w3c / wot-security

a repo exclusively for security to better manage issues and security considerations for WoT
https://w3c.github.io/wot-security/

Consider adding qop parameter for digest authentication #96

Closed mmccool closed 6 years ago

mmccool commented 6 years ago

Digest authentication supports various levels of protection, known as qop (quality of protection). Consider adding optional metadata to the digest scheme indicating the qop required by the server. Note: many browsers do not implement the stricter levels, i.e. auth-int. However, some do, and M2M servers can certainly require them while remaining within the HTTP standard.

The qop parameter should be an array indicating which qop levels the server accepts.

One question, however, is whether “digest” and these alternative qop levels are useful to IoT given its other weaknesses.

Reference: https://en.m.wikipedia.org/wiki/Digest_access_authentication

mmccool commented 6 years ago

I decided to go ahead and add a qop parameter to the digest scheme. It's part of the current security metadata PR (https://github.com/w3c/wot-thing-description/pull/144) for the TD. One issue: the only valid values for this parameter are "auth" and "auth-int", AFAIK. The default should be "auth", which seems to be the most common setting. In the current TD spec, however, valid values (for enumerated types like this) and default values are not yet documented.

The only issue I'm not sure of is whether this should be a single value or allow an array.
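To make the difference between the two qop levels discussed in this issue concrete, here is an added worked example (editor's code, not part of the WoT specifications or the w3c/wot-security repository): it computes the HTTP Digest `response` value under `auth` and under `auth-int`, shows that only `auth-int` binds the request body, and checks a client's choice against the qop values a server advertises, accepting either a single string or an array (the open question above). The credentials, nonce values and function names such as `select_qop` are constructed for illustration.

```python
"""Added example: HTTP Digest qop levels ('auth' vs 'auth-int') and
server-side qop acceptance checks. Not code from the WoT TD spec or the
w3c/wot-security project; sample values below are constructed."""
import hashlib
import hmac
from typing import Iterable, List, Optional, Union

# The only qop values RFC 7616 (and RFC 2617 before it) define.
VALID_QOP = ("auth", "auth-int")


def _hash(algorithm: str, data: bytes) -> str:
    """RFC 7616 names algorithms 'MD5' / 'SHA-256'; hashlib wants 'md5' / 'sha256'."""
    return hashlib.new(algorithm.replace("-", "").lower(), data).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str,
                    body: bytes = b"", algorithm: str = "MD5") -> str:
    """Compute the Digest 'response' field for the given qop level."""
    if qop not in VALID_QOP:
        raise ValueError(f"unsupported qop {qop!r}; expected one of {VALID_QOP}")
    ha1 = _hash(algorithm, f"{username}:{realm}:{password}".encode())
    if qop == "auth":
        # 'auth' covers only the method and URI: the entity body is NOT bound
        # to the response, so a modified body still verifies.
        ha2 = _hash(algorithm, f"{method}:{uri}".encode())
    else:
        # 'auth-int' additionally folds a hash of the entity body into HA2,
        # which is why it is the stricter level mentioned in the issue.
        ha2 = _hash(algorithm, f"{method}:{uri}:{_hash(algorithm, body)}".encode())
    return _hash(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


def verify_response(received: str, **request) -> bool:
    """Server side: recompute the response over the request as received and
    compare in constant time."""
    return hmac.compare_digest(received, digest_response(**request))


def normalize_qop(server_qop: Union[str, Iterable[str]]) -> List[str]:
    """Accept the qop metadata as either a single string or an array."""
    values = [server_qop] if isinstance(server_qop, str) else list(server_qop)
    bad = [v for v in values if v not in VALID_QOP]
    if bad:
        raise ValueError(f"invalid qop value(s) in metadata: {bad}")
    return values


def select_qop(server_qop: Union[str, Iterable[str]], client_supported: Iterable[str]) -> Optional[str]:
    """Pick the strongest qop both sides support; None if there is no overlap."""
    accepted = normalize_qop(server_qop)
    supported = set(client_supported)
    for candidate in ("auth-int", "auth"):  # strongest first
        if candidate in accepted and candidate in supported:
            return candidate
    return None


# Constructed sample request used by the demo and tests (not real credentials).
SAMPLE = dict(username="thing-client", realm="wot@example", password="s3cret",
              method="PUT", uri="/properties/on", nonce="dcd98b7102dd2f0e",
              nc="00000001", cnonce="0a4f113b")


def body_tamper_detected(qop: str) -> bool:
    """Client signs body A; server receives body B. Return True if the
    mismatch is caught, which depends entirely on the qop level."""
    signed = digest_response(qop=qop, body=b'{"on": true}', **SAMPLE)
    return not verify_response(signed, qop=qop, body=b'{"on": false}', **SAMPLE)


if __name__ == "__main__":
    print("qop=auth     catches body change:", body_tamper_detected("auth"))
    print("qop=auth-int catches body change:", body_tamper_detected("auth-int"))
    print("server 'auth' only, client both     ->", select_qop("auth", ["auth", "auth-int"]))
    print("server array, client both           ->", select_qop(["auth", "auth-int"], ["auth", "auth-int"]))
    print("server 'auth-int' only, browser-like->", select_qop("auth-int", ["auth"]))
```

The last case mirrors the browser caveat in the issue: a server that advertises only `auth-int` gets no usable qop from a client that implements `auth` alone, so the negotiation returns `None` and the request should be rejected rather than silently downgraded.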

mmccool commented 6 years ago

Done, added.