W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1995

Re: Digest Access Authentication proposal - "Authorization"

From: Owen Rees <rtor@ansa.co.uk>
Date: Sat, 25 Mar 1995 00:02:17 +0000
Message-Id: <9503250002.AA02755@plato.ansa.co.uk>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
zurko@osf.org (Mary Ellen Zurko) writes:
> > The credentials are authorization information; "This request is from <username>
> >  who claims the right to access <requested-uri> in <realm>" 
> 
> I'm not sure I see what sense you consider this authorization
> information. As I pointed out, even clear authentication information
> is an input to authorization decisions, so it's not incorrect to call
> even the digest "information for the authorization decision". It does,
> however, confuse people to call either the digest or the credentials
> (in this case) simply "authorization information".

I think I should have said "The credentials contain authorization
information" (rather than "are"). draft-ietf-http-v10-spec-00 says
"credentials containing the authentication information" (in 5.4.5 and
10), and I would argue that in both the Basic and Digest schemes, the
credentials contain information used both in authentication and in
authorization, but not all of the information used in either
process.

Since the credentials contain information used for both purposes, it
might be better to include the syntax rule for the Authorization
header in digest-aa so that "<credentials>" can be used to replace
"Authorization" in various places. I think I was probably reading the
capitalised word as an arbitrary token naming the header containg the
credentials, without thinking how it would read if the capitalisation
were removed or ignored.

Regards,
  Owen Rees <rtor@ansa.co.uk>
Information about ANSA is at <URL:http://www.ansa.co.uk/>.
Received on Friday, 24 March 1995 16:25:06 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:14 EDT