Re: HTTP/1.0 Review Plan

>>I would like to avoid getting too involved in
>>the debate over portions of the 1.0 draft, except where it becomes
>>necessary to describe the thinking behind some of the recent changes.
>
>Given the number of surprise changes and objectionable ones at that, I
>believe this is unrealistic.

Who said "like to" had to be realistic?

>>3) WWW-Authenticate
>>
>>   The new spec now uses semicolon to separate parameters -- keeping
>>   it as comma-separated would prevent people from using more than
>>   one AA scheme per resource.  This will break existing implementations
>>   of Digest and PGP AA.  One alternative is to leave WWW-Authenticate
>>   as a fixed field (i.e., only describe it for Basic), and define a
>>   new syntax for an Authenticate header.
>>
>>   The same applies to Authorization.
>
>Let's go for the alternative.  Breaking all existing implementations of
>something like this seems unnecessary.  If you *must* go for semicolons,
>define a new header.

Keep in mind that existing clients will not recognize the new header.
That may not be a problem if both are provided, but will remain a problem
for the Authorization field.

Another alternative would be to forbid multiple schemes per resource,
or require that applications parse the AA fields such that they can
recover gracefully from unexpected folding.

Perhaps the latter would be best for 1.0?


 ....Roy T. Fielding  Department of ICS, University of California, Irvine USA
                      Visiting Scholar, MIT/LCS + World-Wide Web Consortium
                      (fielding@w3.org)                (fielding@ics.uci.edu)

Received on Wednesday, 9 August 1995 13:09:19 UTC
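
One way an application could parse the comma-separated form so that several schemes folded into a single WWW-Authenticate value still come apart cleanly, as an added example that is not part of the original message. The splitting rule (an element starting with `name=` continues the open challenge, while `Scheme` or `Scheme name=value` opens a new one), the function names and the sample header are assumptions of this example.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# One list element: runs of non-comma text and whole quoted-strings, so a
# comma inside "..." never splits an element.
ELEMENT = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')
# name=value, where value is a token or a quoted-string.
PARAM = re.compile(rf'({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s"]*))\s*$')
# A scheme name, optionally followed by that challenge's first parameter.
SCHEME = re.compile(rf"({TOKEN})(?:\s+(.+))?$", re.S)


def _add_param(params, text):
    """Store text as a parameter if it has the name=value shape."""
    m = PARAM.match(text)
    if m:
        name, quoted, bare = m.groups()
        if quoted is not None:
            # Undo backslash escapes inside a quoted-string.
            bare = re.sub(r"\\(.)", r"\1", quoted)
        params[name.lower()] = bare
    return bool(m)


def parse_challenges(field_values):
    """Return [(scheme, {param: value}), ...] for one or more
    WWW-Authenticate field values, folded together or not."""
    challenges = []
    for raw in ELEMENT.findall(", ".join(field_values)):
        element = raw.strip()
        if not element:
            continue
        # "name=value" with no leading scheme continues the open challenge.
        if challenges and _add_param(challenges[-1][1], element):
            continue
        m = SCHEME.match(element)
        if m:  # "Scheme" or "Scheme name=value" opens a new challenge
            params = {}
            challenges.append((m.group(1), params))
            if m.group(2):
                _add_param(params, m.group(2))
        # Anything else is malformed: skip it rather than fail the response.
    return challenges


# Constructed sample: two challenges folded into one field value.
FOLDED = ['Digest realm="a, b", nonce="n1", opaque=xyz, Basic realm="a, b"']
```

A client that stops at the first scheme it sees in a folded value never learns that a second scheme was offered, which is why the split has to happen before scheme selection.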