Henrik Frystyk Nielsen wrote:
> [...]
> The HTTP protocol does not restrict applications to this simple
> challenge-response mechanism for access authentication. Additional
> mechanisms MAY be used, such as encryption at the transport level or via
> message encapsulation, and with additional header fields specifying
> authentication information. However, these additional mechanisms are not
> defined by this specification.
> Proxies MUST be completely transparent regarding user agent authentication
> by origin servers. That is, they MUST forward the WWW-Authenticate and
> Authorization headers untouched, and follow the rules found in section
> 14.8. Both the Proxy-Authenticate and the Proxy-Authorization header fields
> are hop-by-hop headers (see section 13.5.1).

The "MUST" there would make me unhappy. One of the important functions of our experimental LPWA service (<http://lpwa.com>) is to deliberately replace a user-entered escape sequence by a proxy-generated identity, and one of the places it does so is in the Authorization header.

I can't think of a good way to say "MUST forward... unless the user expects otherwise." And I'm on vacation right now, so my brain is mostly shut down. :-)

Dave Kristol

Received on Thursday, 3 July 1997 14:19:50 EDT
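
Added example, not part of the original message or of any proxy's code: a Python sketch of the forwarding rule in the quoted draft text, plus a check that reports when a proxy changed an end-to-end authentication field or let a hop-by-hop one through. The function names, the sample request and its header values are constructed for illustration, and only the hop-by-hop fields named in the quoted text are handled.

```python
# Added example; names are illustrative, not from the draft or any proxy.
# Hop-by-hop fields the quoted text names (section 13.5.1 has the full list).
HOP_BY_HOP = {"proxy-authenticate", "proxy-authorization"}
# End-to-end authentication fields a proxy MUST forward untouched.
END_TO_END_AUTH = {"www-authenticate", "authorization"}


def forward_headers(headers):
    """Return the header list a transparent proxy passes on.

    headers is a list of (name, value) pairs; order and duplicates are kept,
    and values of the remaining fields are not rewritten.
    """
    return [(n, v) for n, v in headers if n.lower() not in HOP_BY_HOP]


def transparency_violations(received, forwarded):
    """Compare what a proxy received with what it sent; list rule breaks."""
    problems = []
    for field in sorted(END_TO_END_AUTH):
        before = [v for n, v in received if n.lower() == field]
        after = [v for n, v in forwarded if n.lower() == field]
        if before != after:
            problems.append(f"{field}: end-to-end value changed or dropped")
    for name, _ in forwarded:
        if name.lower() in HOP_BY_HOP:
            problems.append(f"{name.lower()}: hop-by-hop field leaked")
    return problems


# Constructed sample request as it arrives at the proxy.
SAMPLE = [
    ("Host", "origin.example"),
    ("Proxy-Authorization", "Basic cHJveHk6cHJveHk="),
    ("Authorization", "Basic dXNlcjpwYXNz"),
]

if __name__ == "__main__":
    sent = forward_headers(SAMPLE)
    print(sent)
    print(transparency_violations(SAMPLE, sent))
```

A proxy that substitutes its own value in Authorization, as the message describes, would show up in `transparency_violations` as a changed end-to-end value.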
This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:46 EDT