From: Dave Kristol <dmk@bell-labs.com>
Date: Thu, 03 Jul 1997 00:15:40 -0400
Message-Id: <33BC1626.2C1A@bell-labs.com>
To: Henrik Frystyk Nielsen <frystyk@w3.org>
Cc: http-wg@cuckoo.hpl.hp.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/3641

Henrik Frystyk Nielsen wrote:
> [...]
> The HTTP protocol does not restrict applications to this simple
> challenge-response mechanism for access authentication. Additional
> mechanisms MAY be used, such as encryption at the transport level or via
> message encapsulation, and with additional header fields specifying
> authentication information. However, these additional mechanisms are not
> defined by this specification.
>
> Proxies MUST be completely transparent regarding user agent authentication
> by origin servers. That is, they MUST forward the WWW-Authenticate and
> Authorization headers untouched, and follow the rules found in section
> 14.8. Both the Proxy-Authenticate and the Proxy-Authorization header fields
> are hop-by-hop headers (see section 13.5.1).

The "MUST" there would make me unhappy.  One of the important functions
of our experimental LPWA service (<http://lpwa.com>) is to deliberately
replace a user-entered escape sequence by a proxy-generated identity,
and one of the places it does so is in the Authorization header.

I can't think of a good way to say "MUST forward... unless the user
expects otherwise."  And I'm on vacation right now, so my brain is
mostly shut down. :-)

Dave Kristol
Received on Thursday, 3 July 1997 14:19:50 UTC
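
The forwarding rule quoted in this message, as an added Python example that is not part of the original e-mail or of any proxy discussed in it. The hop-by-hop set is the list published in RFC 2616 section 13.5.1; the function names, the sample headers and the choice to keep `Authorization` even when it is named in `Connection` are assumptions of this example.

```python
# Added example: header handling for a forwarding proxy under the quoted rule.
# Hop-by-hop names as listed in RFC 2616 section 13.5.1 (lower-cased).
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade",
}
# End-to-end authentication headers the quoted text says to forward untouched.
END_TO_END_AUTH = {"authorization", "www-authenticate"}


def forward_headers(headers):
    """Return the (name, value) pairs a transparent proxy passes on, in order."""
    # Any header named in Connection is hop-by-hop for this hop as well.
    listed = set()
    for name, value in headers:
        if name.lower() == "connection":
            listed.update(t.strip().lower() for t in value.split(",") if t.strip())
    # Choice made in this example: naming Authorization in Connection does
    # not get the end-to-end credentials stripped.
    drop = (HOP_BY_HOP | listed) - END_TO_END_AUTH
    return [(n, v) for n, v in headers if n.lower() not in drop]


def auth_untouched(received, forwarded):
    """True if the end-to-end auth headers are identical on both sides."""
    def pick(hs):
        return [(n.lower(), v) for n, v in hs if n.lower() in END_TO_END_AUTH]
    return pick(received) == pick(forwarded)


SAMPLE = [  # constructed request headers, not taken from any real capture
    ("Host", "origin.example"),
    ("Connection", "keep-alive, X-Hop"),
    ("X-Hop", "1"),
    ("Proxy-Authorization", "Basic cHJveHk6cHc="),
    ("Authorization", "Basic dXNlcjpwdw=="),
]

if __name__ == "__main__":
    out = forward_headers(SAMPLE)
    print(out)
    print("transparent:", auth_untouched(SAMPLE, out))
```

A proxy that substitutes its own value into `Authorization`, as the message describes LPWA doing, makes `auth_untouched` return `False`, which is the conflict with the "MUST" that the message raises.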