Re: ISSUE PROXY-AUTHORIZATION: Proposal wording

From: David W. Morris <dwm@xpasc.com>
Date: Thu, 3 Jul 1997 22:39:38 -0700 (PDT)
To: Dave Kristol <dmk@bell-labs.com>
Cc: Henrik Frystyk Nielsen <frystyk@w3.org>, http-wg@cuckoo.hpl.hp.com
Message-Id: <Pine.GSO.3.96.970703223837.23842D-100000@shell1.aimnet.com>


On Thu, 3 Jul 1997, Dave Kristol wrote:

> Henrik Frystyk Nielsen wrote:
> > [...]
> > The HTTP protocol does not restrict applications to this simple
> > challenge-response mechanism for access authentication. Additional
> > mechanisms MAY be used, such as encryption at the transport level or via
> > message encapsulation, and with additional header fields specifying
> > authentication information. However, these additional mechanisms are not
> > defined by this specification.
> > Proxies MUST be completely transparent regarding user agent authentication
> > by origin servers. That is, they MUST forward the WWW-Authenticate and
> > Authorization headers untouched, and follow the rules found in section
> > 14.8. Both the Proxy-Authenticate and the Proxy-Authorization header fields
> > are hop-by-hop headers (see section 13.5.1).
> 
> The "MUST" there would make me unhappy.  One of the important functions
> of our experimental LPWA service (<http://lpwa.com>) is to deliberately
> replace a user-entered escape sequence by a proxy-generated identity,
> and one of the places it does so is in the Authorization header.
> 
> I can't think of a good way to say "MUST forward... unless the user
> expects otherwise."  And I'm on vacation right now, so my brain is
> mostly shut down. :-)
> 

Me too ... I have a single user proxy product which is a direct agent
for its owner and only user ... I see no reason to restrict the behavior
of such a proxy.

Dave Morris
Received on Thursday, 3 July 1997 22:42:23 EDT
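
The forwarding rule in the quoted proposal, as an added example that is not part of the original message or of any proxy discussed in it: a filter that drops the hop-by-hop proxy-auth fields before forwarding, and a check that the origin-server auth fields went through unchanged. Function names and the sample request are constructed for illustration; only the two proxy-auth fields named in the proposal plus `Connection` are treated as hop-by-hop here.

```python
# Added example: header handling at a proxy as the quoted proposal words it.
# Names are illustrative assumptions, not taken from any proxy product.

# The two proxy-auth fields the proposal names as hop-by-hop, plus Connection
# itself; a full proxy would also drop the rest of the hop-by-hop set.
HOP_BY_HOP = {"proxy-authenticate", "proxy-authorization", "connection"}
END_TO_END_AUTH = {"authorization", "www-authenticate"}


def forwardable(headers):
    """Return the (name, value) pairs a transparent proxy passes onward.

    `headers` is an ordered list of (name, value) pairs. End-to-end fields,
    including Authorization and WWW-Authenticate, are returned unchanged.
    """
    drop = set(HOP_BY_HOP)
    for name, value in headers:
        if name.lower() == "connection":
            # Fields nominated in Connection are hop-by-hop for this hop too.
            drop.update(t.strip().lower() for t in value.split(",") if t.strip())
    return [(n, v) for n, v in headers if n.lower() not in drop]


def origin_auth_untouched(before, after):
    """Audit check: were the origin-server auth fields forwarded byte-for-byte?"""
    def auth_fields(hs):
        return [(n, v) for n, v in hs if n.lower() in END_TO_END_AUTH]
    return auth_fields(before) == auth_fields(after)


# Constructed sample request as received by the proxy (credentials are dummies).
SAMPLE_REQUEST = [
    ("Host", "origin.example"),
    ("Authorization", "Basic dXNlcjpwYXNz"),
    ("Proxy-Authorization", "Basic cHJveHk6c2VjcmV0"),
    ("Connection", "close, X-Hop-Note"),
    ("X-Hop-Note", "local"),
]

if __name__ == "__main__":
    out = forwardable(SAMPLE_REQUEST)
    for name, value in out:
        print(f"{name}: {value}")
    print("origin auth untouched:", origin_auth_untouched(SAMPLE_REQUEST, out))
```

A proxy that substitutes its own value into `Authorization`, as the replies describe, makes `origin_auth_untouched` return `False`, which is the behaviour the proposed MUST would rule out.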