W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

Regarding Authentication

From: Sambasiva Rao <sams@wipinfo.soft.net>
Date: Thu, 13 Nov 1997 12:12:47 +0500 (GMT+0500)
To: ng <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Message-Id: <Pine.LNX.3.91.971113105550.26780E-100000@nmggw>

Few issues related to Authentication  are as following :

1> In the authentication credentials field defined as following

	credentials  = basic-credentials
			|auth-scheme #auth-param
	in RFC2068.

	a> Does this mean the server must produce parse error if the client 
sends two or more scheme credentials ?( this problem doesn't exist in 
HTTP1.0 as it support only one scheme)
	b> If any server provides this additional functionality of 
parsing(handling) one or more scheme credentials then can that server be 
said as RFC2068 compliant.
2>If the only one scheme is allowed and  if the agent wants to send a request 
with the authentication scheme credentials before the challenge 
(unauthorised response)then it really doesn't have much flexibility.A 
sort of agent side negotiation for the authentication schemes.

  If agent is allowed to sent multiple schemes the following  issues 
araise :-
   1> If an user agent sends 3 schemes and server supports 2 of these 
schemes for the requested realm then
	a>  what must be the action of server ? Should it validate realm with 
 all the 2 possible schemes or it should take the safest  scheme ?
   2> Say if the server validates the realm using two or more schemes 
then if it finds that through one scheme the client is valid and through 
other it is invalid.Then 
	a>what must be the action of the server? 
   It can always be the server specific but 
	a>what is the safest option ?

Regards,
Sam.
	
	 
	
Received on Wednesday, 12 November 1997 22:48:47 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:02 EDT