W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

comments on http-authentication-00

From: Dave Kristol <dmk@research.bell-labs.com>
Date: Fri, 5 Dec 97 12:33:30 EST
Message-Id: <9712051733.AA27553@aleatory.tempo.bell-labs.com>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
I'll bring my usual set of nitpicking editorial comments to the IETF
meeting for personal delivery.  Meanwhile, here are some substantive
ones.

1) Sect 1.2
	[Proxies] MUST forward the WWW-Authenticate and Authorization
	headers untouched....

I would like MUST to be SHOULD.  I've brought this up once before.
There may be services (LPWA, lpwa.com, is one such) whose legitimate
purpose is to provide authentication services for a user, such as
replacing special character sequences in Authorization with a user's
computed identity.  The proxy ought to be able to do so without being
considered non-compliant.

2) Sect 3.2.1, under "nonce"
	... is the dotted quad IP address ...

How to handle IPv6 addresses?

3) Sect 3.2.2, syntax
	should be
	    entity-digest = <"> ...
	    		  ^

	The "date" attribute description bears no mention here of what
	date we're talking about.  I inferred from text much further on
	that it's supposed to mirror the Date header of the
	request/response.

4) Sect 3.2.2, semantics

	Consider sender -> proxy -> receiver.

	The entity-digest incorporates information from headers from
	the sender.  Consider, for example, Date and Content-Length.  A
	proxy could add Date if one were missing.  A proxy could add a
	Content-Length after gobbling up something that the sender sent
	"chunked".

	The receiver wouldn't know that the proxy had added those
	headers.  It would use the added headers in its calculation of
	entity-digest and derive a different value from what the sender
	calculated.

Dave Kristol
Received on Friday, 5 December 1997 09:37:19 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:04 EDT