W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1998

Digest auth and domain=

From: Dave Kristol <dmk@research.bell-labs.com>
Date: Fri, 1 May 1998 14:46:16 -0400 (EDT)
Message-Id: <199805011846.OAA09908@aleatory.research.bell-labs.com>
To: http-wg@cuckoo.hpl.hp.com
    3.2.1 The WWW-Authenticate Response Header

    domain
      A space-separated list of URIs, as specified in RFC XURI [7]. The
      intent is that the client could use this information to know the set
      of URIs for which the same authentication information should be sent.
      The URIs in this list may exist on different servers. If this keyword
      is omitted or empty, the client should assume that the domain
      consists of all URIs on the responding server.

I'm uncomfortable with what the words say, and whether they say what
they're meant to say.  In truth I'm concerned about how much they
*don't* say.

I believe one intent is that something like
	domain="/dir/"
means the credentials should be applied to all URIs of the form /dir/*.
But I don't think the words say that.

I also wonder whether implementers think that
	domain="/xyz"
means "URI /xyz and all /xyz/*", or just the URI /xyz.  The notion of
"prefix" (which I think is implied here) is poorly defined (well,
completely undefined), and I don't know what the consensus opinion is.
Moreover, the consensus opinion should be made explicit.

Dave Kristol
Received on Friday, 1 May 1998 11:53:15 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:17 EDT