
RE: domain attribute in digest auth

From: Paul Leach <paulle@microsoft.com>
Date: Thu, 1 Oct 1998 23:05:35 -0700
Message-Id: <CB6657D3A5E0D111A97700805FFE65875D777C@RED-MSG-51>
To: "'Ronald.Tschalaer@psi.ch'" <Ronald.Tschalaer@psi.ch>, HTTP-WG@hplb.hpl.hp.com


> -----Original Message-----
> From: Ronald.Tschalaer@psi.ch [mailto:Ronald.Tschalaer@psi.ch]
> Sent: Thursday, October 01, 1998 12:45 AM
> 
> [snip]
> > The first change is backwards compatible, so could probably be made at this
> > point if there were consensus. I actually think that one could say that
> > it's safe to consider all proxies in the same protection space, regardless
> > of what "domain" says. One shouldn't configure one's browser to point at
> > proxies to which one wouldn't be willing to send a Digest response. As a
> > result, one could almost consider this an implementation issue: clients that
> > want to pre-authenticate to all proxies should just do so.
> 
> The problem with considering all proxies in the same protection space is
> that the browser can then only usefully store a single set of credentials
> (if you get a 407 from a different proxy do the new credentials from the
> user replace the current credentials? Or should the new credentials only
> apply to the new proxy? Or the old credentials only to the old proxy?).
> And if you only distinguish by realm then you're making the realm a global
> namespace - the realm will have to be unique on all proxies which might
> take different auth info (which is doable inside a corporation, I suppose,
> but not on a larger scale). So it's not a question of trust, but a
> question of being able to (usefully) store multiple credentials for multiple
> proxies.

I don't know of any scenario where I'd want to point my browser at multiple
proxies that aren't in the same protection domain. I don't know how to even
configure any browser to do that. Even so, if need be, realm name space can
be allocated from the DNS name space and hence be globally unique.

Paul
Received on Friday, 2 October 1998 07:06:21 EDT
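
The storage question in this exchange, as an added example that is not part of the original messages: a client-side cache of proxy credentials keyed by realm alone versus by (proxy, realm), run once with a realm name shared by two proxies and once with realm names taken from the DNS name space. The class and function names, host names, realm strings (including the `proxy@host` form) and credentials are all constructed for illustration.

```python
# Added illustration; hosts, realms and credentials below are constructed.

class ProxyCredentialCache:
    """Credentials learned from 407 challenges, keyed by protection space."""

    POLICIES = ("realm", "proxy+realm")

    def __init__(self, policy):
        if policy not in self.POLICIES:
            raise ValueError(f"unknown policy: {policy}")
        self.policy = policy
        self._store = {}

    def _key(self, proxy, realm):
        # "realm": every proxy shares one namespace, so the realm must be
        # globally unique. "proxy+realm": the realm is scoped to one proxy.
        return realm if self.policy == "realm" else (proxy.lower(), realm)

    def remember(self, proxy, realm, username, password):
        self._store[self._key(proxy, realm)] = (username, password)

    def lookup(self, proxy, realm):
        return self._store.get(self._key(proxy, realm))


def users_after_prompts(policy, prompts):
    """Answer each 407 prompt in order, then report which username the
    cache would use for each proxy on the next request."""
    cache = ProxyCredentialCache(policy)
    for proxy, realm, user, password in prompts:
        cache.remember(proxy, realm, user, password)
    return {proxy: cache.lookup(proxy, realm)[0] for proxy, realm, _, _ in prompts}


# Two proxies that both announce the same short realm name.
SHARED_REALM = [
    ("proxy-a.example:3128", "proxy", "alice", "pw-a"),
    ("proxy-b.example:3128", "proxy", "alice-ext", "pw-b"),
]
# The same proxies with realm names allocated from the DNS name space.
DNS_REALM = [
    ("proxy-a.example:3128", "proxy@proxy-a.example", "alice", "pw-a"),
    ("proxy-b.example:3128", "proxy@proxy-b.example", "alice-ext", "pw-b"),
]

if __name__ == "__main__":
    for label, prompts in (("shared realm", SHARED_REALM), ("DNS realm", DNS_REALM)):
        for policy in ProxyCredentialCache.POLICIES:
            print(label, policy, users_after_prompts(policy, prompts))
```

With the shared realm, the realm-only cache keeps just the most recent credentials for both proxies; either keying by proxy or making the realm globally unique keeps the two sets apart.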
