Re: Proxy auth

From: Dave Kristol <dmk@research.bell-labs.com>
Date: Thu, 18 Nov 1999 08:46:41 -0500 (EST)
Message-Id: <199911181346.IAA12054@aleatory.research.bell-labs.com>
To: http-wg@hplb.hpl.hp.com, joshco@Exchange.Microsoft.com
Cc: fielding@kiwi.ICS.UCI.EDU, lawrence@agranat.com

"Josh Cohen (Exchange)" <joshco@Exchange.Microsoft.com> wrote:
  >  Since we're talking about proxies....
  > I'm curious to know what others think the right thing
  > according to the intent of the 1.1 spec to do is
  > in this situation:
  > 
  > If you have two chained proxy servers:
  > 
  > client -> proxy1 -> proxy2 -> origin server
  > 
  > If proxy 2 challenges for proxy-authentication (in its realm),
  > should the challenge go back to the client if proxy1 doesn't intend
  > to satisfy the challenge?
  > 
  > My understanding was that the intent was that this situation was
  > to be covered.  By this I mean a client can auth to a proxy up the chain.
  > The spec is somewhat ambiguous; it says the proxy-auth headers are
  > hop-by-hop, but then mentions that chained proxy-auth can work.

My understanding has always been that proxy authentication is strictly
hop-by-hop.  So proxy1 should not bump the authentication request up to
the client.  After all, it's proxy1 that has a trust relationship with
proxy2, whereas the client may have no such relationship.

Dave Kristol
Received on Thursday, 18 November 1999 13:49:26 EST
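
The strict hop-by-hop reading given in the reply above, modeled as an added example (not code from the thread or from any participant). The function names, the Basic scheme, the credentials, and the 502 returned when proxy1 cannot answer proxy2's challenge are all assumptions of this sketch.

```python
import base64

# Assumed header names: the HTTP/1.1 proxy authentication fields.
HOP_AUTH = {"proxy-authenticate", "proxy-authorization"}

def strip_hop_auth(headers):
    """Drop proxy-auth fields: they apply to a single hop only."""
    return {k: v for k, v in headers.items() if k.lower() not in HOP_AUTH}

def basic(user, password):
    """Build a Basic credential string (constructed sample values only)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def proxy2(headers):
    """Constructed upstream proxy: accepts only proxy1's credentials."""
    if headers.get("Proxy-Authorization") == basic("proxy1", "s3cret"):
        return 200, {"Content-Type": "text/plain"}
    return 407, {"Proxy-Authenticate": 'Basic realm="proxy2"'}

def proxy1(client_headers, upstream_credentials=None):
    """Forward a client request through proxy2, keeping auth hop-by-hop."""
    # The client's Proxy-Authorization was addressed to proxy1; never relay it.
    outbound = strip_hop_auth(client_headers)
    status, headers = proxy2(outbound)
    if status == 407 and upstream_credentials:
        # proxy1, not the client, holds the trust relationship with proxy2.
        outbound["Proxy-Authorization"] = basic(*upstream_credentials)
        status, headers = proxy2(outbound)
    if status == 407:
        # Assumption: report an upstream failure (502) instead of relaying
        # proxy2's challenge; the thread does not name a status code.
        return 502, {}
    return status, strip_hop_auth(headers)

if __name__ == "__main__":
    client = {"Host": "origin.example",
              "Proxy-Authorization": basic("alice", "pw")}
    print(proxy1(client, ("proxy1", "s3cret")))
    print(proxy1(client))
```
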