- From: Sambasiva Rao <sams@wipinfo.soft.net>
- Date: Thu, 13 Nov 1997 12:12:47 +0500 (GMT+0500)
- To: ng <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Few issues related to Authentication are as following : 1> In the authentication credentials field defined as following credentials = basic-credentials |auth-scheme #auth-param in RFC2068. a> Does this mean the server must produce parse error if the client sends two or more scheme credentials ?( this problem doesn't exist in HTTP1.0 as it support only one scheme) b> If any server provides this additional functionality of parsing(handling) one or more scheme credentials then can that server be said as RFC2068 compliant. 2>If the only one scheme is allowed and if the agent wants to send a request with the authentication scheme credentials before the challenge (unauthorised response)then it really doesn't have much flexibility.A sort of agent side negotiation for the authentication schemes. If agent is allowed to sent multiple schemes the following issues araise :- 1> If an user agent sends 3 schemes and server supports 2 of these schemes for the requested realm then a> what must be the action of server ? Should it validate realm with all the 2 possible schemes or it should take the safest scheme ? 2> Say if the server validates the realm using two or more schemes then if it finds that through one scheme the client is valid and through other it is invalid.Then a>what must be the action of the server? It can always be the server specific but a>what is the safest option ? Regards, Sam.
Received on Wednesday, 12 November 1997 22:48:47 UTC