- From: Joe Orton <joe@manyfish.co.uk>
- Date: Wed, 5 Mar 2003 21:48:24 +0000
- To: ietf-http-wg@w3.org, ietf-sasl@imc.org
Hi, some review on the new version of this draft: The 1xx status-codes are reserved for "interim" HTTP responses, but the draft is now using 102 for a final response here, which won't work (or at least, isn't compatible with HTTP/1.1). The -05 draft had this right, I think: just iterate through several resends of the request with 401/407 challenge responses each time. The "102-continue" expectation is hence redundant: it's no different from 100-continue, which is designed for the same purpose. Why was the extra round-trip for a 235/236 response added? You can't give a "dummy" 2xx response just to confirm that authentication was successful. It's implicit that auth didn't fail if the response was not 401/407. The new 432 code seems to more for a server configuration error, so maybe 5xx is more appropriate? Existing concerns not addressed: Draft is confused about whether HTTP auth is per-request or per-connection. Restrictions on not mixing auth sessions on a single connection etc should be dropped. Whether or not the server requires auth for an OPTIONS request is not up to the authentication protocol. The draft doesn't actually make any requirements on how the server responds to an OPTIONS request, so it's pointless as as well as misguided :) 406 is already defined by RFC2616, you can't overload this really. The CONNECT-to-port-80/SASL-security-layer-negotiation bits aren't compatible with HTTP, and Just Won't Work with deployed HTTP proxies, most of which don't even grok HTTP/1.1 properly. Regards, joe
Received on Wednesday, 5 March 2003 16:48:01 UTC