W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2003

Re: I-D ACTION:draft-nystrom-http-sasl-06.txt

From: Joe Orton <joe@manyfish.co.uk>
Date: Wed, 5 Mar 2003 21:48:24 +0000
To: ietf-http-wg@w3.org, ietf-sasl@imc.org
Message-ID: <20030305214824.GD3505@manyfish.co.uk>

Hi, some review on the new version of this draft:

The 1xx status-codes are reserved for "interim" HTTP responses, but the
draft is now using 102 for a final response here, which won't work (or
at least, isn't compatible with HTTP/1.1). The -05 draft had this right,
I think: just iterate through several resends of the request with
401/407 challenge responses each time.

The "102-continue" expectation is hence redundant: it's no different
from 100-continue, which is designed for the same purpose.

Why was the extra round-trip for a 235/236 response added? You can't
give a "dummy" 2xx response just to confirm that authentication was
successful. It's implicit that auth didn't fail if the response was not
401/407.

The new 432 code seems to more for a server configuration error, so
maybe 5xx is more appropriate?

Existing concerns not addressed:

Draft is confused about whether HTTP auth is per-request or
per-connection.  Restrictions on not mixing auth sessions on a single
connection etc should be dropped.

Whether or not the server requires auth for an OPTIONS request is not up
to the authentication protocol.  The draft doesn't actually make any
requirements on how the server responds to an OPTIONS request, so it's
pointless as as well as misguided :)

406 is already defined by RFC2616, you can't overload this really.

The CONNECT-to-port-80/SASL-security-layer-negotiation bits aren't
compatible with HTTP, and Just Won't Work with deployed HTTP proxies,
most of which don't even grok HTTP/1.1 properly.

Regards,

joe
Received on Wednesday, 5 March 2003 16:48:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:22 GMT