RE: Straw-man charter for http-bis -- call for errata/clarifications to 2617

On Thu, 2007-05-31 at 14:28 -0700, Eric Lawrence wrote:

> You're right, but Henrik's point still stands.  The existing
> implementation of Negotiate/NTLM is significantly different than the
> conventional HTTP authentication "per-message" model.  It may be
> difficult (or undesirable) to roll this into RFC2616.

I would say undesirable. It requires a far too big change in the transport &
message model of HTTP, and in its current form has some serious (but
partially documented) security implications when using proxies.

HTTP is explicitly designed as a transport-independent, message-oriented
protocol where each message is self-contained and not dependent on being
sent on a specific transport connection.

RFC4559 is completely connection-oriented, with messages far from
self-contained and very dependent on which transport connection is being
used.

Regards
Henrik

Received on Thursday, 31 May 2007 22:04:25 UTC