Not to argue a particular position WRT #177, but using NTLM is probably a bad example, precisely because it does connection authentication -- thereby breaking HTTP's assumption of statelessness.

Cheers,

On 07/07/2009, at 5:35 PM, Robert Collins wrote:

> On Tue, 2009-07-07 at 17:15 +1000, Mark Nottingham wrote:
>> [ this was raised anonymously ]
>>
>> p7 defers to RFC2617 for the definition of challenge.
>>
>> RFC 2617, section 1.2 says:
>>
>> challenge = auth-scheme 1*SP 1#auth-param
>> ...
>> The authentication parameter realm is defined for all authentication schemes:
>>
>> realm = "realm" "=" realm-value
>> realm-value = quoted-string
>>
>> The realm directive (case-insensitive) is required for all
>> authentication schemes that issue a challenge.
>
> With you so far.
>
>> The interpretation being that challenges (which is what
>> www-authenticate is defined as) MUST contain at least one parameter and
>> that parameter MUST be a realm.
>
> Got that too.
>
>> Is it truly necessary for all authentication schemes to include a
>> 'realm' parameter? If so, it should be documented (e.g., in the section
>> about extension authentication schemes).
>
> I'd have to check, but I'm fairly sure that NTLM doesn't provide a realm
> in its challenges. I'm also fairly certain, because that scheme does
> connection authentication, not message authentication, that the intended
> use - partitioning a single site - doesn't even make sense for that
> scheme (nor the Negotiate scheme).
>
> -Rob

--
Mark Nottingham http://www.mnot.net/

Received on Tuesday, 7 July 2009 07:42:47 GMT
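
The RFC 2617 rule quoted in this thread, as an added example that is not part of the original messages or of the HTTPbis drafts: a Python checker that parses one challenge as `auth-scheme 1*SP 1#auth-param` and reports whether a quoted-string `realm` is present. The function names are hypothetical and the sample header values are constructed.

```python
import re

# RFC 2616 token and quoted-string, as used by the RFC 2617 challenge grammar.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
AUTH_PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED})\s*(?:,|$)")
CHALLENGE = re.compile(rf"^({TOKEN})(?: +(.*))?$", re.S)


def parse_challenge(value):
    """Parse a single challenge. Returns (scheme, params).

    params is {} when nothing follows the scheme, and None when the text
    after the scheme is not a comma-separated auth-param list.
    """
    m = CHALLENGE.match(value.strip())
    if not m:
        raise ValueError("no auth-scheme token")
    scheme, rest = m.group(1), m.group(2)
    params, pos = {}, 0
    while rest and pos < len(rest):
        pm = AUTH_PARAM.match(rest, pos)
        if not pm:
            return scheme, None  # e.g. a bare base64 blob after the scheme
        params[pm.group(1).lower()] = pm.group(2)  # names are case-insensitive
        pos = pm.end()
    return scheme, params


def check_realm(value):
    """Verdict for one challenge under the 'realm is required' reading."""
    _scheme, params = parse_challenge(value)
    if params is None:
        return "not an auth-param list"
    if not params:
        return "no auth-param"
    if "realm" not in params:
        return "missing realm"
    if not params["realm"].startswith('"'):
        return "realm is not a quoted-string"
    return "ok"


if __name__ == "__main__":
    # Constructed sample values; the base64 text decodes to "constructed".
    for sample in ('Basic realm="WallyWorld"', "NTLM", "Negotiate",
                   "NTLM Y29uc3RydWN0ZWQ=", 'Custom foo="bar"'):
        print(f"{sample!r:32} -> {check_realm(sample)}")
```
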