
Re: [#177] Realm required on challenges

From: Robert Collins <robertc@robertcollins.net>
Date: Tue, 07 Jul 2009 07:36:43 +0000
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <1246952155.6472.24.camel@lifeless-64>

On Tue, 2009-07-07 at 17:15 +1000, Mark Nottingham wrote:
> [ this was raised anonymously ]
> 
> p7 defers to RFC2617 for the definition of challenge.
> 
> RFC 2617, section 1.2 says:
> 
> challenge = auth-scheme 1*SP 1#auth-param
>
> ...
>
> The authentication parameter realm is defined for all authentication
> schemes:
>
> realm = "realm" "=" realm-value
> realm-value = quoted-string
> 
> The realm directive (case-insensitive) is required for all  
> authentication schemes that issue a challenge.

With you so far.

> The interpretation being that challenges (which is what www-  
> authenticate is defined as) MUST contain at least one parameter and  
> that parameter MUST be a realm.

Got that too.

> Is it truly necessary for all authentication schemes to include a
> 'realm' parameter? If so, it should be documented (e.g., in the section
> about extension authentication schemes).

I'd have to check, but I'm fairly sure that NTLM doesn't provide a realm
in its challenges. I'm also fairly certain, because that scheme does
connection authentication, not message authentication, that the intended
use - partitioning a single site - doesn't even make sense for that
scheme (nor the Negotiate scheme).

-Rob

Received on Tuesday, 7 July 2009 08:41:03 GMT
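
An added example, not part of the original message or of the HTTPbis drafts: a small Python check of one WWW-Authenticate challenge value against the RFC 2617 section 1.2 grammar quoted in the thread (1#auth-param, with a case-insensitive realm). The function names and sample header values are constructed for illustration; the bare `NTLM` and `Negotiate` values are the form those schemes' initial challenges take.

```python
import re

# RFC 2616 token and quoted-string, as used by RFC 2617's auth-param.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
AUTH_PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED})\s*(?:,|$)")


def parse_challenge(value):
    """Return (scheme, params, rest); rest is whatever is not auth-param."""
    scheme, _, tail = value.strip().partition(" ")
    params, pos = {}, 0
    while pos < len(tail):
        m = AUTH_PARAM.match(tail, pos)
        if not m:
            return scheme, params, tail[pos:].strip()
        # Parameter names are case-insensitive, so normalise them.
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"'):
            # Strip the quotes and undo quoted-pair escapes.
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        params[name] = raw
        pos = m.end()
    return scheme, params, ""


def check_rfc2617(value):
    """Return a list of ways the challenge departs from RFC 2617 section 1.2."""
    scheme, params, rest = parse_challenge(value)
    problems = []
    if rest:
        problems.append("data that is not auth-param")
    if not params:
        problems.append("no auth-param (grammar wants 1#auth-param)")
    if "realm" not in params:
        problems.append("no realm")
    return problems


# Constructed sample header values, one challenge each.
SAMPLES = [
    'Basic realm="staff area"',
    'Digest REALM="a, b", nonce="abc123", qop="auth"',
    "NTLM",
    "Negotiate",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: {check_rfc2617(s) or 'ok'}")
```

A client that enforces this grammar strictly would reject the last two samples, which is the interoperability question the issue raises.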
