W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2010

Re: [#177] Realm required on challenges

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 14 Sep 2010 18:59:02 +0200
Message-ID: <4C8FA9D6.2000905@gmx.de>
To: Robert Collins <robertc@robertcollins.net>
CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 07.07.2009 12:47, Robert Collins wrote:
> On Tue, 2009-07-07 at 17:42 +1000, Mark Nottingham wrote:
>>
>> Not to argue a particular position WRT #177, but using NTLM is
>> probably a bad example, precisely because it does connection
>> authentication -- thereby breaking HTTP's assumption of statelessness.
>
> Oh it surely is a pain. You don't want to know how ugly making NTLM work
> through squid (to NTLM offering servers on the internet) was/is. Pretty
> hard to imagine HTTP/SMTP w/NTLM too.
>
> That said, it exists, and forcing it to add a empty realm would be
> pointless IMO - let alone probably fraught and likely to break clients.

So maybe we should be pragmatic and say:

- the realm is defined for all authentication protocols
- SHOULD be provided in the challenge
- if not provided, header should be treated as if an empty realm was 
specified

?

Best regards, Julian
Received on Tuesday, 14 September 2010 16:59:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:25 GMT