W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2010

Re: [#177] Realm required on challenges

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 18 Oct 2010 15:19:04 +1100
Cc: Robert Collins <robertc@robertcollins.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <539FE706-FF67-4C77-BD75-955847EB1588@mnot.net>
To: Julian Reschke <julian.reschke@gmx.de>
It's widely used enough that implementers need to be aware of it, so ignoring it isn't an option. 

We should only special-case it if we're confident that no other such cases do / will exist.

IMHO.


On 23/09/2010, at 2:19 AM, Julian Reschke wrote:

> On 22.09.2010 08:01, Mark Nottingham wrote:
>> 
>> On 15/09/2010, at 2:59 AM, Julian Reschke wrote:
>>> 
>>> So maybe we should be pragmatic and say:
>>> 
>>> - the realm is defined for all authentication protocols
>>> - SHOULD be provided in the challenge
>>> - if not provided, header should be treated as if an empty realm was specified
>> 
>> 
>> +0.5.
>> 
>> I'm not thrilled about it, but unless someone wants to argue that we shouldn't impose realms on all authentication schemes...
>> ...
> 
> It would probably help if we had a agreement on whether we consider Negotiate a proper authentication scheme.
> 
> Do we ignore it, do we accept it, or do we special-case it?
> 
> Best regards, Julian

--
Mark Nottingham   http://www.mnot.net/
Received on Monday, 18 October 2010 04:19:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:29 GMT