
RE: WGLC #349: "strength"

From: Musatov, Martin - CW <Martin.Musatov@bestbuy.com>
Date: Thu, 31 May 2012 14:41:12 +0000
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Julian Reschke <julian.reschke@gmx.de>
CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <1A861E6970A91447BBC0BD2021F75320029987BA@SN2PRD0610MB371.namprd06.prod.outlook.com>


-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] 
Sent: Thursday, May 31, 2012 9:17 AM
To: Julian Reschke
Cc: Mark Nottingham; HTTP Working Group
Subject: Re: WGLC #349: "strength"



On 05/31/2012 03:09 PM, Julian Reschke wrote:
> On 2012-05-31 15:59, Stephen Farrell wrote:
>>
>>
>> On 05/31/2012 01:20 PM, Mark Nottingham wrote:
>>> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/349>
>>>
>>> Proposal: change
>>>
>>>>     Both the Authorization field value and the Proxy-Authorization field
>>>>     value consist of credentials containing the authentication
>>>>     information of the client for the realm of the resource being
>>>>     requested.  The user agent MUST choose to use one of the challenges
>>>>     with the strongest auth-scheme it understands and request credentials
>>>>     from the user based upon that challenge.
>>>
>>>
>>> to
>>>
>>> """
What exactly is the significance of the three lines immediately above? What purpose is the blank line after to and before the two sets of quotes?
>>> Both the Authorization field value and the Proxy-Authorization field 
>>> value contain the client's credentials for the realm of the resource 
>>> being requested, based upon a challenge received from the server 
>>> (possibly at some point in the past). When creating their values, 
>>> the user agent ought to do so by selecting the challenge with what 
>>> it considers to be the most secure auth-scheme that it understands, 
>>> obtaining credentials from the user as appropriate.
>>> """
>>
>> Could be a can of worms so feel free to ignore me, but is the term 
>> credentials there correct? Perhaps authenticator would be better? If 
>> we do manage to get better schemes defined then someday not all of 
>> these would allow derivation of an underlying password credential.
> 
> It's the term we currently use throughout.

I said feel free to ignore me, not to feel free to give a
non-answer:-)

I can understand that it might take work to change, and that that might not be worthwhile. But if in fact it's not the right term for some of those uses then it might be worth changing to avoid future confusion.

Just saying "it's that way now" isn't an answer to the question asked.

Cheers,
S

> 
> Best regards, Julian
> 
> 
> 
Received on Thursday, 31 May 2012 14:41:52 GMT
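
The proposed text in this thread has the user agent select, among the challenges it received, the one with what it considers the most secure auth-scheme it understands. The following is an added example, not part of the thread or of the httpbis draft, showing one way a client could do that; the `PREFERENCE` ordering, the function names and the sample header values are assumptions made for illustration.

```python
import re

# Assumed client policy (not from the thread): the schemes this client
# understands, ordered from what it considers most secure to least secure.
PREFERENCE = ["digest", "basic"]
# Constructed sample: two WWW-Authenticate field values from one response.
SAMPLE = ['NewScheme realm="apps", Basic realm="simple"',
          'Digest realm="apps", qop="auth", nonce="abc, def"']

_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
# Comma-separated pieces; a comma inside a quoted-string does not split.
_PIECE = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')
# A piece that opens a new challenge: auth-scheme, then optionally whitespace
# and the first auth-param (or a token68 blob, which is not interpreted here).
_SCHEME_START = re.compile(rf"^({_TOKEN})(?:\s+(?!=)(.*))?$", re.S)
_PARAM = re.compile(rf'^({_TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({_TOKEN}))$', re.S)


def parse_challenges(header_values):
    """Return [(scheme, {param: value})] from WWW-Authenticate field values."""
    challenges = []
    for value in header_values:
        for piece in (p.strip() for p in _PIECE.findall(value)):
            start = _SCHEME_START.match(piece)
            if start:
                challenges.append((start.group(1), {}))
                piece = start.group(2) or ""
            param = _PARAM.match(piece)
            if param and challenges:
                raw = param.group(2) if param.group(2) is not None else param.group(3)
                # Undo quoted-pair escaping (\" and \\) in quoted-string values.
                challenges[-1][1][param.group(1).lower()] = re.sub(r"\\(.)", r"\1", raw)
    return challenges


def select_challenge(header_values, preference=PREFERENCE):
    """Pick the challenge whose scheme ranks highest in the client's ordering.

    Schemes the client does not understand are ignored; None means no usable
    challenge was offered.
    """
    understood = [c for c in parse_challenges(header_values)
                  if c[0].lower() in preference]
    return min(understood, key=lambda c: preference.index(c[0].lower()), default=None)
```

Because the ranking is the client's own, a server that offers only a weaker scheme still gets that scheme selected; a client that must refuse it has to drop the scheme from its preference list.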
