W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2012

Re: WGLC #349: "strength"

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 1 Jun 2012 10:50:56 +1000
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <22C63842-1F80-46BB-8A26-C92DB143917C@mnot.net>
To: James French <jfrench@denirostaff.com>
We're using that to explicitly NOT trigger an interpretation of it as a conformance requirement.

Cheers,


On 01/06/2012, at 2:19 AM, James French wrote:

> On Thu, May 31, 2012 at 5:20 AM, Mark Nottingham <mnot@mnot.net> wrote:
>> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/349>
>> 
>> Proposal: change
>> 
>>>    Both the Authorization field value and the Proxy-Authorization field
>>>    value consist of credentials containing the authentication
>>>    information of the client for the realm of the resource being
>>>    requested.  The user agent MUST choose to use one of the challenges
>>>    with the strongest auth-scheme it understands and request credentials
>>>    from the user based upon that challenge.
>> 
>> 
>> to
>> 
>> """
>> Both the Authorization field value and the Proxy-Authorization field value contain the client's credentials for the realm of the resource being requested, based upon a challenge received from the server (possibly at some point in the past). When creating their values, the user agent ought to do so by selecting the challenge with what it considers to be the most secure auth-scheme that it understands, obtaining credentials from the user as appropriate.
> 
> Perhaps this phrase "ought to" should be an all-caps (RFC 2119) SHOULD?

--
Mark Nottingham   http://www.mnot.net/
Received on Friday, 1 June 2012 00:51:21 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 1 June 2012 00:51:28 GMT