W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2013

draft-ietf-httpbis-http2-01, "4.2.3 Authentication"

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 05 Mar 2013 21:36:19 +0100
Message-ID: <51365743.5030409@gmx.de>
To: ietf-http-wg@w3.org
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-http2-01.html#Authentication>:

"There are four options for proxy authentication, Basic, Digest, NTLM 
and Negotiate (SPNEGO). The first two options were defined in RFC2617 
[RFC2617], and are stateless. The second two options were developed by 
Microsoft and specified in RFC4559 [RFC4559], and are stateful; 
otherwise known as multi-round authentication, or connection 
authentication."

As far as I can tell, RFC4559 does not actually define an NTLM auth 
scheme. If it did, we'd need to add it to 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-authscheme-registrations-latest.html>.

(And yes, I know that there's a NTLM scheme used in practice, I just 
don't see it defined by RFC4559).

Later on:

"Unfortunately, the stateful authentication mechanisms were implemented 
and defined in a such a way that directly violates RFC2617 - they do not 
include a "realm" as part of the request. This is problematic in 
HTTP/2.0 because it makes it impossible for a client to disambiguate two 
concurrent server authentication challenges."

If these schemes need HTTP/2.0-specific fixes, these should be defined 
in a separate document, updating RFC4559. Optimally, we can get rid of 
the whole section.

Best regards, Julian
Received on Tuesday, 5 March 2013 20:36:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 March 2013 20:36:52 GMT