W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Reuse of credentials per realm, was: SECDIR review of draft-ietf-httpbis-p7-auth-24

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 30 Oct 2013 17:25:07 +0100
Message-ID: <527132E3.3000001@gmx.de>
To: Stephen Kent <kent@bbn.com>, secdir <secdir@ietf.org>, fielding@gbiv.com, mnot@pobox.com, Barry Leiba <barryleiba@computer.org>, Pete Resnick <presnick@qti.qualcomm.com>, "Mankin, Allison" <amankin@verisign.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 2013-10-29 20:35, Stephen Kent wrote:
> ...
> In Section 2.2 the text says:
>
> The protection space determines the domain over which credentials can
>
> be automatically applied.If a prior request has been authorized,
>
> the user agent MAY reuse the same credentials for all other requests
>
> within that protection space for a period of time determined by the
>
> authentication scheme, parameters, and/or user preference.
>
> Iím not clear how user preferences fit into this process. It would seem
> that the server would decide whether a prior authorization is valid for
> later requests, not a user.
> ...

Of course it's up to the server to accept or reject it. The text you 
cite is about the user agent deciding whether it can try to use the 
credentials.

Does this require a clarification?

Best regards, Julian
Received on Wednesday, 30 October 2013 16:25:39 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:18 UTC