Re: Markup Validator can not proxy digest auth?

On Mon, 2007-01-22 at 13:20 +0900, olivier Thereaux wrote:
[...]
> Conclusion: bad news, everyone, I think we can't "proxy" digest auth  
> - unless I'm mistaken, and trust me, I'd love to be wrong here.

I concur with the diagnosis; I think you're not wrong.

Lots of security mechanisms don't support delegation.
(that's why we're doing policy-aware web research. 
http://www.policyawareweb.org/ ).


>  I  
> can't recall who made the first implementation  of the auth proxying  
> for the validator. Gerald? Terje? Would you concur?
> 
> 
> We then have the choice betweem
> 
> 1) CLIENT <- basic auth -> VALIDATOR <- digest auth -> SERVER
> (which, arguably, is wrong wrong wrong

yeah.

>  - we'd be putting the SERVER  
> at risk without their consent. Plus, I'm not even sure it's entirely  
> feasible.)
> or
> 2) "sorry, we can not validator resources protected by digest  
> authentication. Use the upload feature of the validator, or install a  
> local instance of the validator in your network, and give access to  
> your resources to that server".

I think I could live with that, but I'm not sure...

> Thoughts? Different diagnosis? Is this a showstopper for switching  
> w3.org servers to digest auth, seeing as it's not only going to break  
> validation, but all sorts of services too (xslt, etc.)?

I wonder if I rely on any of those... perhaps the poor-man's
issue tracker... and annospam.

-- 
Dan Connolly, W3C http://www.w3.org/People/Connolly/
gpg D3C2 887B 0F92 6005 C541  0875 0F91 96DE 6E52 C29E
office: tel:+1-617-395-0241
mobile: tel:+1-816-616-6576
mobile: mailto:connolly+pager@w3.org

Received on Monday, 22 January 2007 14:31:34 UTC