W3C home > Mailing lists > Public > public-qa-dev@w3.org > January 2007

Re: Markup Validator can not proxy digest auth?

From: Nick Kew <nick@webthing.com>
Date: Mon, 22 Jan 2007 14:33:54 +0000
To: olivier Thereaux <ot@w3.org>
Cc: QA Dev <public-qa-dev@w3.org>, w3t-sys Team <w3t-sys@w3.org>
Message-ID: <20070122143354.4792e844@grimnir>

On Mon, 22 Jan 2007 13:20:52 +0900
olivier Thereaux <ot@w3.org> wrote:

> 
> It took me almost half a day thinking there was a bug in the  
> validator, but as I finally found out, there's no bug: by *design*
> of Digest Auth, the markup validator can not proxy digest
> authentication like it does for basic authentication.

'ang on!  What's the usage scenario for proxying digest auth?

> We then have the choice betweem
> 
> 1) CLIENT <- basic auth -> VALIDATOR <- digest auth -> SERVER
> (which, arguably, is wrong wrong wrong - we'd be putting the SERVER  
> at risk without their consent. Plus, I'm not even sure it's entirely  
> feasible.)

Oh, you mean sending an authentication challenge to $user for a
page that's protected by digest auth.  That requires us to
have a valid username/password.  The only way to collect that
securely would be over https.

> 2) "sorry, we can not validator resources protected by digest  
> authentication. Use the upload feature of the validator, or install
> a local instance of the validator in your network, and give access
> to your resources to that server".

Seems preferable.  Digest authentication is, broadly speaking,
for users who care about their access control.

OTOH, that's not proxying you're talking about, and you *can*
proxy digest auth.  Not that I'd recommend turning v.w.o into
something the nastybots would identify as an open proxy:-)

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
Received on Monday, 22 January 2007 14:34:05 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 19 August 2010 18:12:47 GMT