
p:http-request: authentication concerns

From: Florent Georges <fgeorges@fgeorges.org>
Date: Wed, 16 Dec 2009 13:15:02 +0100
Message-ID: <ebaca5bf0912160415o6bcc85fag4accc264a1aa3d09@mail.gmail.com>
To: XProc Comments <public-xml-processing-model-comments@w3.org>
  Hi,

  The current draft for p:http-request says:

    If the username attribute is specified, the username,
    password, auth-method, and send-authorization attributes are
    used to handle authentication as per [RFC 2617].

  It seems too restrictive to me, as other authentication methods
than RFC 2617 can be used.  The text later says:

    The interpretation of auth-method values on c:request other
    than “Basic” or “Digest” is implementation-defined.

but it is not clear IMHO whether the implementation-defined
behaviour must be kept within the scope of RFC 2617.  I guess
something like the following would be more clear:

    If the username attribute is specified, the username,
    password, auth-method, and send-authorization attributes are
    used to handle authentication, depending on the chosen
    authentication method.

    [...]

    If the authentication method is either "basic" or "digest",
    authentication is handled as per [RFC 2617].

  Furthermore, it is not said that the value of auth-method is
case-insensitive (which I guess is the intention).

  Last but not least, shouldn't we reserve the method "token" for
the standardization-in-progress "HTTP Authentication: Token
Access Authentication", the IETF standardization of the popular
(and counting) OAuth method:

http://xml.coverpages.org/draft-hammer-http-token-auth-00.txt

  Regards,

-- 
Florent Georges
http://www.fgeorges.org/
Received on Wednesday, 16 December 2009 12:15:33 GMT
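Added example, not part of Florent's post and not code from any XProc implementation: a Python sketch of what "handled as per [RFC 2617]" means for the two auth-method values the draft names, with the method name matched case-insensitively as the post suggests, and with any other value (such as "token") refused instead of silently being squeezed into RFC 2617 rules. The function names, the parse_challenge helper and the argument layout are mine; the sample WWW-Authenticate challenge and credentials are the test vectors from RFC 2617 sections 2 and 3.5; the reading of send-authorization as "send Basic credentials with the first request, without waiting for a 401" is an assumption about the draft, which the post does not quote on that point.

```python
"""Added example: Authorization header construction for the RFC 2617 schemes
that the XProc p:http-request draft names (basic, digest). Not from the
mailing-list post or from any XProc implementation."""
import base64
import hashlib
import re
from typing import Dict, Optional

# Constructed sample challenge: the example from RFC 2617 section 3.5.
SAMPLE_WWW_AUTHENTICATE = (
    'Digest realm="testrealm@host.com", qop="auth,auth-int", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

_PARAM = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^,\s]+))')


def parse_challenge(www_authenticate: str) -> Dict[str, str]:
    """Split a WWW-Authenticate value into scheme plus auth-params (RFC 2617 1.2)."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    parsed = {"scheme": scheme.lower()}
    for key, quoted, bare in _PARAM.findall(params):
        parsed[key.lower()] = quoted if quoted else bare
    return parsed


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_credentials(username: str, password: str) -> str:
    """RFC 2617 section 2: base64 of 'userid:password'. The user-id must not
    contain ':' because the receiver splits on the first colon."""
    if ":" in username:
        raise ValueError("Basic user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def digest_credentials(username: str, password: str, challenge: Dict[str, str],
                       method: str = "GET", uri: str = "/",
                       nc: str = "00000001", cnonce: str = "0a4f113b") -> str:
    """RFC 2617 section 3.2.2 request-digest with the default MD5 algorithm.
    Uses qop=auth when the server offers it, otherwise the older RFC 2069 form."""
    realm, nonce = challenge["realm"], challenge["nonce"]
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    offered = [q.strip() for q in challenge.get("qop", "").split(",") if q.strip()]
    if "auth" in offered:
        response = _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        qop_params = f', qop=auth, nc={nc}, cnonce="{cnonce}"'
    else:
        response = _md5_hex(f"{ha1}:{nonce}:{ha2}")
        qop_params = ""
    opaque = f', opaque="{challenge["opaque"]}"' if "opaque" in challenge else ""
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}"{qop_params}, response="{response}"{opaque}')


def authorization_for_request(auth_method: str, username: str, password: str,
                              send_authorization: bool = False,
                              www_authenticate: Optional[str] = None,
                              method: str = "GET", uri: str = "/") -> Optional[str]:
    """Mirrors the c:request attributes discussed in the post. Returns the
    Authorization value to send, or None when the step should first wait for
    a 401 challenge. Assumed semantics: send-authorization=True means Basic
    credentials go out with the first request, unprompted."""
    scheme = auth_method.strip().lower()  # auth-method treated as case-insensitive
    challenge = parse_challenge(www_authenticate) if www_authenticate else None
    if scheme == "basic":
        if challenge is None and not send_authorization:
            return None
        return basic_credentials(username, password)
    if scheme == "digest":
        if challenge is None or challenge["scheme"] != "digest":
            return None  # Digest needs the server nonce; it cannot be sent unprompted
        return digest_credentials(username, password, challenge, method, uri)
    # Anything else is implementation-defined in the draft: refuse rather than
    # quietly applying RFC 2617 rules to a scheme such as "token".
    raise NotImplementedError(f"auth-method {auth_method!r} is not an RFC 2617 scheme")


if __name__ == "__main__":
    print(authorization_for_request("BASIC", "Aladdin", "open sesame", send_authorization=True))
    print(authorization_for_request("digest", "Mufasa", "Circle Of Life",
                                    www_authenticate=SAMPLE_WWW_AUTHENTICATE,
                                    uri="/dir/index.html"))
```

Two practical points the code makes visible: Basic credentials are reversible encoding, not protection, so sending them unprompted (send-authorization) is only safe over TLS; and Digest can never be preemptive because the response binds the server's nonce, which is why the dispatch returns None until a challenge arrives.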
