- From: Norman Walsh <ndw@nwalsh.com>
- Date: Thu, 17 Dec 2009 12:09:46 -0500
- To: public-xml-processing-model-comments@w3.org
- Message-ID: <m26385wmqt.fsf@nwalsh.com>
Florent Georges <fgeorges@fgeorges.org> writes:
[...]
> It seems too restrictive to me, as other authentication methods
> than RFC 2617 can be used. The text later says:
>
> The interpretation of auth-method values on c:request other
> than “Basic” or “Digest” is implementation-defined.
>
> but it is not clear IMHO whether the implementation-defined
> behaviour must be kept within the scope of RFC 2617. I guess
> something like the following would be more clear:
>
> If the username attribute is specified, the username,
> password, auth-method, and send-authorization attributes are
> used to handle authentication, depending on the chosen
> authentication method.
>
> [...]
>
> If the authentication method is either "basic" or "digest",
> authentication is handled as per [RFC 2617].
At the 17 Dec 2009 telcon, the WG agreed substantially with your
request and plans to make the changes you suggest.
> Furthermore, it is not said that the value of auth-method is
> case-insensitive (which I guess is the intention).
As far as I can tell, the values specified by RFC2617 *are*
case-sensitive.
> Last but not least, shouldn't we reserve the method "token" for
> the standardization-in-progress "HTTP Authentication: Token
> Access Authentication", the IETF standardization of the popular
> (and counting) OAuth method:
>
> http://xml.coverpages.org/draft-hammer-http-token-auth-00.txt
Not before that spec is finished.
Please let us know if you're unsatisfied by these resolutions.
Be seeing you,
norm
--
Norman Walsh <ndw@nwalsh.com>
http://nwalsh.com/
"Not to be absolutely certain is, I think, one of the essential things in rationality." --Bertrand Russell
Received on Thursday, 17 December 2009 17:10:23 UTC