RE: v6: don't use Authorization in examples

From: Yaron Goland <yarong@microsoft.com>
Date: Sat, 24 Jan 1998 15:22:47 -0800
Message-ID: <3FF8121C9B6DD111812100805F31FC0D0113C6EA@red-msg-59.dns.microsoft.com>
To: "'Jim Davis'" <jdavis@parc.xerox.com>, w3c-dist-auth@w3.org
Whereas

LOCK and UNLOCK use the lock-token header

without authentication information an unauthorized principal could perform a PROPFIND on the lockdiscovery property and obtain a lock token in use by another principal

the unauthorized principal could then perform actions they are not allowed to perform

the only way to prevent this is to authenticate that the principal is who they say they are

The examples include the use of authentication information in order to make absolutely clear that digest is MANDATORY and REQUIRED in circumstances such

> -----Original Message-----
> From:	Jim Davis [SMTP:jdavis@parc.xerox.com]
> Sent:	Saturday, January 24, 1998 2:04 PM
> To:	w3c-dist-auth@w3.org
> Subject:	v6: don't use Authorization in examples
>
> I'd like to suggest that the examples not show the Authorization header, as it is irrelevant to the WebDAV methods, and hence a distraction.  While I understand that DAV makes support for Digest mandatory, surely the details are orthogonal to WebDAV per se.  If they are not, then I missed something, and hence language needs to be added to say what and how.
>
> Putting the Authorization header in requires language explaining "the nonce, response, and opaque fields have not been calculated"
>
> Why show the Authorization header only in the LOCK and UNLOCK methods, if it actually matters?
>
> This affects 7.12.9, 7.12.10, 7.12.11, 7.13.1
Received on Saturday, 24 January 1998 18:25:16 UTC
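The attack Yaron describes, worked through as an added example that is not part of the thread or of any WebDAV implementation: a principal with no credentials issues PROPFIND for DAV:lockdiscovery, harvests the lock token from the 207 response, and replays it in an If: header. The Multi-Status body, the opaquelocktoken value, the URL and the principals "alice" and "mallory" are all constructed for this illustration; the two server-side checks are hypothetical policies, one that treats token possession as authorization and one that additionally requires the request to be authenticated as the principal who took the lock, which is the property the message says only authentication can provide.

```python
"""Harvesting a WebDAV lock token via PROPFIND, and why only authentication stops
its misuse. Added illustration; every value below is constructed."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

DAV = "DAV:"  # the WebDAV XML namespace

# Constructed 207 Multi-Status body: what an unauthenticated PROPFIND for
# DAV:lockdiscovery would return if the server answers it without credentials.
PROPFIND_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>http://example.com/docs/report.txt</D:href>
    <D:propstat>
      <D:prop>
        <D:lockdiscovery>
          <D:activelock>
            <D:locktype><D:write/></D:locktype>
            <D:lockscope><D:exclusive/></D:lockscope>
            <D:depth>0</D:depth>
            <D:owner><D:href>mailto:alice@example.com</D:href></D:owner>
            <D:timeout>Second-604800</D:timeout>
            <D:locktoken>
              <D:href>opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4</D:href>
            </D:locktoken>
          </D:activelock>
        </D:lockdiscovery>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>
"""


def lock_tokens_from_propfind(body: bytes) -> List[str]:
    """Return every lock token URI in a Multi-Status body (what the attacker harvests)."""
    root = ET.fromstring(body)
    path = (f".//{{{DAV}}}lockdiscovery/{{{DAV}}}activelock/"
            f"{{{DAV}}}locktoken/{{{DAV}}}href")
    return [el.text.strip() for el in root.iterfind(path) if el.text]


def tokens_from_if_header(value: str) -> List[str]:
    """Pull the coded URLs (<...>) out of an If: header, ignoring ETags and Not."""
    return re.findall(r"<([^>]+)>", value)


@dataclass
class Lock:
    token: str
    owner: str  # authenticated principal that issued the LOCK (hypothetical record)


def write_allowed_token_only(lock: Lock, if_header: str) -> bool:
    """Weak policy: possession of the token is treated as authorization.
    Anyone who could read lockdiscovery passes this check."""
    return lock.token in tokens_from_if_header(if_header)


def write_allowed(lock: Lock, if_header: str, principal: Optional[str]) -> bool:
    """Policy the message argues for: the request must carry the token AND be
    authenticated (e.g. via Digest) as the principal who created the lock."""
    return (principal is not None
            and principal == lock.owner
            and lock.token in tokens_from_if_header(if_header))


def demo() -> dict:
    """Replay the harvested token against both policies."""
    stolen = lock_tokens_from_propfind(PROPFIND_RESPONSE)[0]
    if_header = f"(<{stolen}>)"  # what mallory puts on her PUT or DELETE
    lock = Lock(token=stolen, owner="alice")
    return {
        "token_only, unauthenticated": write_allowed_token_only(lock, if_header),
        "hardened, unauthenticated": write_allowed(lock, if_header, None),
        "hardened, authenticated as mallory": write_allowed(lock, if_header, "mallory"),
        "hardened, authenticated as alice": write_allowed(lock, if_header, "alice"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:36s} -> {'write accepted' if ok else 'rejected'}")
```

The example does not implement Digest itself; it models the outcome Digest provides, an authenticated principal name the server can compare against the lock owner. Without that name the token is the only thing the server can check, and the token is public by design because lockdiscovery exists to expose it.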