- From: Yaron Goland <yarong@microsoft.com>
- Date: Sat, 24 Jan 1998 15:22:47 -0800
- To: "'Jim Davis'" <jdavis@parc.xerox.com>, w3c-dist-auth@w3.org
Whereas LOCK and UNLOCK use the lock-token header and without authentication information an unauthorized principal could perform a PROPFIND on the lockdiscovery property and obtain a lock token in use by another principal and the unauthorized principal could then perform actions they are not allowed to perform and the only way to prevent this is to authenticate that the principal is who they say they are

Therefore

The examples include the use of authentication information in order to make absolutely clear that digest is MANDATORY and REQUIRED in circumstances such as LOCK/UNLOCK.

Yaron

> -----Original Message-----
> From: Jim Davis [SMTP:jdavis@parc.xerox.com]
> Sent: Saturday, January 24, 1998 2:04 PM
> To: w3c-dist-auth@w3.org
> Subject: v6: don't use Authorization in examples
>
> I'd like to suggest that the examples not show the Authorization header, as
> it is irrelevant to the WebDAV methods, and hence a distraction. While I
> understand that DAV makes support for Digest mandatory, surely the details
> are orthogonal to WebDAV per se. If they are not, then I missed something,
> and hence language needs to be added to say what and how.
>
> Putting the Authorization header in requires language explaining "the
> nonce, response, and opaque fields have not been calculated"
>
> Why show the Authorization header only in the LOCK and UNLOCK methods, if
> it actually matters?
>
> This affects 7.12.9, 7.12.10, 7.12.11, 7.13.1

Received on Saturday, 24 January 1998 18:25:16 UTC
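
An added example, not part of the original message or the WebDAV draft: a toy in-memory lock table showing why a lock token readable through lockdiscovery cannot by itself prove who is sending UNLOCK. The class, method names, resource path and principal names are constructed, and `principal` is assumed to come from an already verified Digest login.

```python
import uuid


class LockStore:
    """Toy in-memory lock table: resource -> (token, owning principal)."""

    def __init__(self):
        self._locks = {}

    def lock(self, resource, principal):
        if resource in self._locks:
            raise PermissionError("resource already locked")
        token = "opaquelocktoken:" + str(uuid.uuid4())  # constructed token value
        self._locks[resource] = (token, principal)
        return token

    def lockdiscovery(self, resource):
        # Models PROPFIND on lockdiscovery: any reader sees the active token.
        entry = self._locks.get(resource)
        return entry[0] if entry else None

    def unlock_token_only(self, resource, token):
        # Weak form: possession of the token is treated as proof of ownership.
        entry = self._locks.get(resource)
        if entry and entry[0] == token:
            del self._locks[resource]
            return True
        return False

    def unlock(self, resource, token, principal):
        # Checked form: the token must match AND the authenticated principal
        # (assumed verified by Digest before this call) must own the lock.
        entry = self._locks.get(resource)
        if entry and entry[0] == token and entry[1] == principal:
            del self._locks[resource]
            return True
        return False


def demo():
    """alice holds the lock; mallory only reads the token via lockdiscovery."""
    results = {}
    for mode in ("token_only", "authenticated"):
        store = LockStore()
        store.lock("/doc.html", "alice")
        seen = store.lockdiscovery("/doc.html")
        if mode == "token_only":
            results[mode] = store.unlock_token_only("/doc.html", seen)
        else:
            results[mode] = store.unlock("/doc.html", seen, "mallory")
    return results
```
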