
RE: v6: don't use Authorization in examples

From: Yaron Goland <yarong@microsoft.com>
Date: Sat, 24 Jan 1998 15:22:47 -0800
Message-ID: <3FF8121C9B6DD111812100805F31FC0D0113C6EA@red-msg-59.dns.microsoft.com>
To: "'Jim Davis'" <jdavis@parc.xerox.com>, w3c-dist-auth@w3.org
Whereas

LOCK and UNLOCK use the lock-token header

and

without authentication information an unauthorized principal could perform a
PROPFIND on the lockdiscovery property and obtain a lock token in use by
another principal

and 

the unauthorized principal could then perform actions they are not allowed
to perform

and

the only way to prevent this is to authenticate that the principal is who
they say they are

Therefore

The examples include the use of authentication information in order to make
absolutely clear that digest is MANDATORY and REQUIRED in circumstances such
as LOCK/UNLOCK.

			Yaron


> -----Original Message-----
> From:	Jim Davis [SMTP:jdavis@parc.xerox.com]
> Sent:	Saturday, January 24, 1998 2:04 PM
> To:	w3c-dist-auth@w3.org
> Subject:	v6: don't use Authorization in examples
> 
> I'd like to suggest that the examples not show the Authorization header,
> as it is irrelevant to the WebDAV methods, and hence a distraction.  While I
> understand that DAV makes support for Digest mandatory, surely the details
> are orthogonal to WebDAV per se.  If they are not, then I missed
> something, and hence language needs to be added to say what and how.
> 
> Putting the Authorization header in requires language explaining "the
> nonce, response, and opaque fields have not been calculated"
> 
> Why show the Authorization header only in the LOCK and UNLOCK methods, if
> it actually matters?
> 
> This affects 7.12.9, 7.12.10, 7.12.11, 7.13.1
Received on Saturday, 24 January 1998 18:25:16 GMT
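
The server-side check this thread argues for, as an added example that is not part of the original messages or of the WebDAV draft: a toy in-memory lock table where UNLOCK is refused unless the authenticated principal is the lock owner, even when the token presented is the correct one. It assumes the principal has already been established by HTTP authentication (`None` means no credentials were sent); the class, method and principal names are hypothetical, and the token value is constructed.

```python
import secrets


class LockError(Exception):
    """Raised when a LOCK or UNLOCK request must be refused."""


class LockManager:
    """Toy lock table (hypothetical): resource -> (lock token, owner)."""

    def __init__(self):
        self._locks = {}

    def lock(self, resource, principal):
        if principal is None:
            raise LockError("unauthenticated")
        if resource in self._locks:
            raise LockError("already locked")
        # Constructed token; it is an identifier, not a credential.
        token = "opaquelocktoken:" + secrets.token_hex(16)
        self._locks[resource] = (token, principal)
        return token

    def lockdiscovery(self, resource):
        # Models PROPFIND on lockdiscovery: any reader of the property
        # learns the token currently in use.
        entry = self._locks.get(resource)
        return [entry[0]] if entry else []

    def unlock(self, resource, token, principal):
        entry = self._locks.get(resource)
        if entry is None or not secrets.compare_digest(entry[0], token):
            raise LockError("no such lock")
        # Knowing the token is not enough: bind the lock to its owner.
        if principal is None:
            raise LockError("unauthenticated")
        if principal != entry[1]:
            raise LockError("not lock owner")
        del self._locks[resource]


def demo():
    """Present the same discovered token as three different principals."""
    mgr = LockManager()
    mgr.lock("/doc.html", "alice")
    token = mgr.lockdiscovery("/doc.html")[0]
    outcomes = {}
    for who in (None, "mallory", "alice"):
        try:
            mgr.unlock("/doc.html", token, who)
            outcomes[who] = "unlocked"
        except LockError as exc:
            outcomes[who] = str(exc)
    return outcomes
```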
