RE: v6: don't use Authorization in examples

Well, actually, I think some of the use of Digest authentication in 
examples should stay in the spec.  Examples have a strong normative 
influence on implementations, and since we are requiring support of Digest 
authentication, it should be used in some of the examples.  Furthermore, by 
using Digest in some of our examples, it demonstrates that Digest 
authentication isn't just window dressing in the Security Considerations 
section.

However, the point is well taken that other forms of authentication are 
very likely to develop over the lifetime of the WebDAV protocol, such as 
those based on biometric information (e.g., lost cost fingerprinting, 
eventually ~$10/device in volume, at: 
http://www.whovision.com/info_fr.html), or in an underlying protocol, and 
hence not all examples should use Digest authentication for their 
authentication.

So, my proposal is to remove the Authorization header from the examples in 
the following sections:

5.7.1 (Write Lock Token), 7.11.4 (MOVE collection).

These sections should have a brief note which states,

"In this example, user agent authentication has previously occurred via a 
mechanism outside the scope of the HTTP protocol, in an underlying 
transport layer.

However, I feel we should keep the Digest Authorization headers in the LOCK 
and UNLOCK examples of Sections 7.12.9, 7.12.10, 7.12.11, and 7.13.1 to 
drive home the point that these methods require authentication to have any 
meaning.

> > I believe that the details of digest authentication are being
> > tweaked (yes, even at the last minute) so that it's risky
> > to include examples unless you're prepared to update them.

Since WebDAV is using RFC 2069 as its reference for Digest authentication, 
and the Draft Standard version of Digest auth. is not yet complete (or even 
in working group last call), for the time being the Digest examples do not 
need to be synched with these changes.

- Jim

Received on Monday, 26 January 1998 15:17:30 UTC