
RE: Interop issue: how can clients force authentication?

From: Lisa Dusseault <lisa@xythos.com>
Date: Tue, 17 Sep 2002 23:14:29 -0700
To: "'Clemm, Geoff'" <gclemm@rational.com>, "'Webdav WG'" <w3c-dist-auth@w3c.org>
Message-ID: <00e801c25eda$a64052b0$b701a8c0@xythoslap>

 
> Actually, I'd suggest a simple logical contradiction, i.e.:
> 
> If: ("A" Not "A")
> 
...
> 
> etag support isn't required, and locking support isn't required,
> but support for the If header is required.

I'm not so sure a server will implement the If header if it doesn't
implement locking.  I'd agree it's required, but it may not be there.
And there's certainly no requirement now that servers do authentication
checks when they do If checks.  That's not required by RFC2518 -- e.g.
if the If test fails because it's logically impossible, then why bother
authenticating?

This seems like trying to fit a round peg in a square hole.

> 
> So I suggest we check whether any server does the If check
> before it does an authentication check.  It certainly shouldn't,
> since the success or failure of the If check tells you something
> about the resource which you probably shouldn't know if you are
> not authenticated.
> 
> I would have no objection to adding a statement to 2518bis that
> states that a server SHOULD do authentication checks before any
> If checks.
> 
> Cheers,
> Geoff
Received on Wednesday, 18 September 2002 02:16:53 GMT
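
Added example, not part of the original message or of any server discussed on the list: a minimal Python model of the two check orderings debated in this thread, showing what an unauthenticated client can learn from the status code when the If check runs first. The names `RESOURCE`, `VALID_CREDS`, `if_matches` and `handle` are hypothetical, the sample state is constructed, and the parser covers only a single untagged RFC 2518 list such as `(["etag"] Not <token>)`.

```python
import re

# Constructed sample state: one resource with an ETag and an active lock token.
RESOURCE = {"etag": '"v7"', "lock": "opaquelocktoken:example-1234"}
VALID_CREDS = "Basic constructed-credential"  # placeholder; stands in for real auth

# One condition: optional "Not", then [entity-tag] or <state-token>.
COND = re.compile(r'\s*(Not\s+)?(?:\[([^\]]+)\]|<([^>]+)>)')

def if_matches(header, res):
    """Evaluate one untagged list '(cond cond ...)'; every condition must hold."""
    text = header.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("unsupported If syntax")
    body = text[1:-1].strip()
    if not body:
        raise ValueError("empty condition list")
    pos, result = 0, True
    while pos < len(body):
        m = COND.match(body, pos)
        if not m:
            raise ValueError("bad condition at offset %d" % pos)
        negate, etag, token = m.groups()
        held = (etag == res["etag"]) if etag is not None else (token == res["lock"])
        result = result and (held != bool(negate))  # "Not" inverts the condition
        pos = m.end()
    return result

def handle(headers, res, auth_first):
    """Return the status a server would send under the chosen check ordering."""
    authed = headers.get("Authorization") == VALID_CREDS
    if auth_first and not authed:
        return 401  # challenge before touching any resource state
    if "If" in headers and not if_matches(headers["If"], res):
        return 412  # Precondition Failed
    if not authed:
        return 401  # If-first ordering: challenge only after the If check passed
    return 204

if __name__ == "__main__":
    for label, auth_first in (("If first", False), ("auth first", True)):
        for value in ('(["v7"])', '(["v6"])', '(["v7"] Not ["v7"])'):
            print(label, value, handle({"If": value}, RESOURCE, auth_first))
```

With the If check first, an anonymous request gets 401 for the current ETag and 412 for any other, so the status code confirms resource state, and the contradictory header draws 412 with no challenge at all. With authentication first, every anonymous request gets 401.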
