
Another issue on SASL draft

From: Lisa Dusseault <lisa@osafoundation.org>
Date: Mon, 3 May 2004 11:51:29 -0700
Message-Id: <E399BA96-9D32-11D8-AF45-000A95B2BB72@osafoundation.org>
Cc: Webdav WG <w3c-dist-auth@w3c.org>
To: Alexey Melnikov <Alexey.Melnikov@isode.com>, Magnus Nystrom <magnus@rsasecurity.com>


I just noticed something else I don't understand in the SASL draft. Can you clarify?

Example 6, in section 4.7.6, shows the client attempting to authenticate but without using the CONNECT request. So far so good -- the client doesn't want a SASL layer, the client simply wants to authenticate. The last GET request in the example shows no WWW-Authenticate header, thus no authorization information -- yet the server responds successfully. Shouldn't every request include the WWW-Authenticate header, until the point where the client decides to "log out"?

This problem wouldn't exist if the 235 error was removed and if SASL worked like Digest/Basic -- the 2nd GET request would clearly contain the authentication, and the response would be 200 OK.

Lisa
Received on Monday, 3 May 2004 15:24:12 GMT
