Another issue on SASL draft

From: Lisa Dusseault <lisa@osafoundation.org>
Date: Mon, 3 May 2004 11:51:29 -0700
Message-Id: <E399BA96-9D32-11D8-AF45-000A95B2BB72@osafoundation.org>
Cc: Webdav WG <w3c-dist-auth@w3c.org>
To: Alexey Melnikov <Alexey.Melnikov@isode.com>, Magnus Nystrom <magnus@rsasecurity.com>

I just noticed something else I don't understand in the SASL draft.
Can you clarify?

Example 6, in section 4.7.6, shows the client attempting to
authenticate but without using the CONNECT request.  So far so good --
the client doesn't want a SASL layer, the client simply wants to
authenticate.  The last GET request in the example shows no
WWW-Authenticate header, thus no authorization information -- yet the
server responds successfully.  Shouldn't every request include the
header, until the point where the client decides to "log out"?

This problem wouldn't exist if the 235 error was removed and if SASL
worked like Digest/Basic -- the 2nd GET request would clearly contain
the authentication, and the response would be 200 OK.

Received on Monday, 3 May 2004 15:24:12 UTC
