I just noticed something else I don't understand in the SASL draft. Can you clarify?

Example 6, in section 4.7.6, shows the client attempting to authenticate but without using the CONNECT request. So far so good -- the client doesn't want a SASL layer, the client simply wants to authenticate. The last GET request in the example shows no WWW-Authenticate header, thus no authorization information -- yet the server responds successfully. Shouldn't every request include the WWW-Authenticate header, until the point where the client decides to "log out"?

This problem wouldn't exist if the 235 error was removed and if SASL worked like Digest/Basic -- the 2nd GET request would clearly contain the authentication, and the response would be 200 OK.

Lisa

Received on Monday, 3 May 2004 15:24:12 GMT