W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > October to December 2005

Re: [Bug 18] no record of consensus for force-authenticate

From: Cullen Jennings <fluffy@cisco.com>
Date: Mon, 17 Oct 2005 12:01:50 -0700
To: Julian Reschke <julian.reschke@gmx.de>, WebDav <w3c-dist-auth@w3.org>
Message-ID: <BF79432E.55A6F%fluffy@cisco.com>


Out of curiosity, is this something most servers do or something that most
people have not implemented?


On 10/15/05 12:35 PM, "Julian Reschke" <julian.reschke@gmx.de> wrote:

> Proposed resolution for
> <http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=18>:
> 
> History:
> 
> The "force-authenticate" request header was initially proposed by Ilya
> Kirnos, and we had a discussion about this back three years ago
> <http://lists.w3.org/Archives/Public/w3c-dist-auth/2002JulSep/thread.html#291>
> ). 
> As far as I can tell, the consensus back then was not to define a new
> header, but to make use of an "If" request header that was known to
> alway evaluate to false instead.
> 
> In January 2003, the WG had an interim meeting hosted by Apple, during
> which the problem was discussed again. Unfortunately, there doesn't seem
> to be any public record of what was discussed on the second day (which
> AFAIR was the day we discussed this topic). (Minutes for day one in
> <http://lists.w3.org/Archives/Public/w3c-dist-auth/2003JanMar/0075.html>).
> 
> The "Force-Authentication" header was then introduced in draft 03
> (<http://greenbytes.de/tech/webdav/draft-ietf-webdav-rfc2518bis-03.txt>),
> but I can't find any record of a consensus reached on the mailing list.
> 
> I therefore propose to remove the header from the spec, encouraging
> those who feel that this feature is needed to solve a real-world problem
> to restart the discussion on the mailing list (containing a precise
> problem statement, and an analysis why the current spec isn't sufficient
> in this regard).
> 
> In addition to removing section 9.4, further changes would be:
> 
> Section 17., para. 11:
> OLD:
> 
>     A resource can explicitly advertise its support for the revisions to
>     RFC2518 made in this document.  In particular, this allows clients to
>     use the Force-Authentication header on requests.  Class 1 must be
>     supported as well.  Class 2 MAY be supported.
> 
> NEW:
> 
>     A resource can explicitly advertise its support for the revisions to
>     RFC2518 made in this document.  Class 1 must be supported as well.
>     Class 2 MAY be supported.
> 
> 
> Section 17., para. 13:
> OLD:
> 
>     o  the Force-Authentication header.
> 
>     o  Any behavior that it supports, in the manner specified in this
>        document, rather than in the manner specified in RFC2518, for all
>        client requests.  A server MAY use an older behavior for specific
>        clients that are discovered to have interoperability problems with
>        the requirements of this specification, but MUST NOT use an older
>        behavior indiscriminately.
> 
> NEW:
> 
>     o  Any behavior that it supports, in the manner specified in this
>        document, rather than in the manner specified in RFC2518, for all
>        client requests.  A server MAY use an older behavior for specific
>        clients that are discovered to have interoperability problems with
>        the requirements of this specification, but MUST NOT use an older
>        behavior indiscriminately.
> 
> 
> Section 21., para. 8:
> OLD:
> 
>     Valuable contributions to RFC2518 bis came from some already named.
>     New contributors must also be gratefully acknowledged.  Julian
>     Reschke, Geoff Clemm, Joel Soderberg, and Dan Brotsky hashed out
>     specific text on the list or in meetings.  Ilya Kirnos supplied text
>     for Force-Authentication header.  Joe Hildebrand contributed as co-
>     chair.
> 
> NEW:
> 
>     Valuable contributions to RFC2518 bis came from some already named.
>     New contributors must also be gratefully acknowledged.  Julian
>     Reschke, Geoff Clemm, Joel Soderberg, and Dan Brotsky hashed out
>     specific text on the list or in meetings.  Joe Hildebrand contributed
>     as co-chair.
> 
> 
> Best regards, Julian
> --- draft-ietf-webdav-rfc2518bis-07.xml 2005-10-15 19:19:46.000000000 +0100
> +++ rfc2518bis-08-bug18.xml 2005-10-15 20:29:23.000000000 +0100
> @@ -3112,23 +3112,7 @@
>     to the remote server using PUT/PROPPATCH or another mechanism.
>      </t>
>    </section>
> -  
> -  <section title="Force-Authentication Header">
> -    <t>
> -   Force-Authentication = "Force-Authentication" ":" Method
> -    </t>
> -    <t>
> -   The Force-Authentication request header is used with the OPTIONS method to
> -   specify that the client wants to be challenged for authentication
> -   credentials to the resource identified by the Request-URI.  If
> -   present on a request to a WebDAV-compliant resource, the server MUST
> -   respond with either 401 (Unauthorized) or 501 (Not Implemented)
> -   status code. The Method value is used for the client to indicate
> -   what method it intends to use first on the resource identified in
> -   the Request-URI.
> -    </t>
> -  </section>
> -  
> +    
>    <section title="If Header">
>      <figure>
>        <artwork>
> @@ -4832,15 +4816,13 @@
>    <section title="Class 'bis'">
>      <t>
>     A resource can explicitly advertise its support for the revisions to
> -   RFC2518 made in this document. In particular, this allows clients to
> -   use the Force-Authentication header on requests.  Class 1 must be
> +   RFC2518 made in this document.  Class 1 must be
>     supported as well. Class 2 MAY be supported.
>      </t>
>      <t>
>     A resource that supports bis MUST support:
>      </t>
>      <t><list style="symbols">
> -      <t>the Force-Authentication header.  </t>
>        <t>Any behavior that it supports, in the manner specified in this
>     document, rather than in the manner specified in RFC2518, for all
>     client requests.  A server MAY use an older behavior for specific
> @@ -5200,8 +5182,7 @@
>     Valuable contributions to RFC2518 bis came from some already named.
>     New contributors must also be gratefully acknowledged. Julian
>     Reschke, Geoff Clemm, Joel Soderberg, and Dan Brotsky hashed out
> -   specific text on the list or in meetings. Ilya Kirnos supplied text
> -   for Force-Authentication header.  Joe Hildebrand contributed as
> +   specific text on the list or in meetings.  Joe Hildebrand contributed as
>     co-chair.
>    </t>
>  </section>
Received on Monday, 17 October 2005 21:25:17 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:10 GMT