Re: [Bug 18] no record of consensus for force-authenticate

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 31 Oct 2005 19:14:47 +0100
Message-ID: <43665F17.2080208@gmx.de>
To: Jim Whitehead <ejw@soe.ucsc.edu>
CC: Geoffrey M Clemm <geoffrey.clemm@us.ibm.com>, webdav <w3c-dist-auth@w3.org>

Jim Whitehead wrote:
> There are two issues with Expect 100-continue:
> 
> * It is only permitted for methods with request bodies -- it would be 
> far better for a client to have a single mechanism that worked for all 
> methods.

Well, it only has an *effect* for messages with request bodies.

> * The server's behavior after sending a final status code (i.e., a 4xx) 
> is not great -- either read the entire request body and send to 
> /dev/null, or drop the TCP connection. It would be far better if the 
> client never sent the request body in the first place.

My understanding was that the client will never send the body if it doesn't 
get the 100 Continue.

> * From reading the HTTP specification, it's really unclear to me how 
> Expect 100-continue works with proxy authentication. It almost seems as 
> if this mechanism allows you to bypass proxy authentication.
> 
> However, I still think the right action here is:
> 
> * Create a new appendix in 2518bis
> * In this appendix, document the problem
> * Describe the known approaches for addressing the problem (If approach, 
> 100-continue approach) and their issues
> * Create a separate draft focusing just on the Force-Authenticate 
> approach, and discuss on HTTP-WG list.
> 
> Julian seems to think this is an OK approach. Geoff seems to think this 
> is OK. Jim Luther agrees with the separate draft part.
> 
> Dang if that doesn't seem like something approaching rough consensus to me.

Sounds good.

Best regards, Julian
Received on Monday, 31 October 2005 18:15:48 GMT
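
The exchange discussed in this message, as an added example that is not part of the original thread: a server that decides on the request headers alone (401 without credentials, otherwise 100 Continue) and a client that sends the body only after seeing 100. The function names, the host dav.example, the Basic realm and the credentials are constructed for illustration; the client here waits without a timeout, whereas RFC 2616 section 8.2.3 says a client should not wait indefinitely for the 100.

```python
import socket
import threading

BODY = b"x" * 4096  # constructed request body standing in for a large PUT

def read_head(sock):
    """Read up to the blank line ending a header block; return (head, leftover)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head.decode("latin-1"), rest

def server(sock, seen):
    """Decide on the headers alone: 401 without credentials, else 100 then 201."""
    head, rest = read_head(sock)
    if "\r\nauthorization:" not in head.lower():
        sock.sendall(b"HTTP/1.1 401 Unauthorized\r\n"
                     b'WWW-Authenticate: Basic realm="dav"\r\n'
                     b"Connection: close\r\nContent-Length: 0\r\n\r\n")
    else:
        sock.sendall(b"HTTP/1.1 100 Continue\r\n\r\n")
        while len(rest) < len(BODY):
            rest += sock.recv(4096)
        sock.sendall(b"HTTP/1.1 201 Created\r\nContent-Length: 0\r\n\r\n")
    seen.append(len(rest))  # number of body bytes that reached the server
    sock.close()

def put_with_expect(credentials=None):
    """Client side: send headers, then the body only after a 100 Continue."""
    c, s = socket.socketpair()
    seen = []
    t = threading.Thread(target=server, args=(s, seen))
    t.start()
    auth = f"Authorization: Basic {credentials}\r\n" if credentials else ""
    c.sendall((f"PUT /doc HTTP/1.1\r\nHost: dav.example\r\n{auth}"
               f"Content-Length: {len(BODY)}\r\nExpect: 100-continue\r\n\r\n").encode())
    head, _ = read_head(c)
    status = int(head.split()[1])
    if status == 100:  # any final status (here 401) means the body is withheld
        c.sendall(BODY)
        status = int(read_head(c)[0].split()[1])
    t.join()
    c.close()
    return status, seen[0]
```

`put_with_expect()` returns the final status and the number of body bytes the server received, so the unauthenticated case shows the challenge arriving with no body transferred.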
