Fwd: [Moderator Action] Appendix D comments

From: Jim Whitehead <ejw@soe.ucsc.edu>
Date: Wed, 4 Jan 2006 14:05:00 -0800
To: webdav WG <w3c-dist-auth@w3.org>
Message-Id: <85E49318-4559-415D-9FB2-2D452D17CFAC@cs.ucsc.edu>
Forwarding to the list.
- Jim

Begin forwarded message:

> From: Joe Orton <jorton@redhat.com>
> Date: January 4, 2006 1:58:46 PM PST
> To: w3c-dist-auth@w3.org
> Subject: [Moderator Action] Appendix D comments
>
>
>
> Lisa filed an Apache bug concerning the handling of an unsolicited
> Authorization header.  I don't agree with the conclusion that 2617 says
> the server SHOULD do anything at all in that case.
>
> It is perfectly valid for the server to "accept" and ignore an
> Authorization header if it has no authentication requirements for the
> resource.  There is no requirement that the server should try and invent
> some bogus WWW-Authorization challenge to give in that case.
>
> I don't think any of the guidance given in Appendix D of the -10 draft
> is particularly good.  The title itself is pretty bad :) Clients should
> not "desire to authenticate" in the first place.
>
> The only guidance to implementors that is really relevant to the problem
> at hand is that servers and proxies should implement 100-continue
> support properly, so that clients can then rely upon and use that
> feature to avoid wasting bandwidth (and time) when required to
> authenticate.
>
> The guaranteed-to-fail-If-Match trick is a nice hack but given that
> If-Match support in deployed servers is probably worse than 100-continue
> support I don't see why 2518bis should encourage use of a hack above use
> of a well-defined HTTP/1.1 protocol feature.
>
> Regards,
>
> joe
Received on Wednesday, 4 January 2006 22:05:11 GMT
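
The 100-continue exchange the forwarded message refers to, as an added example that is not part of the original mail or of any server's own code: a client sends only the headers of a large PUT with `Expect: 100-continue` and transmits the body only after the server answers `100 Continue`. The toy server, the `/doc` path, the body and the credential are constructed for illustration, and the server accepts any Authorization header without validating it.

```python
import socket, threading

BODY = b"x" * 100_000  # constructed stand-in for a large PUT body

def serve_once(srv):
    """Toy origin server: decides from the request headers alone."""
    conn, _ = srv.accept()
    with conn, conn.makefile("rb") as f:
        f.readline()  # request line
        hdrs = dict(l.decode("latin-1").lower().split(":", 1)
                    for l in iter(f.readline, b"\r\n"))
        if "authorization" not in hdrs:
            # Final status instead of 100: the client never sends the body.
            conn.sendall(b"HTTP/1.1 401 Unauthorized\r\n"
                         b'WWW-Authenticate: Basic realm="dav"\r\n'
                         b"Content-Length: 0\r\n\r\n")
            return
        conn.sendall(b"HTTP/1.1 100 Continue\r\n\r\n")
        f.read(int(hdrs["content-length"]))  # the body arrives only now
        conn.sendall(b"HTTP/1.1 201 Created\r\nContent-Length: 0\r\n\r\n")

def put(port, auth=None):
    """PUT with Expect: 100-continue; returns (final status, body bytes sent)."""
    req = ["PUT /doc HTTP/1.1", "Host: localhost",
           f"Content-Length: {len(BODY)}", "Expect: 100-continue"]
    req += [f"Authorization: {auth}"] if auth else []
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(("\r\n".join(req) + "\r\n\r\n").encode())
        with s.makefile("rb") as f:
            status, sent = int(f.readline().split()[1]), 0
            if status == 100:      # server agreed to take the body
                f.readline()       # blank line ending the interim response
                s.sendall(BODY)
                sent = len(BODY)
                status = int(f.readline().split()[1])
            return status, sent

def demo():
    out = []
    for auth in (None, "Basic dXNlcjpwYXNz"):  # constructed credential
        srv = socket.create_server(("127.0.0.1", 0))
        t = threading.Thread(target=serve_once, args=(srv,))
        t.start()
        out.append(put(srv.getsockname()[1], auth))
        t.join()
        srv.close()
    return out

if __name__ == "__main__":
    print(demo())
```

The first request is rejected with 401 after zero body bytes; only the authenticated retry transmits the 100,000-byte body.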