- From: Jim Whitehead <ejw@soe.ucsc.edu>
- Date: Wed, 4 Jan 2006 14:05:00 -0800
- To: webdav WG <w3c-dist-auth@w3.org>
- Message-Id: <85E49318-4559-415D-9FB2-2D452D17CFAC@cs.ucsc.edu>
Forwarding to the list.

- Jim

Begin forwarded message:

> From: Joe Orton <jorton@redhat.com>
> Date: January 4, 2006 1:58:46 PM PST
> To: w3c-dist-auth@w3.org
> Subject: [Moderator Action] Appendix D comments
>
> Lisa filed an Apache bug concerning the handling of an unsolicited Authorization header. I don't agree with the conclusion that 2617 says the server SHOULD do anything at all in that case.
>
> It is perfectly valid for the server to "accept" and ignore an Authorization header if it has no authentication requirements for the resource. There is no requirement that the server should try and invent some bogus WWW-Authorization challenge to give in that case.
>
> I don't think any of the guidance given in Appendix D of the -10 draft is particularly good. The title itself is pretty bad :) Clients should not "desire to authenticate" in the first place.
>
> The only guidance to implementors that is really relevant to the problem at hand is that servers and proxies should implement 100-continue support properly, so that clients can then rely upon and use that feature to avoid wasting bandwidth (and time) when required to authenticate.
>
> The guaranteed-to-fail-If-Match trick is a nice hack but given that If-Match support in deployed servers is probably worse than 100-continue support I don't see why 2518bis should encourage use of a hack above use of a well-defined HTTP/1.1 protocol feature.
>
> Regards,
>
> joe
Received on Wednesday, 4 January 2006 22:05:11 UTC
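As an added illustration of the behaviour Joe describes (this is example code, not part of his message, of Apache, or of the 2518bis draft), a minimal Python http.server handler that implements Expect: 100-continue properly: when a protected resource needs credentials the client lacks, the 401 goes out before the body is sent, and an unsolicited Authorization header on an unprotected resource is simply accepted and ignored. The protected prefix `/private/` and the credential `alice:s3cret` are constructed for the example.

```python
import base64
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample policy: only /private/ requires authentication.
PROTECTED_PREFIXES = ("/private/",)
VALID_BASIC = base64.b64encode(b"alice:s3cret").decode()  # constructed credential


def expect_decision(path, headers):
    """Decide how to answer a request (or its Expect: 100-continue).

    Returns (status, challenge): 100 when the body may be sent, 401 with a
    WWW-Authenticate challenge when the request will be rejected anyway.
    On an unprotected resource any Authorization header is accepted and
    ignored, so no challenge is invented for it.
    """
    if not path.startswith(PROTECTED_PREFIXES):
        return HTTPStatus.CONTINUE, None
    if headers.get("Authorization", "") == "Basic " + VALID_BASIC:
        return HTTPStatus.CONTINUE, None
    return HTTPStatus.UNAUTHORIZED, 'Basic realm="dav"'


class DavLikeHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _reject(self, status, challenge):
        self.send_response(status)
        self.send_header("WWW-Authenticate", challenge)
        self.send_header("Content-Length", "0")
        self.end_headers()
        self.close_connection = True  # do not wait for a body the client should not send

    def handle_expect_100(self):
        # http.server calls this before reading the body when the client sent
        # Expect: 100-continue; returning False stops the request here.
        status, challenge = expect_decision(self.path, self.headers)
        if status == HTTPStatus.CONTINUE:
            return super().handle_expect_100()  # emits "100 Continue"
        self._reject(status, challenge)
        return False

    def do_PUT(self):
        status, challenge = expect_decision(self.path, self.headers)
        if status != HTTPStatus.CONTINUE:
            # Client skipped Expect: the body already crossed the wire for nothing.
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            return self._reject(status, challenge)
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(HTTPStatus.CREATED)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), DavLikeHandler).serve_forever()
```

Try it with `curl -T somefile -H 'Expect: 100-continue' http://127.0.0.1:8080/private/x` and again without the Expect header to compare when the body is transmitted.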