- From: Peter J Churchyard <pjc@trusted.com>
- Date: Wed, 24 Jan 1996 10:52:23 -0500 (EST)
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Hi, I would like to propose that
WWW-Authenticate and Proxy-Authenticate be replaced by a single
general authenticate construct.

Both WWW and Proxy authenticate have implicitly defined authentication points,
for WWW it is the origin server and for Proxy it is the first proxy that the
client sends the request through. As noted in Section 1.4 there will in general
be multiple intermediaries.

General authenticate has the same syntax as WWW with the addition of an
authentication point loc field. This would specify the origin server
for WWW style auths etc. The semantics are that general auth header
lines are passed through except where the authentication point refers
to this server/intermediary. Note there will be as many general
auth headers as there are authentication points in a path.

WWW and Proxy auth are now just special cases of general auth and 1.1 servers
should be able to handle them; general auth would be preferred.

Client Issues.

Clients are now required to present all general auth requests to the user.

Optimizations.

Where the auth protocol needs one-time challenge response behaviour, you may
end up in a shuttle mode where the request is shuttled back and forward
slowly passing down to authentication points nearer and nearer the server.
An optimization is to allow authentication points to piggyback general auth
requests onto normal replies. So after the initial shuttling, subsequent
requests just flow back and forth.

Pete.
--
"Simplicity is the mark of genius"
Received on Wednesday, 24 January 1996 07:54:51 UTC
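
The shuttle behaviour and the piggyback optimization described in the message above, as an added illustration that is not part of the original post or of any HTTP specification. The host names, the challenge fields, and the rule that points nearer the client re-issue their own challenge on a passed-through rejection are assumptions; echoing the nonce stands in for a real challenge response, and the client answers automatically instead of prompting a user.

```python
import itertools

class AuthPoint:
    """One authentication point (proxy or origin server) on the request path."""
    _ids = itertools.count(1)

    def __init__(self, loc):
        self.loc = loc        # value of the proposed "loc" field (name is hypothetical)
        self.nonce = None     # outstanding one-time challenge, None if none issued

    def fresh_challenge(self):
        self.nonce = f"{self.loc}-n{next(self._ids)}"
        return {"loc": self.loc, "nonce": self.nonce}

    def accepts(self, creds):
        # creds maps loc -> nonce being answered; each nonce is valid only once.
        ok = self.nonce is not None and creds.get(self.loc) == self.nonce
        if ok:
            self.nonce = None
        return ok

def round_trip(path, creds, piggyback):
    """Send one request down the path; return (status, challenges in the reply)."""
    passed = []
    for point in path:
        if not point.accepts(creds):
            # Rejected here. Points nearer the client pass this challenge through
            # (its loc is not theirs) and add a fresh one of their own (assumption).
            return 401, [p.fresh_challenge() for p in passed + [point]]
        passed.append(point)
    # Normal reply: challenges ride along only when piggybacking is enabled.
    challenges = [p.fresh_challenge() for p in path] if piggyback else []
    return 200, challenges

def fetch(path, creds, piggyback):
    """Retry one request until it succeeds; return the round trips it took."""
    for trips in itertools.count(1):
        status, challenges = round_trip(path, creds, piggyback)
        creds.clear()
        creds.update({c["loc"]: c["nonce"] for c in challenges})
        if status == 200:
            return trips

def total_round_trips(n_points, n_requests, piggyback):
    path = [AuthPoint(f"hop{i}.example") for i in range(1, n_points + 1)]
    creds = {}
    return sum(fetch(path, creds, piggyback) for _ in range(n_requests))

if __name__ == "__main__":
    for piggyback in (False, True):
        print("piggyback" if piggyback else "no piggyback",
              total_round_trips(3, 2, piggyback))
```

With three authentication points and two requests, the model takes eight round trips without piggybacking (every request shuttles again) and five with it (only the first request shuttles).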