Re: Proxy authentication

On Sat, 20 Apr 1996, Mez wrote:

> Thanks Roy. I'm glad that the DAA spec is wrong. If proxy authentication
> information is not forced to be stripped, then I believe we can support
> our architecture. I'm sorry I didn't respond to that mail when it went by.
> We clearly disagree about the security needs of the second proxy. You state
> there is no way that it needs to authenticate the UA. The scenario in my
> last mail message to the WG indicates that it does. But as long as the 
> protocol supports it, we can disagree.

I have modified the digest access authentication document so that it
refers to the HTTP/1.1 specification rather than repeating what is in
that specification.  This is what it should have done in the first
place.

This means that the digest authentication document no longer makes any
reference to proxies passing on Proxy-Auth* headers, but instead
refers to the HTTP/1.1 specification.

A diff showing the changes is attached below.  The old version is first
and the new version follows it.

John Franks 	Dept of Math. Northwestern University
		john@math.nwu.edu


***************
*** 557,569 ****
  2.5 Proxy-Authentication and Proxy-Authorization
  
    The digest authentication scheme may also be used for authenticating
!   users to proxies or proxies to end servers.  Unlike the WWW-
!   Authenticate, and Authorization headers, the proxy versions, Proxy-
!   Authenticate and Proxy-Authorization, apply only to the current
!   connection and must not be passed upstream or downstream.  The
!   transactions for proxy authentication are very similar to those
!   already described.  Upon receiving a request which requires
!   authentication, the proxy/server must issue the "HTTP/1.1 401
    Unauthorized" header followed by a "Proxy-Authenticate" header of the
    form
  
--- 559,572 ----
  2.5 Proxy-Authentication and Proxy-Authorization
  
    The digest authentication scheme may also be used for authenticating
!   users to proxies, proxies to proxies, or proxies to end servers by use
!   of the Proxy-Authenticate and Proxy-Authorization headers. These headers
!   are instances of the general Proxy-Authenticate and Proxy-Authorization
!   headers specified in sections 10.30 and 10.31 of the HTTP/1.1
!   specification [2] and their behavior is subject to restrictions
!   described there.  The transactions for proxy authentication are very
!   similar to those already described.  Upon receiving a request which
!   requires authentication, the proxy/server must issue the "HTTP/1.1 401
    Unauthorized" header followed by a "Proxy-Authenticate" header of the
    form
  
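Review bot: The rewritten paragraph still tells the proxy/server to issue "HTTP/1.1 401 Unauthorized" followed by a "Proxy-Authenticate" header, but HTTP/1.1 pairs Proxy-Authenticate with status 407 Proxy Authentication Required and reserves 401 for WWW-Authenticate challenges. Since this paragraph now defers to the HTTP/1.1 specification for the behavior of these headers, the status line quoted here should agree with it. A client that receives 401 will look for WWW-Authenticate and reply with Authorization rather than Proxy-Authorization, so the credentials would be sent in the wrong header. Suggest changing the quoted status to 407 for the proxy case, or stating explicitly which status applies when the challenger is a proxy and which when it is an end server.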

Received on Sunday, 21 April 1996 08:54:35 UTC