- From: Owen Rees <rtor@ansa.co.uk>
- Date: Sat, 25 Mar 1995 00:02:17 +0000
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
zurko@osf.org (Mary Ellen Zurko) writes:

> > The credentials are authorization information; "This request is from <username>
> > who claims the right to access <requested-uri> in <realm>"
>
> I'm not sure I see what sense you consider this authorization
> information. As I pointed out, even clear authentication information
> is an input to authorization decisions, so it's not incorrect to call
> even the digest "information for the authorization decision". It does,
> however, confuse people to call either the digest or the credentials
> (in this case) simply "authorization information".

I think I should have said "The credentials contain authorization information" (rather than "are"). draft-ietf-http-v10-spec-00 says "credentials containing the authentication information" (in 5.4.5 and 10), and I would argue that in both the Basic and Digest schemes, the credentials contain information used both in authentication and in authorization, but not all of the information used in either process.

Since the credentials contain information used for both purposes, it might be better to include the syntax rule for the Authorization header in digest-aa so that "<credentials>" can be used to replace "Authorization" in various places.

I think I was probably reading the capitalised word as an arbitrary token naming the header containing the credentials, without thinking how it would read if the capitalisation were removed or ignored.

Regards,
Owen Rees <rtor@ansa.co.uk>
Information about ANSA is at <URL:http://www.ansa.co.uk/>.

Received on Friday, 24 March 1995 16:25:06 UTC