- From: Mez <zurko@osf.org>
- Date: Sat, 20 Apr 1996 08:36:40 -0400
- To: "Roy T. Fielding" <fielding@avron.ICS.UCI.EDU>, Mary Ellen Zurko <zurko@osf.org>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Thanks Roy. I'm glad that the DAA spec is wrong. If proxy authentication
information is not forced to be stripped, then I believe we can support
our architecture. I'm sorry I didn't respond to that mail when it went by.
We clearly disagree about the security needs of the second proxy. You state
there is no way that it needs to authenticate the UA. The scenario in my
last mail message to the WG indicates that it does. But as long as the
protocol supports it, we can disagree.
Mez
At 05:40 PM 4/19/96 -0700, Roy T. Fielding wrote:
>> Proxy authentication, if I read it right, does not work for architectures
>> with more than one proxy between the browser and server, each with their
>> own security needs.
>
>That is not accurate and was addressed on the list a while back:
>
> <http://www.ics.uci.edu/pub/ietf/http/hypermail/1996q1/0365.html>
>
>> Section 2.5 of the DAA spec says:
>>
>> " the proxy versions, Proxy-
>> Authenticate and Proxy-Authorization, apply only to the current
>> connection and must not be passed upstream or downstream. "
>
>That part of the Digest spec is wrong. The decision of whether or not
>that information is passed along is made by the Proxy. Each proxy
>along the line may forward or interpret or rewrite the proxy-AA header fields.
>
>
> ...Roy T. Fielding
> Department of Information & Computer Science (fielding@ics.uci.edu)
> University of California, Irvine, CA 92717-3425 fax:+1(714)824-4056
> http://www.ics.uci.edu/~fielding/
>
>
>
Received on Saturday, 20 April 1996 05:39:25 UTC