Re: Proxy authentication from Roy T. Fielding on 1996-04-23 (ietf-http-wg@w3.org from April to June 1996)

From: Roy T. Fielding <fielding@avron.ICS.UCI.EDU>
Date: Tue, 23 Apr 1996 10:00:26 -0700
To: Mary Ellen Zurko <zurko@osf.org>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <9604231000.aa08538@paris.ics.uci.edu>

> I was considering whether there would be any problems implementing what we
> needed with proxy authentication in a future version, if the current 
> restrictions are passed. We could authentication the user (agent) to any
> proxy in line before a restricted proxy, but not after, because any
> restricted proxies would throw out proxy-authenticate and proxy-authorization
> headers it didn't understand. While that would work fine for services on
> the user side of, say, a firewall, it would not work for services on the
> service side of a firewall, which we also support. So passing the current
> restrictions would pose problems that we could not overcome in configurations
> involving proxies that support them.

Hmmm, at some point when we have a high-bandwidth connection
(i.e., not e-mail) I'd like to hear an explanation of how you
can authenticate user agents through non-trusted proxies.
As far as HTTP/1.1 goes, we did not intend to support such a
feature because it would be better done within an extensible security
architecture (i.e., that thing Rohit has been working on).

Proxy-Authenticate and Proxy-Authorization are (or should be) defined 
according to the Netscape Proxy implementation.  The current spec is
lacking the wording that I sent in a couple months ago about how the
proxy should forward the field if the credentials do not apply to it.
One problem is that the realm is not sent with the credentials (only
with the challenge), and thus things can still get messed-up if more
than one proxy is demanding credentials on a single request.

> Just who should I be engaging with over this? Roy agrees that the restrictions
> are wrong :-), and John is willing to follow the lead of HTTP 1.1 (though he
> points out some good concerns), and Jim claims he'll make any changes that
> folks agree to. 

I'll update the 1.1 spec, but anything more than Proxy-Authenticate and
Proxy-Authorization will have to wait until a later protocol version.


 ...Roy T. Fielding
    Department of Information & Computer Science    (fielding@ics.uci.edu)
    University of California, Irvine, CA 92717-3425    fax:+1(714)824-4056
    http://www.ics.uci.edu/~fielding/

Received on Tuesday, 23 April 1996 11:24:12 UTC