FW: v11-03 COMMENT: 14 Access Authentication

Meant to include whole WG in reply...

>----------
>From: 	Paul Leach
>Sent: 	Tuesday, May 28, 1996 2:50 PM
>To: 	'David W. Morris'
>Subject: 	RE: v11-03 COMMENT: 14 Access Authentication
>
>Unfortunately (for the suggested repair) the section 18.9 statement is
>the one that is desired. We desire to allow as much caching as is
>secure and easy to specify when using access authentication, so that
>people will not be constrained from using it for performance reasons.
>Hence, not caching the results of an authenticated request is the
>default (for backwards compatibility), but the "specific exceptions" of
>18.9 allow it when the server says it's OK.
>
>The best fix is to add "except when allowed as specified in section
>18.9" to the paragraph of section 14 you cite.
>
>Paul
>----------
>From: 	David W. Morris[SMTP:dwm@shell.portal.com]
>Sent: 	Tuesday, May 28, 1996 8:16 AM
>To: 	http working group
>Subject: 	v11-03 COMMENT: 14 Access Authentication
>
>
>There seems to be a conflict between:
>
>  Proxies MUST be completely transparent regarding user agent
>  authentication. That is, they MUST forward the WWW-Authenticate and
>  Authorization headers untouched, and MUST NOT cache the response to a
>  request containing Authorization.
>
>(approximately 71 lines from the heading in draft -03) and section 
>"18.9 Authorization":
>
>  When a shared cache (see section 16.6) receives a request containing
>  an Authorization field, it MUST NOT return the corresponding response
>  as a reply to any other request, unless one of the following specific
>  exceptions holds: [...]
>
>To resolve the conflict, I would propose the paragraph in section 14 be
>changed to read:
>
>  Proxies MUST be completely transparent regarding user agent
>  authentication. That is, they MUST forward the WWW-Authenticate and
>  Authorization headers untouched, and MUST NOT use a cached response
>  to a request containing Authorization to satisfy a new request except
>  as specified in section 18.9.
>
>Dave Morris
>
>
>

Received on Tuesday, 28 May 1996 15:42:08 UTC