RE: v11-03 COMMENT: 14 Access Authentication

Indeed it did.  I misread it. My mind is still on vacation, I guess.

Sorry about that.

Paul

>----------
>From: 	David W. Morris[SMTP:dwm@shell.portal.com]
>Sent: 	Tuesday, May 28, 1996 3:51 PM
>To: 	Paul Leach
>Subject: 	RE: v11-03 COMMENT: 14 Access Authentication
>
>
>
>On Tue, 28 May 1996, Paul Leach wrote:
>
>> Unfortunately (for the suggested repair) the section 18.9 statement is
>> the one that is desired. We desire to allow as much caching as is secure
>> and easy to specify when using access authentication, so that people
>> will not be constrained from using it for performance reasons. Hence,
>> not caching the results of an authenticated request is the default (for
>> backwards compatibility), but the "specific exceptions" of 18.9 allow it
>> when the server says it's OK.
>> 
>> The best fix is to add "except when allowed as specified in section
>> 18.9" to the paragraph of section 14 you cite.
>
>Isn't that what I did?  In any case, JimG had already made a fix which
>I will forward in case you care to give him early feedback.
>
>Dave
>
>> 
>> Paul
>> >----------
>> >From: 	David W. Morris[SMTP:dwm@shell.portal.com]
>> >Sent: 	Tuesday, May 28, 1996 8:16 AM
>> >To: 	http working group
>> >Subject: 	v11-03 COMMENT: 14 Access Authentication
>> >
>> >
>> >There seems to be a conflict between:
>> >
>> >  Proxies MUST be completely transparent regarding user agent
>> >  authentication. That is, they MUST forward the WWW-Authenticate and
>> >  Authorization headers untouched, and MUST NOT cache the response to a
>> >  request containing Authorization.
>> >
>> >(approximately 71 lines from the heading in draft -03) and section 
>> >"18.9 Authorization":
>> >
>> >  When a shared cache (see section 16.6) receives a request containing
>> >  an Authorization field, it MUST NOT return the corresponding response
>> >  as a reply to any other request, unless one of the following specific
>> >  exceptions holds: [...]
>> >
>> >To resolve the conflict, I would propose the paragraph in section 14 be
>> >changed to read:
>> >
>> >  Proxies MUST be completely transparent regarding user agent
>> >  authentication. That is, they MUST forward the WWW-Authenticate and
>> >  Authorization headers untouched, and MUST NOT use a cached response
>> >  to a request containing Authorization to satisfy a new request except
>> >  as specified in section 18.9.
>> >
>> >Dave Morris
>> >
>> >
>> 
>

Received on Tuesday, 28 May 1996 18:24:52 UTC
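
Added example (not part of the original messages or of the draft): the default-deny rule discussed in this thread, written as the reuse check a shared cache would apply. The thread elides the draft's exception list, so the opt-in directives below are assumed from the later published RFC 7234 section 3.2; the function and sample names are hypothetical, and freshness and validation rules are out of scope.

```python
# Added example: the Authorization rule for shared caches, default deny.
# Assumption: opt-in directives are those of RFC 7234 section 3.2, because
# the draft's own exception list is elided ("[...]") in the thread.
OPT_IN = {"public", "must-revalidate", "s-maxage"}


def parse_cache_control(value):
    """Return {directive: argument-or-None} with lower-cased directive names."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def shared_cache_may_reuse(request_headers, response_headers):
    """May a shared cache answer a different request with this response?

    Only the Authorization rule is checked here, not freshness or validation.
    """
    cc = parse_cache_control(header(response_headers, "Cache-Control"))
    if "no-store" in cc or "private" in cc:
        return False                  # never shareable, whatever else is set
    if header(request_headers, "Authorization") is None:
        return True                   # the rule under discussion does not apply
    return bool(OPT_IN & set(cc))     # authenticated: the server must opt in


# Constructed sample exchanges (not taken from the thread).
AUTH_REQ = {"Authorization": "Basic dXNlcjpwYXNz"}
SAMPLES = [
    ("authenticated, no directive", AUTH_REQ, {}),
    ("authenticated, public", AUTH_REQ, {"Cache-Control": "public, max-age=60"}),
    ("authenticated, s-maxage", AUTH_REQ, {"cache-control": "S-MaxAge=30"}),
    ("authenticated, private+public", AUTH_REQ, {"Cache-Control": "private, public"}),
    ("anonymous", {}, {}),
]

if __name__ == "__main__":
    for label, req, resp in SAMPLES:
        print(f"{label:32} reuse={shared_cache_may_reuse(req, resp)}")
```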