Re: [moore@cs.utk.edu: http digest auth + http 1.1?]

Folks,

I'm sorry I raised this question without looking at the implications.

The HTTP document draft-ietf-http-v11-spec-07.txt has explicit
instructions:

> 19.8.4 Possible Merge With Digest Authentication Draft

> Note that the working group draft for Digest Authentication may be
> processed by the IESG at the same time as this document; we leave it to
> the RFC editor to decide whether to issue a single RFC containing both
> drafts (see section 11.2 for where it would be put); in any case, the
> reference in the reference list will need to be either deleted, or made
> to the appropriate RFC (and section 11.2 deleted).

and then in section 11.2:

> 11.2 Digest Authentication Scheme

> Note for the RFC editor: This section is reserved for including the
> Digest Authentication specification, or if the RFC editor chooses to
> issue a single RFC rather than two RFC's, this section should be
> deleted.

We were asked for confirmation that it was our intent to merge the two
drafts. I don't think we have any other choices than either:

a) delete section 11.2, and ignore 19.8.4
b) edit digest-aa in such a way that it is suitable for inserting into
   v11-spec as a revised section 11.2.

However, on looking over digest-aa, it seems to me that just inserting
it as chapter 11.2 is unworkable; the results would be an unreadable
mess. First, digest-aa repeats many of the definitions of v11-spec,
and has an extensive security considerations section.

I think what we should do is craft a replacement paragraph for section
11.2. I suggest:

"The HTTP/1.1 protocol includes a Digest Authentication
Scheme, which is described in RFC xxxx."

Larry

Received on Monday, 26 August 1996 12:27:48 UTC