- From: David W. Morris <dwm@xpasc.com>
- Date: Thu, 3 Jul 1997 22:39:38 -0700 (PDT)
- To: Dave Kristol <dmk@bell-labs.com>
- Cc: Henrik Frystyk Nielsen <frystyk@w3.org>, http-wg@cuckoo.hpl.hp.com
On Thu, 3 Jul 1997, Dave Kristol wrote: > Henrik Frystyk Nielsen wrote: > > [...] > > The HTTP protocol does not restrict applications to this simple > > challenge-response mechanism for access authentication. Additional > > mechanisms MAY be used, such as encryption at the transport level or via > > message encapsulation, and with additional header fields specifying > > authentication information. However, these additional mechanisms are not > > defined by this specification. > > Proxies MUST be completely transparent regarding user agent authentication > > by origin servers. That is, they MUST forward the WWW-Authenticate and > > Authorization headers untouched, and follow the rules found in section > > 14.8. Both the Proxy-Authenticate and the Proxy-Authorization header fields > > are hop-by-hop headers (see section 13.5.1). > > The "MUST" there would make me unhappy. One of the important functions > of our experimental LPWA service (<http://lpwa.com>) is to deliberately > replace a user-entered escape sequence by a proxy-generated identity, > and one of the places it does so is in the Authorization header. > > I can't think of a good way to say "MUST forward... unless the user > expects otherwise." And I'm on vacation right now, so my brain is > mostly shut down. :-) > Me too ... I have a single user proxy product which is a direct agent for its owner and only user ... I see no reason to restrict the behavior of such a proxy. Dave Morris
Received on Thursday, 3 July 1997 22:42:23 UTC