- From: Koen Holtman <koen@win.tue.nl>
- Date: Wed, 9 Jul 1997 20:40:32 +0200 (MET DST)
- To: Henrik Frystyk Nielsen <frystyk@w3.org>
- Cc: dmk@bell-labs.com, koen@win.tue.nl, dwm@xpasc.com, http-wg@cuckoo.hpl.hp.com

Henrik Frystyk Nielsen:
>
>The trust may be based on some out-of-band agreement which is of no concern
>to HTTP as such.

Yes.

>The only thing that HTTP cares about is that all HTTP
>messages in and out of the proxy are compliant with the protocol.

No. HTTP/1.1 goes to great lengths to define the relation between the
messages in and out of a proxy, and it does this so that people can
come together and say `we now trust each other to use a plain HTTP/1.1
proxy without any extensions'. Throwing out all the MUSTs about the
relation between the proxy input and output would make the spec
useless as a device for trust management in this area.

HTTP/1.1 can only stop caring when nobody uses it to describe trust
relations anymore.

>What about simply saying that
>
>  The WWW-Authenticate and Authorization header fields are end-to-end
>  headers following the rules found in section 14.8 and 14.46. Both the
>  Proxy-Authenticate and the Proxy-Authorization header fields are
>  hop-by-hop headers (see section 13.5.1).
>
>instead of
>
>  Proxies MUST be completely transparent regarding user agent authentication
>  by origin servers. That is, they MUST forward the WWW-Authenticate and
>  Authorization headers untouched, and follow the rules found in section
>  14.8. Both the Proxy-Authenticate and the Proxy-Authorization header
>  fields are hop-by-hop headers (see section 13.5.1).

No. Throwing out the MUST would make the spec less useful. Leaving it
in does no harm; it does not block protocol extensions which violate
the MUST.

>Henrik

Koen.

Received on Wednesday, 9 July 1997 11:43:03 UTC