Re: More comments on draft-ietf-http-authentication-01.txt

> (Life is hard... and then you die.) writes:
> > > 2) How to interpret the URIs in the 'domain' attribute of the Digest
> > > WWW-Authenticate is not clear to me either.  Are the URIs in this
> > > list path prefixes that define protection spaces or must there be
> > > an exact match.  If it is a prefix, what happens if the URI contains a
> > > query part.
> > 
> > An exact match.
> Would not that make this attribute too long to be useful for any real
> use?  If you try to protect one specific server script you have to
> make a domain attribute that lists all possible parameters (query
> part) that this script takes.

Either that, or hope the client does some intelligent guessing. Though
I don't think that the situation is that bad. I'd expect most clients
to note the new protection spaces (i.e. the tuples (host, port, scheme,
realm) ) in any case, so that at worst you get a needless round-trip for
the 401; but at least the user won't be prompted for the username/password
again (which I believe is the main reason for the domain attribute).

> This also brings up another question on how nonce-count and domain
> interact.  If you have a Digest space that spans several servers,
> should the nonce-count be incremented seperately for these servers or
> should they share it?

I've assumed a nonce per protection space (i.e. separate nonces and
nonce-counts above). However, I can't find anything specific in the
spec, so I believe this should be clarified too.



Received on Wednesday, 8 April 1998 17:56:26 UTC