Re: domain attribute in digest auth

> The second change you propose is incompatible with RFC 2069, for which
> implementations exist. Furthermore, it reduces efficiency. For Basic, it had

I guess we disagree on the efficiency issue (I know for the apache module
I've been working on this'll mean usually sending extra bytes over the
wire at the same number of RTs). But yeah, I forgot about rfc-2069, so
I'll shut up.

[snip]
> The first change is backwards compatible, so could probably be made at this
> point if there were consensus. I actually think that one could say that
> it's safe to consider all proxies in the same protection space, regardless
> of what "domain" says. One shouldn't configure one's browser to point at
> proxies to which one wouldn't be willing to send a Digest response. As a
> result, one could almost consider this an implementation issue: clients that
> want to pre-authenticate to all proxies should just do so.

The problem with considering all proxies in the same protection space is
that the browser can then only usefully store a single set of credentials
(if you get a 407 from a different proxy do the new credentials from the
user replace the current credentials? Or should the new credentials only
apply to the new proxy? Or the old credentials only to the old proxy?).
And if you only distinguish by realm then you're making the realm a global
namespace - the realm will have to be unique on all proxies which might
take different auth info (which is doable inside a corporation, I suppose,
but not on a larger scale). So it's not a question of trust, but a
question of being able to (usefully) store multiple credentials for multiple
proxies.


  Cheers,

  Ronald

Received on Thursday, 1 October 1998 00:48:14 UTC
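As an added illustration of the scoping point made in the reply above (example code written for this archive page, not part of the original message or of any browser or proxy implementation), the following simulates a client-side proxy credential cache keyed either by realm alone or by (proxy, realm). The proxy names, realm names and passwords are constructed placeholders.

```python
# Added example: client-side cache of proxy credentials under two scoping
# policies. Realm-only keying treats every proxy as one protection space, so
# the realm string becomes a global namespace; (proxy, realm) keying keeps
# each proxy's credentials separate. All names below are constructed.
from dataclasses import dataclass, field


@dataclass
class Creds:
    user: str
    secret: str


@dataclass
class ProxyCredStore:
    scope_by_proxy: bool           # True: key on (proxy, realm); False: realm only
    _cache: dict = field(default_factory=dict)

    def _key(self, proxy: str, realm: str):
        return (proxy, realm) if self.scope_by_proxy else realm

    def lookup(self, proxy: str, realm: str):
        return self._cache.get(self._key(proxy, realm))

    def store(self, proxy: str, realm: str, creds: Creds) -> None:
        self._cache[self._key(proxy, realm)] = creds


# Constructed "world": each proxy's realm and the credentials it accepts.
# proxy-a and proxy-b both use the realm "corp" but take different passwords.
PROXIES = {
    "proxy-a.example": ("corp", Creds("alice", "pw-a")),
    "proxy-b.example": ("corp", Creds("alice", "pw-b")),
    "proxy-c.example": ("partner", Creds("alice", "pw-c")),
}


def simulate(scope_by_proxy: bool, sequence: list) -> tuple:
    """Walk a sequence of 407 challenges from the named proxies.

    Returns (user_prompts, misdirected): how often the user had to type
    credentials, and how often cached credentials meant for another proxy
    were offered to the wrong one before being rejected and replaced."""
    store = ProxyCredStore(scope_by_proxy)
    prompts = misdirected = 0
    for proxy in sequence:
        realm, accepted = PROXIES[proxy]
        creds = store.lookup(proxy, realm)
        if creds is not None and creds != accepted:
            misdirected += 1       # stale entry from another proxy went out
            creds = None
        if creds is None:
            prompts += 1           # user is asked; the correct creds are stored
            store.store(proxy, realm, accepted)
    return prompts, misdirected
```

With realm-only keying, alternating between two proxies that share a realm name re-prompts on every switch and sends one proxy's credentials to the other; a proxy in a distinct realm does not collide, which is the "realm must be unique across all proxies" condition from the reply.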