- From: Life is hard... and then you die. <Ronald.Tschalaer@psi.ch>
- Date: Thu, 1 Oct 1998 09:44:49 +0200
- To: paulle@microsoft.com, HTTP-WG@hplb.hpl.hp.com
> The second change you propose is incompatible with RFC 2069, for which > implementations exist. Furthermore, it reduces efficiency. For Basic, it had I guess we disagree on the efficency issue (I know for the apache module I've been working on this'll mean usually sending extra bytes over the wire at the same number of RTs). But yeah, I forgot about rfc-2069, so I'll shut up. [snip] > The first change is backwards compatible, so could probably be made at this > point if there were concensus. I actually think that one could say that > it's safe to consider all proxies in the same protection space, regardless > of what "domain" says. One shouldn't configure one's browser to point at > proxies to which one wouldn't be willing to send a Digest response. AS a > result, one could almost consider this an implementation issue: clients that > want to pre-authentication to all proxies should just do so. The problem with considering all proxies in the same protection space is that the browser can then only usefully store a single set of credentials (if you get a 407 from a different proxy do the new credentials from the user replace the current credentials? Or should the new credentials only apply to the new proxy? Or the old credentials only to the old proxy?). And if you only distinguish by realm then you're making the realm a global namespace - the realm will have to be unique on all proxies which might take different auth info (which is doable inside a corporation, I suppose, but not on a larger scale). So it's not a question of trust, but a question being able to (usefully) store multiple credentials for multiple proxies. Cheers, Ronald
Received on Thursday, 1 October 1998 00:48:14 UTC