RE: domain attribute in digest auth

> -----Original Message-----
> From: Ronald.Tschalaer@psi.ch [mailto:Ronald.Tschalaer@psi.ch]
> Sent: Thursday, October 01, 1998 12:45 AM
> 
> [snip]
> > The first change is backwards compatible, so could probably 
> be made at this
> > point if there were  concensus. I actually think that one 
> could say that
> > it's safe to consider all proxies in the same protection 
> space, regardless
> > of what "domain" says. One shouldn't configure one's 
> browser to point at
> > proxies to which one wouldn't be willing to send a Digest 
> response. AS a
> > result, one could almost consider this an implementation 
> issue: clients that
> > want to pre-authentication to all proxies should just do so.
> 
> The problem with considering all proxies in the same 
> protection space is
> that the browser can then only usefully store a single set of 
> credentials
> (if you get a 407 from a different proxy do the new 
> credentials from the
> user replace the current credentials? Or should the new 
> credentials only
> apply to the new proxy? Or the old credentials only to the 
> old proxy?).
> And if you only distinguish by realm then you're making the 
> realm a global
> namespace - the realm will have to be unique on all proxies 
> which might
> take different auth info (which is doable inside a 
> corporation, I suppose,
> but not on a larger scale). So it's not a question of trust, but a
> question being able to (usefully) store multiple credentials 
> for multiple
> proxies.

I don't know of any scenario where I'd want to point my browser at multiple
proxies that aren't in the same protection domain. I don't know how to even
configure any browser to do that. Even so, if need be, realm name space can
be allocated from the DNS name space and hence be globally unique.

Paul

Received on Thursday, 1 October 1998 23:08:03 UTC