- From: David W. Morris <dwm@xpasc.com>
- Date: Thu, 18 Nov 1999 11:04:58 -0800 (PST)
- To: Dave Kristol <dmk@research.bell-labs.com>
- Cc: http-wg@hplb.hpl.hp.com, joshco@exchange.microsoft.com, fielding@kiwi.ICS.UCI.EDU, lawrence@agranat.com, http-wg@cuckoo.hpl.hp.com
On Thu, 18 Nov 1999, Dave Kristol wrote: > "Josh Cohen (Exchange)" <joshco@Exchange.Microsoft.com> wrote: > > Since we're talking about proxies.... > > Im curious to know what others think the right thing > > according to the intent of the 1.1 spec to do is > > in this situation: > > > > If you have two chained proxy servers: > > > > client -> proxy1 -> proxy2 -> origin server > > > > If proxy 2 challenges for proxy-authentication (in its realm), > > should the challenge go back to the client if proxy1 doesnt intend > > to satisfy the challenge ? > > > > My understanding was that the intent was that this situation was > > to be covered. By this I mean a client can auth to a proxy up the chain. > > The spec is somewhat ambiguous, it says the proxy-auth headers are > > hop-by-hop, but then mentions that chained proxy-auth can work. > > My understanding has always been that proxy authentication is strictly > hop-by-hop. So proxy1 should not bump the authentication request up to > the client. After all, it's proxy1 that has a trust relationship with > proxy2, whereas the client may have no such relationship. My recollection matchs DaveK's ... it was acknowledged at the time that the proxy auth was hop-hop only and as I recall the WG rejected an attempt to extend the protocol to accurately allow for proxy authentication thru another proxy. I believe there are cases where Josh's scenario would be valuable but it isn't what was defined. Dave Morris
Received on Thursday, 18 November 1999 11:11:07 UTC