- From: Paul Leach <paulle@windows.microsoft.com>
- Date: Thu, 31 May 2007 14:54:58 -0700
- To: Eric Lawrence <ericlaw@exchange.microsoft.com>, Cyrus Daboo <cyrus@daboo.name>, Henrik Nordstrom <henrik@henriknordstrom.net>
- CC: <ietf-http-wg@w3.org>

A couple of thoughts:

1. The requirements (use of connection-keep-alive, proxy issues, etc) for secure use of per-connection authentication could be described in 2617bis. AFAIK, these could reflect some actual implementation experience.

2. A "shared key" auth method could be introduced that would do per-message security, and a framework whereby mechanisms for negotiating that key could be used -- Kerb/SPNEGO being the obvious ones. There would be severe chicken/egg deployment issues around this, but maybe over the long run it would get adopted.

-----Original Message-----
From: Eric Lawrence
Sent: Thursday, May 31, 2007 2:28 PM

Cyrus--

You're right, but Henrik's point still stands. The existing implementation of Negotiate/NTLM is significantly different than the conventional HTTP authentication "per-message" model. It may be difficult (or undesirable) to roll this into RFC2616.

Received on Thursday, 31 May 2007 21:56:04 UTC