- From: Paul Leach <paulle@windows.microsoft.com>
- Date: Thu, 31 May 2007 17:30:35 -0700
- To: Henrik Nordstrom <henrik@henriknordstrom.net>
- CC: Eric Lawrence <ericlaw@exchange.microsoft.com>, <ietf-http-wg@w3.org>
-----Original Message----- From: Henrik Nordstrom [mailto:henrik@henriknordstrom.net] Sent: Thursday, May 31, 2007 4:08 PM > That was what my second suggestion from the message, part of which you > quoted above, was about. I guess it wasn't clear enough. Good. So lets keep that in mind when talking about RFC2617bis. If Microsoft is willing to rework their authentication schemes so that a future revision fits the HTTP message model, perhaps by using virtual sessions instead of transport connections to identify the authentication session then the need for extending HTTP to officially supporting transport level authentication disappears. [Paul Leach] I don't have anything to do with implementations of HTTP by Microsoft anymore, so I can't say anything about what we might support in the future. But even if we did what you suggest, it would take a long time before any significant number of sites used it, because all sites have to cater to older browsers, from many vendors. > It would be a better approach, but it would still be pretty helpful to > tell people how to interop with the existing approach. The existing RFC is perfectly fine for that purpose. The question here is if the requirements of RFC4559 "SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows" should be on the table while revising the HTTP specifications or not. I say firmly not. [Paul Leach] What requirements are you referring to?
Received on Friday, 1 June 2007 00:31:10 UTC