- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 7 Jul 2009 17:42:07 +1000
- To: Robert Collins <robertc@robertcollins.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Not to argue a particular position WRT #177, but using NTLM is probably a bad example, precisely because it does connection authentication -- thereby breaking HTTP's assumption of statelessness.

Cheers,

On 07/07/2009, at 5:35 PM, Robert Collins wrote:

> On Tue, 2009-07-07 at 17:15 +1000, Mark Nottingham wrote:
>> [ this was raised anonymously ]
>>
>> p7 defers to RFC2617 for the definition of challenge.
>>
>> RFC 2617, section 1.2 says:
>>
>>     challenge = auth-scheme 1*SP 1#auth-param
>>     ...
>>     The authentication parameter realm is defined for all authentication schemes:
>>
>>     realm = "realm" "=" realm-value
>>     realm-value = quoted-string
>>
>>     The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge.
>
> With you so far.
>
>> The interpretation being that challenges (which is what www-authenticate is defined as) MUST contain at least one parameter and that parameter MUST be a realm.
>
> Got that too.
>
>> Is it truly necessary for all authentication schemes to include a 'realm' parameter? If so, it should be documented (e.g., in the section about extension authentication schemes).
>
> I'd have to check, but I'm fairly sure that NTLM doesn't provide a realm in its challenges. I'm also fairly certain, because that scheme does connection authentication, not message authentication, that the intended use - partitioning a single site - doesn't even make sense for that scheme (nor the Negotiate scheme).
>
> -Rob

-- 
Mark Nottingham http://www.mnot.net/
Received on Tuesday, 7 July 2009 07:42:47 UTC
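As an added example (not part of this thread), the Python below parses a WWW-Authenticate value against the RFC 2617 grammar quoted above and reports which schemes challenge without a realm; it goes one step beyond the quoted ABNF by tolerating a bare scheme with no auth-param, which is the NTLM/Negotiate case the reply describes. The header value is constructed for the demonstration.

```python
import re

# RFC 2616/2617 lexical pieces: token and quoted-string (with backslash escapes).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
_SCHEME = re.compile(rf"\s*({TOKEN})\s*")
_PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED})\s*")


def _unquote(value):
    """Strip quotes and backslash escapes from a quoted-string; tokens pass through."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_www_authenticate(header):
    """Parse a WWW-Authenticate field value into [(scheme, {param: value}), ...].

    Follows RFC 2617's 'challenge = auth-scheme 1*SP 1#auth-param' but tolerates a
    bare scheme with no auth-param at all (what NTLM and Negotiate send).
    Parameter names are lower-cased because they are case-insensitive.
    """
    challenges, pos, n = [], 0, len(header)
    while pos < n:
        while pos < n and header[pos] in " \t,":  # separators and empty #-list elements
            pos += 1
        if pos >= n:
            break
        m = _SCHEME.match(header, pos)
        if not m:
            raise ValueError(f"expected auth-scheme at offset {pos}")
        scheme, pos, params = m.group(1), m.end(), {}
        while (m := _PARAM.match(header, pos)):
            params[m.group(1).lower()] = _unquote(m.group(2))
            pos = m.end()
            # A comma followed by 'token=' continues this challenge's auth-params;
            # a comma followed by a bare token starts the next challenge.
            if pos < n and header[pos] == "," and _PARAM.match(header, pos + 1):
                pos += 1
            else:
                break
        if pos < n and header[pos] != ",":
            raise ValueError(f"unexpected {header[pos]!r} at offset {pos}")
        challenges.append((scheme, params))
    return challenges


def schemes_without_realm(header):
    """Schemes in the header that challenge without the realm RFC 2617 calls required."""
    return [s for s, p in parse_www_authenticate(header) if "realm" not in p]


# Constructed sample: two connection-oriented schemes with no realm, then two with one.
SAMPLE = ('Negotiate, NTLM, Basic realm="WallyWorld", '
          'Digest realm="x@y", qop="auth,auth-int", nonce="abc"')

if __name__ == "__main__":
    for scheme, params in parse_www_authenticate(SAMPLE):
        print(scheme, params)
    print("no realm:", schemes_without_realm(SAMPLE))
```

Note that the comma inside the quoted qop value is kept as part of the parameter rather than being taken as a list separator, which is the usual pitfall when splitting this header naively.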