- From: Adrien de Croy <adrien@qbik.com>
- Date: Tue, 07 Jul 2009 20:28:56 +1200
- To: Mark Nottingham <mnot@mnot.net>
- CC: Robert Collins <robertc@robertcollins.net>, HTTP Working Group <ietf-http-wg@w3.org>
I've never seen an NTLM challenge (or Negotiate) with a realm parameter. Realm isn't referred to in RFC 4559 either. I question the validity of requiring that realm be a parameter of every (even new) scheme that has a challenge.

I've never seen a browser use the realm for anything other than a label in a dialog box either.

Regards

Adrien

Mark Nottingham wrote:
> Not to argue a particular position WRT #177, but using NTLM is
> probably a bad example, precisely because it does connection
> authentication -- thereby breaking HTTP's assumption of statelessness.
>
> Cheers,
>
>
> On 07/07/2009, at 5:35 PM, Robert Collins wrote:
>
>> On Tue, 2009-07-07 at 17:15 +1000, Mark Nottingham wrote:
>>> [ this was raised anonymously ]
>>>
>>> p7 defers to RFC2617 for the definition of challenge.
>>>
>>> RFC 2617, section 1.2 says:
>>>
>>>   challenge = auth-scheme 1*SP 1#auth-param
>>>   ...
>>>   The authentication parameter realm is defined for all authentication schemes:
>>>
>>>     realm       = "realm" "=" realm-value
>>>     realm-value = quoted-string
>>>
>>>   The realm directive (case-insensitive) is required for all
>>>   authentication schemes that issue a challenge.
>>
>> With you so far.
>>
>>> The interpretation being that challenges (which is what www-authenticate
>>> is defined as) MUST contain at least one parameter and that parameter
>>> MUST be a realm.
>>
>> Got that too.
>>
>>> Is it truly necessary for all authentication schemes to include a
>>> 'realm' parameter? If so, it should be documented (e.g., in the section
>>> about extension authentication schemes).
>>
>> I'd have to check, but I'm fairly sure that NTLM doesn't provide a realm
>> in its challenges. I'm also fairly certain, because that scheme does
>> connection authentication, not message authentication, that the intended
>> use - partitioning a single site - doesn't even make sense for that
>> scheme (nor the Negotiate scheme).
>>
>> -Rob
>
>
> --
> Mark Nottingham     http://www.mnot.net/
>

--
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Tuesday, 7 July 2009 08:26:10 UTC
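The RFC 2617 challenge grammar quoted in the thread, as an added example that is not part of the original mail or of any WG draft: a small Python parser that checks a WWW-Authenticate value against `auth-scheme 1*SP 1#auth-param` and reports whether a realm is present. The sample challenges and base64 blobs are constructed; they show that a Basic or Digest challenge fits the grammar while a bare `NTLM` or a `Negotiate` token68 blob does not.

```python
import re

# Added helper (not from the thread): parse a WWW-Authenticate value against
# the RFC 2617 challenge grammar
#     challenge  = auth-scheme 1*SP 1#auth-param
#     auth-param = token "=" ( token | quoted-string )
# and report whether it carries the realm parameter RFC 2617 says is required
# for every scheme that issues a challenge.  Quoted-string escapes are
# honoured, so a naive split(",") is avoided.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
SCHEME_RE = re.compile(rf"({TOKEN})(?:\s+(.*))?$", re.S)
PARAM_RE = re.compile(rf"\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED})\s*(?:,|$)")

def parse_challenge(value):
    """Return (scheme, params, strict_ok).

    params maps lowercase names to unquoted values.  strict_ok is True only
    when the whole value fits the grammar above: at least one auth-param and
    nothing left over.  A bare scheme, or the base64 token68 blob that NTLM
    and Negotiate send instead of parameters, fails it.
    """
    m = SCHEME_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a challenge: {value!r}")
    scheme, rest = m.group(1), m.group(2) or ""
    params, pos = {}, 0
    while pos < len(rest):
        pm = PARAM_RE.match(rest, pos)
        if not pm:
            break
        raw = pm.group(2)
        if raw.startswith('"'):  # strip quotes and undo backslash escapes
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        params[pm.group(1).lower()] = raw
        pos = pm.end()
    return scheme, params, bool(params) and pos == len(rest)

def realm_of(value):
    """Realm parameter value, or None when the challenge carries none."""
    return parse_challenge(value)[1].get("realm")

if __name__ == "__main__":
    # Constructed sample challenges; the base64 blobs are placeholders.
    for hdr in ['Basic realm="WallyWorld"',
                'Digest realm="site@example.com", qop="auth,auth-int", nonce="n1"',
                'Basic realm="Say \\"hi\\""', "NTLM", "NTLM YWJjZA==",
                "Negotiate YWJjZA=="]:
        scheme, params, ok = parse_challenge(hdr)
        print(f"{hdr:62} {scheme:10} realm={params.get('realm')!r} strict={ok}")
```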