- From: Robert Collins <robertc@robertcollins.net>
- Date: Tue, 07 Jul 2009 07:36:43 +0000
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Received on Tuesday, 7 July 2009 08:41:03 UTC
On Tue, 2009-07-07 at 17:15 +1000, Mark Nottingham wrote:
> [ this was raised anonymously ]
>
> p7 defers to RFC2617 for the definition of challenge.
>
> RFC 2617, section 1.2 says:
>
>     challenge   = auth-scheme 1*SP 1#auth-param
> ...
> The authentication parameter realm is defined for all authentication
> schemes:
>
>     realm       = "realm" "=" realm-value
>     realm-value = quoted-string
>
> The realm directive (case-insensitive) is required for all
> authentication schemes that issue a challenge.

With you so far.

> The interpretation being that challenges (which is what
> www-authenticate is defined as) MUST contain at least one parameter and
> that parameter MUST be a realm.

Got that too.

> Is it truly necessary for all authentication schemes to include a
> 'realm' parameter? If so, it should be documented (e.g., in the section
> about extension authentication schemes).

I'd have to check, but I'm fairly sure that NTLM doesn't provide a realm
in its challenges. I'm also fairly certain, because that scheme does
connection authentication, not message authentication, that the intended
use - partitioning a single site - doesn't even make sense for that
scheme (nor the Negotiate scheme).

-Rob
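The grammar quoted in the message above can be checked mechanically. The following is an added example, not part of the original thread: it validates a single challenge against the RFC 2617 section 1.2 rules and reports what is missing. The function name `check_challenge` and the sample header values are constructed for illustration, and empty list elements are not handled.

```python
import re

# RFC 2617 section 1.2, as quoted in the thread:
#   challenge   = auth-scheme 1*SP 1#auth-param
#   auth-param  = token "=" ( token | quoted-string )
#   realm       = "realm" "=" realm-value ; realm-value = quoted-string
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"   # RFC 2616 token characters
QUOTED = r'"(?:[^"\\]|\\.)*"'             # quoted-string with backslash escapes
AUTH_PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED})\s*(?:,|$)")

def check_challenge(value):
    """Check one challenge (hypothetical helper, one challenge per value).

    Returns (scheme, params, problems). An empty problems list means the
    challenge has at least one auth-param and a quoted-string realm.
    """
    scheme, _, rest = value.strip().partition(" ")
    params, problems = {}, []
    if not re.fullmatch(TOKEN, scheme):
        return scheme, params, ["auth-scheme is not a token"]
    rest, pos = rest.strip(), 0
    while pos < len(rest):
        m = AUTH_PARAM.match(rest, pos)
        if not m:
            problems.append(f"not an auth-param: {rest[pos:]!r}")
            break
        params[m.group(1).lower()] = m.group(2)  # directive names are case-insensitive
        pos = m.end()
    if not params:
        problems.append("no auth-param (grammar requires 1#auth-param)")
    if "realm" not in params:
        problems.append("no realm directive")
    elif not params["realm"].startswith('"'):
        problems.append("realm-value is not a quoted-string")
    return scheme, params, problems

if __name__ == "__main__":
    # Constructed sample WWW-Authenticate values.
    samples = [
        'Basic realm="WallyWorld"',
        'Digest realm="testrealm@host.com", qop="auth", nonce="abc123"',
        'Basic realm=WallyWorld',
        'NTLM',
        'Negotiate',
    ]
    for s in samples:
        scheme, _, problems = check_challenge(s)
        print(f"{scheme:10} {'ok' if not problems else '; '.join(problems)}")
```

The bare `NTLM` and `Negotiate` challenges fail both the `1#auth-param` rule and the realm requirement under a strict reading of the grammar.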