- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 14 Sep 2010 18:59:02 +0200
- To: Robert Collins <robertc@robertcollins.net>
- CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 07.07.2009 12:47, Robert Collins wrote: > On Tue, 2009-07-07 at 17:42 +1000, Mark Nottingham wrote: >> >> Not to argue a particular position WRT #177, but using NTLM is >> probably a bad example, precisely because it does connection >> authentication -- thereby breaking HTTP's assumption of statelessness. > > Oh it surely is a pain. You don't want to know how ugly making NTLM work > through squid (to NTLM offering servers on the internet) was/is. Pretty > hard to imagine HTTP/SMTP w/NTLM too. > > That said, it exists, and forcing it to add a empty realm would be > pointless IMO - let alone probably fraught and likely to break clients. So maybe we should be pragmatic and say: - the realm is defined for all authentication protocols - SHOULD be provided in the challenge - if not provided, header should be treated as if an empty realm was specified ? Best regards, Julian
Received on Tuesday, 14 September 2010 16:59:39 UTC