Re: #288: Considering messages in isolation from Adrien de Croy on 2011-06-30 (ietf-http-wg@w3.org from April to June 2011)

From: Adrien de Croy <adrien@qbik.com>
Date: Thu, 30 Jun 2011 12:52:51 +1200
To: Julian Reschke <julian.reschke@gmx.de>
CC: Mark Nottingham <mnot@mnot.net>, httpbis Group <ietf-http-wg@w3.org>
Message-ID: <4E0BC8E3.3080808@qbik.com>

How does auth fit in with this, esp any challenge-response based 
authentication or connection-oriented auth.

NTLM clearly requires an assumption that authentication state across 
multiple requests is associated with the connection the requests are 
received on.

Is Digest also a problem with this?

I realise there's not really anything an O-S can do, since a connection 
might have come from a proxy that aggregates clients into the same 
connection.

Does the "Proxy-Support: session-based-authentication" header mess with 
this, IOW do we have a collision here with RFC4559

Regards
Adrien


On 30/06/2011 12:01 a.m., Julian Reschke wrote:
> On 2011-06-28 07:15, Mark Nottingham wrote:
>> Milestone set for -15.
>> ...
>
> Applied with <http://trac.tools.ietf.org/wg/httpbis/trac/changeset/1317>.
>
> I added it to the new section, which now reads:
>
> 2.2.  Message Orientation and Buffering
>
>    Fundamentally, HTTP is a message-based protocol.  Although message
>    bodies can be chunked (Section 6.2.1) and implementations often make
>    parts of a message available progressively, this is not required, and
>    some widely-used implementations only make a message available when
>    it is complete.  Furthermore, while most proxies will progressively
>    stream messages, some amount of buffering will take place, and some
>    proxies might buffer messages to perform transformations, check
>    content or provide other services.
>
>    Therefore, extensions to and uses of HTTP cannot rely on the
>    availability of a partial message, or assume that messages will not
>    be buffered.  There are strategies that can be used to test for
>    buffering in a given connection, but it should be understood that
>    behaviors can differ across connections, and between requests and
>    responses.
>
>    Recipients MUST consider every message in a connection in isolation;
>    because HTTP is a stateless protocol, it cannot be assumed that two
>    requests on the same connection are from the same client or share any
>    other common attributes.
>
>
> Best regards, Julian
>

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
WinGate 7 beta out now - http://www.wingate.com/getlatest/

Received on Thursday, 30 June 2011 00:53:24 UTC