- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 27 Dec 2011 20:11:01 +0100
- To: Mark Nottingham <mnot@mnot.net>
- CC: Larry Masinter <masinter@adobe.com>, Karl Dubost <karld@opera.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 2011-12-24 04:21, Mark Nottingham wrote:
> On 15/12/2011, at 7:58 PM, Larry Masinter wrote:
>
>> ..., it would be helpful if you could identify *specific* parts of the documents where it's important to distinguish between at-the-keyboard-now and at-the-keyboard-sometime.
>>
>> As I said, I think the problem is less with the HTTP documents than it is with other specification writers who are not careful to distinguish client-with-user and autonomous clients. But...
>>
>>
>> http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-17
>>
>>
>>    o  Clients which have been idle for an extended period following
>>       which the server might wish to cause the client to reprompt the
>>       user for credentials.
>>
>>
>> "if they have one"? The server causes the client to???

Adding more context:

   6.1.  Authentication Credentials and Idle Clients

   Existing HTTP clients and user agents typically retain authentication

...that's a bug; user agents are clients in our terminology. Remove "and user agents"?

   information indefinitely.  HTTP/1.1 does not provide a method for a
   server to direct clients to discard these cached credentials.  This
   is a significant defect that requires further extensions to HTTP.
   Circumstances under which credential caching can interfere with the
   application's security model include but are not limited to:

   o  Clients which have been idle for an extended period following
      which the server might wish to cause the client to reprompt the
      user for credentials.

Is there a problem here except that there may be no user around (as Larry pointed out)?

(Note that the above isn't normative text but just examples in the Security Considerations; I'm not sure something needs to be fixed here.)
>>    If the 401 response contains the same challenge as the
>>    prior response, and the user agent has already attempted
>>    authentication at least once, then the user SHOULD be presented the
>>    representation that was given in the response, since that
>>    representation might include relevant diagnostic information.
>>
>>
>> Getting terminology wrong leads to thinks.
>
> Thanks Larry, I think that's a bug.

...assuming there's a user? How do we rephrase it? "interactive user agent"?

Best regards, Julian
Received on Tuesday, 27 December 2011 19:11:42 UTC
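The behaviour the quoted draft text describes, as an added example that is not part of this thread or of the HTTPbis draft: a toy origin server and a toy client exchanging Basic credentials entirely in memory (no sockets). The client retains credentials for a realm indefinitely, applies the "same challenge after an attempt, so show the body" rule, and takes a different branch when it is an autonomous client with nobody to re-prompt. The realm, challenge, user table, password change and 401 body are all constructed for the example; the `Origin`, `UserAgent` and `run_scenarios` names are this example's own, not anything from the draft.

```python
import base64

REALM = "example"                        # constructed realm name
CHALLENGE = 'Basic realm="example"'      # constructed challenge; identical on every 401


def parse_basic(authorization):
    """Decode a Basic Authorization header into (user, password); None if malformed."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


class Origin:
    """Toy origin server: one protected resource and a constructed user table."""

    def __init__(self, users):
        self.users = dict(users)

    def handle(self, headers):
        """Return (status, response_headers, body) for a request carrying `headers`."""
        creds = parse_basic(headers.get("Authorization"))
        if creds and self.users.get(creds[0]) == creds[1]:
            return 200, {}, "secret document"
        # The only tool the server has is another 401 with the same challenge;
        # nothing in HTTP/1.1 lets it tell the client to forget cached credentials.
        return 401, {"WWW-Authenticate": CHALLENGE}, "Login failed: password expired, contact the helpdesk."


class UserAgent:
    """Toy client that retains credentials per realm indefinitely.

    `prompt` is a callable returning (user, password) for an interactive user agent,
    or None for an autonomous client with no user at the keyboard.
    """

    def __init__(self, prompt=None):
        self.prompt = prompt
        self.cache = {}        # realm -> (user, password); never expired by the client
        self.prompts = 0       # how often the user was asked for credentials
        self.shown = []        # 401 bodies presented to the user as diagnostics

    def _authz(self, realm):
        user, password = self.cache[realm]
        return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

    def fetch(self, origin):
        headers = {}
        if REALM in self.cache:
            headers["Authorization"] = self._authz(REALM)
        attempted = "Authorization" in headers   # credentials sent at least once?
        prior_challenge = None
        while True:
            status, rh, body = origin.handle(headers)
            if status != 401:
                return status, body
            challenge = rh["WWW-Authenticate"]
            if attempted and challenge == prior_challenge:
                # Same challenge after an authentication attempt: present the
                # representation, it may carry the diagnostic the user needs.
                self.shown.append(body)
                return status, body
            if self.prompt is None:
                # Nobody to re-prompt: surface the 401 instead of retrying forever.
                return status, body
            self.cache[REALM] = self.prompt(REALM)
            self.prompts += 1
            headers["Authorization"] = self._authz(REALM)
            prior_challenge, attempted = challenge, True


def run_scenarios():
    """Play through the situations discussed in the thread; returns observations."""
    origin = Origin({"alice": "s3cret"})

    # 1. Interactive client: the user types the right password once, then it is cached.
    ua = UserAgent(prompt=lambda realm: ("alice", "s3cret"))
    first = ua.fetch(origin)
    second = ua.fetch(origin)          # served from the cache, no prompt

    # 2. Password changed server-side. The server cannot evict the cached pair;
    #    it can only keep answering 401. The user keeps typing the old password.
    origin.users["alice"] = "n3w-pass"
    stale = UserAgent(prompt=lambda realm: ("alice", "s3cret"))
    stale.cache[REALM] = ("alice", "s3cret")
    third = stale.fetch(origin)        # second 401 repeats the challenge: body is shown

    # 3. Autonomous client with the same stale cache: there is no user to re-prompt.
    bot = UserAgent(prompt=None)
    bot.cache[REALM] = ("alice", "s3cret")
    fourth = bot.fetch(origin)

    return {
        "first": first, "second": second, "prompts_interactive": ua.prompts,
        "third": third, "stale_prompts": stale.prompts, "stale_shown": len(stale.shown),
        "fourth": fourth, "bot_prompts": bot.prompts,
    }
```

Scenario 2 is the "significant defect" the draft names: once a credential pair is cached, the server's only lever is to keep returning 401, and the client decides on its own whether to re-prompt or to display the diagnostic body. Scenario 3 is Larry's point: an autonomous client has nobody to re-prompt, so spec language about "the user" has to say what happens when there isn't one (here, return the 401 and stop rather than loop).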