#271: SHOULD review in p7 from Mark Nottingham on 2012-06-22 (ietf-http-wg@w3.org from April to June 2012)

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 22 Jun 2012 11:44:16 +1000
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <7BA0010A-BF7F-4F19-A8BC-85E327F41146@mnot.net>

As per <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/271>, I'm reviewing our use of SHOULD in the documents; here I also pick on a few MAYs. Where I find issues, I've flagged with EDITORIAL or DESIGN as seems appropriate (I won't open issues for the design ones until we discuss; the editorial ones are considered attached to #271).

2.1

"Requests for protected resources that omit credentials, contain invalid credentials (e.g., a bad password), or partial credentials (e.g., when the authentication scheme requires more than one round trip) SHOULD return a 401 (Unauthorized) response."

EDITORIAL - make the subject of the requirement more obvious, e.g., "Upon a request for a protected resource that omits credentials, contains invalid credentials (e.g., a bad password), or partial credentials (e.g., when the authentication scheme requires more than one round trip), an origin server SHOULD return a 401 (Unauthorized) response.

"Likewise, requests that require authentication by proxies that omit credentials, or contain invalid or partial credentials should return a 407 (Proxy Authentication Required) response. "

EDITORIAL - same as above.

3.1

"If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the representation that was given in the response, since that representation might include relevant diagnostic information."

OK

4.1

"If a request is authenticated and a realm specified, the same credentials SHOULD be valid for all other requests within this realm (assuming that the authentication scheme itself does not require otherwise, such as credentials that vary according to a challenge value or using synchronized clocks)."

Not entirely happy here (the subject of the requirement isn't clear), but don't have much to suggest.

4.2

"Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection and SHOULD NOT be passed on to downstream clients."

EDITORIAL - change to "...current connection, and intermediaries SHOULD NOT forward it to downstream clients."


--
Mark Nottingham   http://www.mnot.net/

Received on Friday, 22 June 2012 01:45:02 UTC