- From: Mike Belshe <mike@belshe.com>
- Date: Mon, 26 Mar 2012 23:42:32 +0200
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CABaLYCu-M98ruPiATPpQgrmSv3LQRt=m-T4Tucoo69bumDAm4g@mail.gmail.com>
On Tue, Mar 20, 2012 at 9:38 PM, Julian Reschke <julian.reschke@gmx.de> wrote:

> Hi,
>
> <http://tools.ietf.org/html/draft-mbelshe-httpbis-spdy-00#section-3.2.3>
> mentions:
>
>    There are four options for proxy authentication, Basic, Digest, NTLM
>    and Negotiate (SPNEGO). The first two options were defined in
>    RFC2617 [RFC2617], and are stateless. The second two options were
>    developed by Microsoft and specified in RFC4559 [RFC4559], and are
>    stateful; otherwise known as multi-round authentication, or
>    connection authentication.
>
> But as far as I can tell, RFC 4559 only defines "Negotiate", not "NTLM".
> (Asking because of
> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-authscheme-registrations-03.html>...)

Maybe you're right. The title of RFC4559 is a little misleading: "SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows"

The reason connection-based auth schemes are problematic in spdy is because you can put two requests on the wire concurrently. If each comes back with its own challenge, the negotiation gets confused. Further, when we're trying to put more requests on the same connection, as SPDY does, the connection-tied auth becomes very brittle.

Mike

> Best regards, Julian
Received on Monday, 26 March 2012 21:43:00 UTC
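
The failure mode described in the message above, as an added example that is not part of the original thread: a simplified model of a server that keeps one pending challenge per connection, exercised first serially and then with two multiplexed streams. The class and function names are hypothetical, the shared secret is constructed, and an HMAC over the challenge stands in for the real NTLM/Negotiate response computation.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-demo-secret"  # constructed shared credential (assumption)


def respond(challenge: bytes) -> bytes:
    """Client proof: HMAC over the server challenge (stand-in for the real scheme)."""
    return hmac.new(SECRET, challenge, hashlib.sha256).digest()


class ConnectionAuthServer:
    """Hypothetical server keeping ONE pending challenge per connection."""

    def __init__(self):
        self.pending = None          # challenge awaiting a response
        self.authenticated = False   # auth result applies to the whole connection

    def negotiate(self) -> bytes:
        # Every unauthenticated request triggers a fresh challenge and
        # replaces whatever handshake was already in progress.
        self.pending = os.urandom(16)
        return self.pending

    def authenticate(self, proof: bytes) -> bool:
        ok = self.pending is not None and hmac.compare_digest(
            proof, respond(self.pending))
        self.pending = None          # handshake state is consumed either way
        self.authenticated = self.authenticated or ok
        return ok


def serial_handshake() -> bool:
    """One request at a time: challenge and response pair up correctly."""
    server = ConnectionAuthServer()
    return server.authenticate(respond(server.negotiate()))


def multiplexed_handshake() -> list:
    """Two streams start the handshake before either one finishes."""
    server = ConnectionAuthServer()
    challenge_1 = server.negotiate()   # stream 1 is challenged
    challenge_3 = server.negotiate()   # stream 3 overwrites the pending state
    return [server.authenticate(respond(challenge_1)),
            server.authenticate(respond(challenge_3))]


if __name__ == "__main__":
    print("serial:", serial_handshake())
    print("multiplexed:", multiplexed_handshake())
```

Keying the handshake state by stream or by request instead of by connection removes the collision, which is what the stateless schemes (Basic, Digest) get for free.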