- From: Alex Rousskov <rousskov@measurement-factory.com>
- Date: Tue, 30 Apr 2013 23:09:17 -0600
- To: IETF HTTP WG <ietf-http-wg@w3.org>
Hello,

These comments are based on the "latest" snapshot dated Mon 29 Apr 2013 03:13:05 PM MDT at
https://svn.tools.ietf.org/svn/wg/httpbis/draft-ietf-httpbis/latest/p7-auth.html

I hope these issues are "editorial in nature".

> For historical reasons, senders MUST only use the quoted-string syntax.

Perhaps this can be relaxed to "MUST only generate", especially since another MUST prohibits proxies from modifying WWW-Authenticate and Authorization header fields.

And here is a list of requirements that are missing an explicit actor on which the requirement is placed. Even though it is often possible to guess the actor, most of these should be easy to rephrase to place the requirement on the intended actor explicitly (e.g., "A proxy MUST" instead of "a header field MUST"):

> each parameter name MUST only occur once per challenge

> This response MUST include a WWW-Authenticate header

> The 407 (Proxy Authentication Required) response message [...] MUST
> include a Proxy-Authenticate header field

> information necessary to authenticate a request MUST be provided in
> the request

> It MUST be included as part of a 407 (Proxy Authentication Required)
> response.

> It MUST be included in 401 (Unauthorized) response messages

Please be careful with "send" and "generate" when fixing the above actorless rules so that the proxies do not accidentally become responsible for policing traffic where unnecessary.

Thank you,

Alex.
Received on Wednesday, 1 May 2013 05:09:48 UTC
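The "generate" versus "use" distinction in the message above has a direct consequence for implementers: a sender that builds a challenge should always emit realm as a quoted-string, while a recipient that merely consumes (or, as a proxy, forwards) a challenge should still accept a token-form realm it did not generate, and should reject a challenge that repeats an auth-param name. The following Python is an added example written for this page; it is not code from the message, the HTTPbis draft, or any named implementation. The function names (parse_challenge, build_challenge, rejects) and the sample header values are constructed for illustration, and the parser deliberately handles only the auth-param form of a single challenge, not token68 payloads or several challenges in one field value.

```python
"""Parse and generate single HTTP authentication challenges.

Recipient side (parse_challenge): accepts realm as token or quoted-string,
rejects duplicate auth-param names within one challenge.
Sender side (build_challenge): always generates realm as a quoted-string.
Names and sample inputs are constructed for this illustration.
"""
import re

# RFC 7230 token and quoted-string productions (the quoted-pair form "\x"
# is accepted inside quoted-string).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
# auth-param = token BWS "=" BWS ( token / quoted-string )
AUTH_PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED_STRING})\s*")
SCHEME = re.compile(rf"\s*({TOKEN})\s*")


def unquote(value):
    """Strip surrounding DQUOTE and resolve quoted-pairs; tokens pass through."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def quote(value):
    """Produce a quoted-string, escaping backslash and DQUOTE."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def parse_challenge(field_value):
    """Parse 'scheme [auth-param *( "," auth-param )]' into (scheme, params).

    Param names are case-insensitive; a repeated name raises ValueError.
    Both realm=foo and realm="foo" are accepted on input. token68 payloads
    (e.g. 'Negotiate abc=') are not handled by this example.
    """
    m = SCHEME.match(field_value)
    if not m:
        raise ValueError("missing auth-scheme")
    scheme, rest, pos, params = m.group(1), field_value[m.end():], 0, {}
    while True:
        # Skip whitespace and empty list elements (",,"), which the #rule permits.
        pos += re.match(r"[\s,]*", rest[pos:]).end()
        if pos >= len(rest):
            break
        pm = AUTH_PARAM.match(rest, pos)
        if not pm:
            raise ValueError(f"malformed auth-param at {rest[pos:]!r}")
        name = pm.group(1).lower()
        if name in params:
            raise ValueError(f"duplicate auth-param {name!r} in challenge")
        params[name] = unquote(pm.group(2))
        pos = pm.end()
        if pos < len(rest) and rest[pos] != ",":
            raise ValueError(f"expected ',' before {rest[pos:]!r}")
    return scheme, params


def build_challenge(scheme, params):
    """Serialize a challenge the way a sender should generate it.

    realm is always a quoted-string; other values are emitted as a token
    when they are a valid token and quoted otherwise.
    """
    parts, seen = [], set()
    for name, value in params.items():
        if name.lower() in seen:
            raise ValueError(f"refusing to generate duplicate auth-param {name!r}")
        seen.add(name.lower())
        if name.lower() == "realm" or not re.fullmatch(TOKEN, value):
            parts.append(f"{name}={quote(value)}")
        else:
            parts.append(f"{name}={value}")
    return f"{scheme} " + ", ".join(parts) if parts else scheme


def rejects(field_value):
    """True if parse_challenge refuses the given field value."""
    try:
        parse_challenge(field_value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample challenges.
    for hdr in ('Basic realm="Secure Area"', "Basic realm=legacy",
                'Digest realm="a", realm="b"'):
        try:
            print(hdr, "->", parse_challenge(hdr))
        except ValueError as exc:
            print(hdr, "-> rejected:", exc)
    print(build_challenge("Basic", {"realm": "Secure Area", "charset": "UTF-8"}))
```

Note that a proxy using parse_challenge only to route or log a 401/407 would not change the bytes it forwards; the strict "generate" behaviour lives in build_challenge, which is the only function an origin server or authenticating proxy needs when it originates the challenge.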