- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 7 May 2013 14:41:44 +1000
- To: Alex Rousskov <rousskov@measurement-factory.com>
- Cc: IETF HTTP WG <ietf-http-wg@w3.org>
Thanks, Alex; I've made these issues #478-481, all editorial.

On 01/05/2013, at 3:09 PM, Alex Rousskov <rousskov@measurement-factory.com> wrote:

> Hello,
>
> These comments are based on the "latest" snapshot dated Mon 29 Apr
> 2013 03:13:05 PM MDT at
> https://svn.tools.ietf.org/svn/wg/httpbis/draft-ietf-httpbis/latest/p7-auth.html
>
> I hope these issues are "editorial in nature".
>
>
>> For historical reasons, senders MUST only use the quoted-string syntax.
>
> Perhaps this can be relaxed to "MUST only generate", especially since
> another MUST prohibits proxies from modifying WWW-Authenticate and
> Authorization header fields.
>
>
> And here is a list of requirements that are missing an explicit actor on
> which the requirement is placed. Even though it is often possible to
> guess the actor, most of these should be easy to rephrase to place the
> requirement on the intended actor explicitly (e.g., "A proxy MUST"
> instead of "a header field MUST":
>
>> each parameter name MUST only occur once per challenge
>
>> This response MUST include a WWW-Authenticate header
>
>> The 407 (Proxy Authentication Required) response message [...] MUST
>> include a Proxy-Authenticate header field
>
>> information necessary to authenticate a request MUST be provided in
>> the request
>
>> It MUST be included as part of a 407 (Proxy Authentication Required)
>> response.
>
>> It MUST be included in 401 (Unauthorized) response messages
>
> Please be careful with "send" and "generate" when fixing the above
> actorless rules so that the proxies do not accidentally become
> responsible for policing traffic where unnecessary.
>
>
> Thank you,
>
> Alex.
>

--
Mark Nottingham http://www.mnot.net/
Received on Tuesday, 7 May 2013 04:42:24 UTC