W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2013

#481, was: WGLC: p7 MUSTs

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sun, 09 Jun 2013 18:57:47 +0200
Message-ID: <51B4B40B.1080800@gmx.de>
To: Alex Rousskov <rousskov@measurement-factory.com>
CC: IETF HTTP WG <ietf-http-wg@w3.org>
On 2013-05-01 07:09, Alex Rousskov wrote:
> Hello,
>      These comments are based on the "latest" snapshot dated Mon 29 Apr
> 2013 03:13:05 PM MDT at
> https://svn.tools.ietf.org/svn/wg/httpbis/draft-ietf-httpbis/latest/p7-auth.html
> I hope these issues are "editorial in nature".
>> For historical reasons, senders MUST only use the quoted-string syntax.
> Perhaps this can be relaxed to "MUST only generate", especially since
> another MUST prohibits proxies from modifying WWW-Authenticate and
> Authorization header fields.


> And here is a list of requirements that are missing an explicit actor on
> which the requirement is placed. Even though it is often possible to
> guess the actor, most of these should be easy to rephrase to place the
> requirement on the intended actor explicitly (e.g., "A proxy MUST"
> instead of "a header field MUST":
>> each parameter name MUST only occur once per challenge

That's a requirement on the validity of a challenge. As such it does not 
depend on the actor.

>> This response MUST include a WWW-Authenticate header
>> The 407 (Proxy Authentication Required) response message [...] MUST
>> include a Proxy-Authenticate header field
>> information necessary to authenticate a request MUST be provided in
>> the request
>> It MUST be included as part of a 407 (Proxy Authentication Required)
>> response.
>> It MUST be included in 401 (Unauthorized) response messages

Similar things can be said about these.

What you seem to ask for is information about what a proxy should do 
when it receives a message that already violates a MUST level 
requirement. That's somewhat orthogonal to the discussion about that 
constitutes a valid message.

I can see why guidelines would be good, but watering down the validity 
requirements doesn't seem to be the right approach.

> ...

Best regards, Julian
Received on Sunday, 9 June 2013 16:58:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:11 UTC