#481, was: WGLC: p7 MUSTs

On 2013-05-01 07:09, Alex Rousskov wrote:
> Hello,
>
>      These comments are based on the "latest" snapshot dated Mon 29 Apr
> 2013 03:13:05 PM MDT at
> https://svn.tools.ietf.org/svn/wg/httpbis/draft-ietf-httpbis/latest/p7-auth.html
>
> I hope these issues are "editorial in nature".
>
>
>> For historical reasons, senders MUST only use the quoted-string syntax.
>
> Perhaps this can be relaxed to "MUST only generate", especially since
> another MUST prohibits proxies from modifying WWW-Authenticate and
> Authorization header fields.

OK.

> And here is a list of requirements that are missing an explicit actor on
> which the requirement is placed. Even though it is often possible to
> guess the actor, most of these should be easy to rephrase to place the
> requirement on the intended actor explicitly (e.g., "A proxy MUST"
> instead of "a header field MUST":
>
>> each parameter name MUST only occur once per challenge

That's a requirement on the validity of a challenge. As such it does not 
depend on the actor.

>> This response MUST include a WWW-Authenticate header
>
>> The 407 (Proxy Authentication Required) response message [...] MUST
>> include a Proxy-Authenticate header field
>
>> information necessary to authenticate a request MUST be provided in
>> the request
>
>> It MUST be included as part of a 407 (Proxy Authentication Required)
>> response.
>
>> It MUST be included in 401 (Unauthorized) response messages

Similar things can be said about these.

What you seem to ask for is information about what a proxy should do 
when it receives a message that already violates a MUST level 
requirement. That's somewhat orthogonal to the discussion about what 
constitutes a valid message.

I can see why guidelines would be good, but watering down the validity 
requirements doesn't seem to be the right approach.

> ...

Best regards, Julian

Received on Sunday, 9 June 2013 16:58:18 UTC
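As an added illustration (not code from the HTTPbis working group or from any HTTP implementation), the following parser applies the two challenge-validity requirements quoted in the thread to a WWW-Authenticate or Proxy-Authenticate field value: each auth-param name may occur only once per challenge, and realm must be generated in quoted-string form (the "historical reasons" sentence quoted above belongs to the realm definition in the p7 draft, RFC 7235 Section 2.2). It follows the distinction drawn in the reply: it records MUST-level violations as facts about the message rather than deciding what a recipient or proxy should do about them. Function names, the Challenge type and the sample header values are all constructed for this example.

```python
"""Validity checks for WWW-Authenticate / Proxy-Authenticate challenges.

Illustration code written for this page. Grammar follows RFC 7230/7235:
  challenge  = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
  auth-param = token BWS "=" BWS ( token / quoted-string )
Parameter names are compared case-insensitively, as RFC 7235 requires.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\\x7f]|\\.)*"'
_SCHEME_RE = re.compile(rf"\s*({_TOKEN})")
# token68 must be the whole remainder of the challenge (followed by ',' or end).
_TOKEN68_RE = re.compile(r"\s+([A-Za-z0-9\-._~+/]+=*)\s*(?=,|$)")
_PARAM_RE = re.compile(rf"\s*({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})\s*")


@dataclass
class Challenge:
    scheme: str
    token68: Optional[str] = None
    params: dict = field(default_factory=dict)    # lower-cased name -> raw value
    problems: list = field(default_factory=list)  # MUST-level violations found


def parse_challenges(field_value: str) -> list:
    """Split a field value into challenges, recording validity violations.

    Raises ValueError only when the value does not fit the grammar at all;
    duplicate parameters and an unquoted realm are recorded, not rejected,
    so the caller can decide how to treat a message that violates a MUST.
    """
    s, pos, out = field_value, 0, []
    while True:
        # Skip list separators (and empty list elements) between challenges.
        while pos < len(s) and s[pos] in " \t,":
            pos += 1
        if pos >= len(s):
            break
        m = _SCHEME_RE.match(s, pos)
        if not m:
            raise ValueError(f"expected auth-scheme at offset {pos}: {s[pos:]!r}")
        ch = Challenge(scheme=m.group(1))
        pos = m.end()
        t = _TOKEN68_RE.match(s, pos)
        if t:
            ch.token68 = t.group(1)
            pos = t.end()
        else:
            while True:
                p = _PARAM_RE.match(s, pos)
                if not p:
                    break
                name, value = p.group(1).lower(), p.group(2)
                if name in ch.params:
                    # "each parameter name MUST only occur once per challenge"
                    ch.problems.append(f"duplicate parameter {name!r}")
                else:
                    ch.params[name] = value
                if name == "realm" and not value.startswith('"'):
                    # sender MUST only generate the quoted-string form for realm
                    ch.problems.append("realm must be a quoted-string")
                pos = p.end()
                # Another auth-param follows only if ',' is followed by name=value;
                # otherwise the comma (if any) starts the next challenge.
                if pos < len(s) and s[pos] == "," and _PARAM_RE.match(s, pos + 1):
                    pos += 1
                else:
                    break
        if pos < len(s) and s[pos] != ",":
            raise ValueError(f"unexpected input at offset {pos}: {s[pos:]!r}")
        out.append(ch)
    return out


def challenge_problems(field_value: str) -> list:
    """Flatten per-challenge violations, prefixed with the auth-scheme."""
    return [f"{c.scheme}: {p}" for c in parse_challenges(field_value) for p in c.problems]


if __name__ == "__main__":
    # Constructed sample field values, not captured traffic.
    for value in ('Basic realm="WallyWorld"',
                  'Basic realm=WallyWorld, Realm="Other"',
                  'Negotiate, Basic realm="x", charset="UTF-8"',
                  "Negotiate YWJjZGVm=="):
        print(value, "->", challenge_problems(value) or "valid")
```

The duplicate-name rule is the one worth enforcing on the receiving side even though the requirement is phrased without an actor: a recipient that silently keeps the first or the last occurrence of realm can disagree with another component that made the opposite choice, so it is better to surface the duplicate than to resolve it quietly.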