W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2013

Re: Authentication over HTTP

From: Nico Williams <nico@cryptonector.com>
Date: Wed, 17 Jul 2013 21:50:44 -0500
Message-ID: <CAK3OfOi_PhjDGbvWxivEYjEhfjiUSSK3_JUSKJh23HcBgbyhGQ@mail.gmail.com>
To: Amos Jeffries <squid3@treenet.co.nz>
Cc: ietf-http-wg@w3.org
On Wed, Jul 17, 2013 at 7:36 PM, Amos Jeffries <squid3@treenet.co.nz> wrote:
> On 18/07/2013 6:00 a.m., Nico Williams wrote:
>> On Wed, Jul 17, 2013 at 12:59 AM, Amos Jeffries <squid3@treenet.co.nz>
>> wrote:
>>> 2) "HTTP auth is broken". Aka the headers dont let me login user X to
>>> proxy
>>> A and proxy B at the same time, in the same chain, with different
>>> credentials all controlled by user X ... seem to be making a few wrong
>>> assumptions about how HTTP works there. Go away and do (1) instead the
>>> user-application ha sa lot more control over end-to-end pathways in
>>> application layer.
>>
>> Oh, I'd never seen this argument.  This is an interesting one because
>> authentication to proxies is very interesting.  So this one is
>> definitely a legitimate argument, and one I would make.  Also, this
>> means I have to think about proxy auth for RESTauth (well, it's
>> straightforward, but I have to add it).  This is very helpful, thanks!
>
>
> The answr may surprise you. HTTP *already* provides teh necessary mechanism
> to do auth like that...

No, I knew about CONNECT.  I've written a CONNECT proxy client for
traversing proxies that need HTTP/Negotiate authentication (which I'll
try to get contributed as open source to curl, if they'll take it).
Received on Thursday, 18 July 2013 02:51:06 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:14 UTC