Re: proxies and forwarding of credentials, was: SECDIR review of draft-ietf-httpbis-p7-auth-24

* Julian Reschke wrote:
>On 2013-10-29 20:35, Stephen Kent wrote:
>> ...
>> In Section 4.3, the text says:
>> A proxy MAY relay
>> the credentials from the client request to the next proxy if that is
>> the mechanism by which the proxies cooperatively authenticate a given
>> request.
>> If, as stated here, a set of proxies cooperatively authenticate a
>> request, then isn’t this a MUST vs. a MAY?
>> ...
>Maybe. I have no experience with proxy authentication, and this piece of 
>text was copied from 
>Perhaps this is a case where we should drop the RFC2119 keywords [...]

Ordinarily a proxy is not supposed to forward the `Proxy-Authorization`
header and an implementation that forwards it by accident fails to meet
the requirements of the specification, so use of RFC 2119 keywords seems
appropriate to me. I also see nothing wrong with the proxy offering an
configuration option to, say, relay the credentials for some users, but
not for others, so this cannot be a MUST. I think the text is fine.
Björn Höhrmann · ·
Am Badedeich 7 · Telefon: +49(0)160/4415681 ·
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · 

Received on Thursday, 31 October 2013 14:30:58 UTC