Re: The Hypertext Transfer Protocol (HTTP) Authentication-Info Header Field

On 28/01/2015 9:56 p.m., Julian Reschke wrote:
> Dear WG,
> when we worked on RFC 7235, we extracted the authentication framework
> from RFC 2617, but failed to realize that the section about the DIGEST
> authentication scheme indeed added another pair of generic header
> fields: (Proxy-)Authentication-Info.
> As a matter of fact, Alexey Melnikov noticed this in time, but back then
> we didn't have the time & energy to do the right thing.
> Today, we have the DIGEST revision coming up in the HTTPAuth WG, and
> that still contains the header field definition
> (<>).
> Furthermore, Alexey's SCRAM draft uses it, but does not reference DIGEST
> (<>,
> although with a minor syntax variation).
> Last weekend I sat down and wrote a tiny draft (5 pages incl.
> boilerplate, ToC, references, whatnot) that makes these header field
> definitions standalone:
> <>
> (*)
> ...with the purpose of
> - allowing DIGEST refer to it instead of in-lining the definition,
> - allowing Alexey to use it, and most importantly
> - having a clear path for RFC 7235bis.
> The last point makes it a candidate for this working group; to be useful
> for the work over in HTTPAuth we'd need to be quick, though; optimally
> IETF LC before the Dallas meeting; given the size of the draft this
> should be possible...
> What do others think?

I think its a good idea.

It is also worth noting at this point that those headers are already in
use in the wild (by Squid at least) for Negotiate scheme in a way that
does not match the ABNF. Instead they just echo back from the server the
accepted "Negotiate <token>" credentials received from the client.

I am not sure exactly why Squid does this, I've queried our dev team to
see if anyone knows.


Received on Wednesday, 28 January 2015 10:00:01 UTC