- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Mon, 02 Mar 2015 14:06:35 +1300
- To: Julian Reschke <julian.reschke@gmx.de>, ietf-http-wg@w3.org
On 2/03/2015 10:44 a.m., Julian Reschke wrote:
> On 2015-02-11 11:10, Amos Jeffries wrote:
>> ...
>>>> Section 4 uses the term "proxy authentication" referencing RFC 7235.
>>>>
>>>> In RFC 7235 there is no definition, and only a vague implied explanation
>>>> of that term via explaining what the 407 status means.
>>>
>>> That's a problem of RFC 7235. This spec would be the wrong place to
>>> address this.
>>>
>>> I think proposed text for rfc7235bis would be great.
>>>
>>>> I believe the text in section 4 should be re-written to match the
>>>> per-header descriptions found in RFC 7235 section 4.3/4.3 paragraph 2.
>>>
>>> Not sure how that would improve things.
>>>
>>>> With mention specifically about how it differs from Authentication-Info
>>>> by being hop-by-hop.
>>>
>>> Hmm, why is it hop-by-hop?
>>
>>
>> First Proxy-Auth* are explicitly hop-by-hop. This not being so violates
>> the principle of least surprise.
>>
>> It would leak the proxies' network credentials related data to the client.
>>
>> With result such as: In a proxy chain of A<-B<-C<-D<-E with different
>> authentications happening in the hop D->C and the hop C->B. If the
>> header was treated as end-to-end D would be participating in the B->C
>> authentication.
>> ...
>
> Now tracked as <https://github.com/httpwg/http-extensions/issues/51>.
>
> Would it be sufficient to steal from
> <http://greenbytes.de/tech/webdav/rfc7235.html#rfc.section.4.3.p.2>:
>
> "Unlike WWW-Authenticate, the Proxy-Authenticate header field applies
> only to the next outbound client on the response chain. This is because
> only the client that chose a given proxy is likely to have the
> credentials necessary for authentication. However, when multiple proxies
> are used within the same administrative domain, such as office and
> regional caching proxies within a large corporate network, it is common
> for credentials to be generated by the user agent and passed through the
> hierarchy until consumed. Hence, in such a configuration, it will appear
> as if Proxy-Authenticate is being forwarded because each proxy will send
> the same challenge set."
>
> rewriting it to:
>
> "However, unlike Authentication-Info, the Proxy-Authentication-Info
> header field applies only to the next outbound client on the response
> chain. This is because only the client that chose a given proxy is
> likely to have the credentials necessary for authentication. However,
> when multiple proxies are used within the same administrative domain,
> such as office and regional caching proxies within a large corporate
> network, it is common for credentials to be generated by the user agent
> and passed through the hierarchy until consumed. Hence, in such a
> configuration, it will appear as if Proxy-Authentication-Info is being
> forwarded because each proxy will send the same challenge set."
>
> ?

Exactly what I was suggesting at the start of the thread, sorry if I wasn't clear.

Yes that works for me (still).

Amos
Received on Monday, 2 March 2015 01:07:12 UTC
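As an added illustration of the hop-by-hop point argued in this thread (constructed example code, not from the thread, Squid, or any RFC text): a model of a response crossing the A<-B<-C<-D<-E chain, where each proxy consumes the Proxy-Authentication-Info it receives from its upstream hop and adds its own for the downstream hop. The `end_to_end_leak` flag, the header values and the chain layout are assumptions made for the example; the flag shows what would reach the client if the header were instead treated as end-to-end.

```python
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]
# Auth headers RFC 7235 scopes to the next hop only; adding
# Proxy-Authentication-Info here is what the thread argues for.
HOP_BY_HOP_AUTH = {"proxy-authenticate", "proxy-authentication-info"}

def relay(upstream: List[Header], own_info: Optional[str],
          end_to_end_leak: bool) -> Tuple[List[Header], List[Header]]:
    """One proxy takes a response from upstream and forwards it downstream.
    Returns (consumed, forwarded). With end_to_end_leak=True the proxy
    wrongly passes Proxy-Authentication-Info through (the bug described)."""
    consumed: List[Header] = []
    forwarded: List[Header] = []
    for name, value in upstream:
        key = name.lower()
        leaks = end_to_end_leak and key == "proxy-authentication-info"
        if key in HOP_BY_HOP_AUTH and not leaks:
            consumed.append((name, value))   # applies to this proxy only
        else:
            forwarded.append((name, value))  # end-to-end, pass it on
    if own_info is not None:  # this proxy authenticated its downstream hop
        forwarded.append(("Proxy-Authentication-Info", own_info))
    return consumed, forwarded

def run_chain(origin: List[Header], proxies: List[Tuple[str, Optional[str]]],
              end_to_end_leak: bool = False
              ) -> Tuple[List[Header], Dict[str, List[Header]]]:
    """Push an origin response through proxies listed upstream-first.
    Returns (headers the final client receives, what each proxy consumed)."""
    seen: Dict[str, List[Header]] = {}
    headers = list(origin)
    for proxy, own_info in proxies:
        seen[proxy], headers = relay(headers, own_info, end_to_end_leak)
    return headers, seen

def proxy_info_values(headers: List[Header]) -> List[str]:
    return [v for n, v in headers if n.lower() == "proxy-authentication-info"]

# Constructed sample for the chain A<-B<-C<-D<-E in the thread: E is the
# origin, D authenticates C, C authenticates B, B forwards to client A.
ORIGIN_E: List[Header] = [("Authentication-Info", 'nextnonce="e1"'),
                          ("Content-Type", "text/plain")]
CHAIN = [("D", 'nextnonce="d-to-c"'), ("C", 'nextnonce="c-to-b"'), ("B", None)]
```

With the hop-by-hop rule, `run_chain(ORIGIN_E, CHAIN)` delivers only the end-to-end Authentication-Info to A, while `end_to_end_leak=True` hands A both D's and C's Proxy-Authentication-Info values.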