W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2020

Re: Internet Draft: HTTP += SASL

From: Rick van Rein <rick@openfortress.nl>
Date: Tue, 21 Jan 2020 11:15:21 +0100
Message-ID: <5E26CF39.7060403@openfortress.nl>
To: Daniel Stenberg <daniel@haxx.se>
CC: "HTTPbis WG (IETF)" <ietf-http-wg@w3.org>, "Henri Manson (ARPA2)" <henri.manson@arpa2.org>
Hello Daniel,

Thanks for reading/commenting.

> 1. RFC2616 is dead, refer to RFC 723X specs instead

*Oops* -- will fix that.

> 2. I would really like to see protocol examples in the spec that
> better explains the flows. I couldn't understand it without reading
> the blog post -
> that features such examples.

Fair enough, will do that.

> 3. The mandatory 403 when not authenticated seems unorthodox. Regular
> HTTP auth returns 401 (or 407 for proxy) when not authenticated.

Indeed.  I was confused by the required inclusion of a challenge, but
didn't know the client recognised a repeat.  Will fix.

> 4. Section 3 wrongly states that Basic and Digest auth uses usernames
> in URIs. They didn't and don't. They speak of user names but they
> don't (have to) come from the URI.

Agreed, what I said is indeed browser behaviour.


Good criticism, thanks!  I will fix this in the next one up.


-Rick
Received on Tuesday, 21 January 2020 10:15:59 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 21 January 2020 10:15:59 UTC