- From: olivier Thereaux <ot@w3.org>
- Date: Mon, 22 Jan 2007 13:20:52 +0900
- To: QA Dev <public-qa-dev@w3.org>
- Cc: w3t-sys Team <w3t-sys@w3.org>
It took me almost half a day thinking there was a bug in the validator, but as I finally found out, there's no bug: by *design* of Digest Auth, the markup validator can not proxy digest authentication like it does for basic authentication. Explanation: Digest auth works in a challenge-response manner. 1) client requests resource 2) server answers 401, gives challenge string, authentication realm 3) client computes response, based on hash of challenge string, realm, user, password, and most importantly here, *queried URI* http://en.wikipedia.org/wiki/Digest_access_authentication So even if the validator can pass the challenge string and realm to the user's browser, and pass the response string back to the server, the response will NOT be accepted by the server, simply because expected_response = hash(challenge, realm, user, password, "http:// www.example.com/foo/bar/") is obviously different from given_response = hash(challenge, realm, user, password, "http:// validator.w3.org/check?uri=http%3A%2F%www.example.com%2Ffoo%2Fbar%2F") Conclusion: bad news, everyone, I think we can't "proxy" digest auth - unless I'm mistaken, and trust me, I'd love to be wrong here. I can't recall who made the first implementation of the auth proxying for the validator. Gerald? Terje? Would you concur? We then have the choice betweem 1) CLIENT <- basic auth -> VALIDATOR <- digest auth -> SERVER (which, arguably, is wrong wrong wrong - we'd be putting the SERVER at risk without their consent. Plus, I'm not even sure it's entirely feasible.) or 2) "sorry, we can not validator resources protected by digest authentication. Use the upload feature of the validator, or install a local instance of the validator in your network, and give access to your resources to that server". Thoughts? Different diagnosis? Is this a showstopper for switching w3.org servers to digest auth, seeing as it's not only going to break validation, but all sorts of services too (xslt, etc.)? -- olivier
Received on Monday, 22 January 2007 04:21:04 UTC