- From: Nick Kew <nick@webthing.com>
- Date: Mon, 22 Jan 2007 14:33:54 +0000
- To: olivier Thereaux <ot@w3.org>
- Cc: QA Dev <public-qa-dev@w3.org>, w3t-sys Team <w3t-sys@w3.org>

On Mon, 22 Jan 2007 13:20:52 +0900
olivier Thereaux <ot@w3.org> wrote:

> It took me almost half a day thinking there was a bug in the
> validator, but as I finally found out, there's no bug: by *design*
> of Digest Auth, the markup validator can not proxy digest
> authentication like it does for basic authentication.

'ang on! What's the usage scenario for proxying digest auth?

> We then have the choice between
>
> 1) CLIENT <- basic auth -> VALIDATOR <- digest auth -> SERVER
> (which, arguably, is wrong wrong wrong - we'd be putting the SERVER
> at risk without their consent. Plus, I'm not even sure it's entirely
> feasible.)

Oh, you mean sending an authentication challenge to $user for a page
that's protected by digest auth. That requires us to have a valid
username/password. The only way to collect that securely would be
over https.

> 2) "sorry, we can not validate resources protected by digest
> authentication. Use the upload feature of the validator, or install
> a local instance of the validator in your network, and give access
> to your resources to that server".

Seems preferable. Digest authentication is, broadly speaking, for
users who care about their access control.

OTOH, that's not proxying you're talking about, and you *can* proxy
digest auth. Not that I'd recommend turning v.w.o into something the
nastybots would identify as an open proxy :-)

--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

Received on Monday, 22 January 2007 14:34:05 UTC
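
The design property discussed in this thread, as an added example that is not part of the original e-mail: under RFC 2617 the Digest answer is computed over the method and URI of one specific request, so an answer the browser computes for its request to the validator does not verify at the origin server, whereas a Basic header is the same for every request. The user, password, realm, nonce values and both URIs are constructed sample values, and the `/check?uri=...` form of the validator request is an assumption.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")  # secret part: needs the password
    ha2 = md5_hex(f"{method}:{uri}")             # binds the answer to one request
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def basic_header(user, password):
    """Basic credentials: the same header value for every URI and every hop."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample values (assumptions, not taken from the thread).
USER, PASSWORD, REALM = "alice", "s3cret", "private"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e", "00000001", "0a4f113b"
ORIGIN_URI = "/protected/page.html"
VALIDATOR_URI = "/check?uri=http%3A%2F%2Fexample.org%2Fprotected%2Fpage.html"

def origin_accepts(response, method, uri):
    """Origin server check: recompute the digest for the request it received."""
    expected = digest_response(USER, REALM, PASSWORD, method, uri,
                               NONCE, NC, CNONCE)
    return hmac.compare_digest(response, expected)

def relay_scenario():
    """Return (relayed_ok, own_ok) for the two ways the validator could answer."""
    # The browser answers the relayed challenge for the request it actually
    # sends, which goes to the validator, not to the origin server.
    browser_resp = digest_response(USER, REALM, PASSWORD, "GET", VALIDATOR_URI,
                                   NONCE, NC, CNONCE)
    relayed_ok = origin_accepts(browser_resp, "GET", ORIGIN_URI)
    # Only a party holding the password (or HA1) can answer for the origin
    # URI, which is why the validator would have to collect the credentials.
    own_resp = digest_response(USER, REALM, PASSWORD, "GET", ORIGIN_URI,
                               NONCE, NC, CNONCE)
    own_ok = origin_accepts(own_resp, "GET", ORIGIN_URI)
    return relayed_ok, own_ok

if __name__ == "__main__":
    print("relayed answer accepted: %s, own answer accepted: %s" % relay_scenario())
```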