- From: Florent Georges <fgeorges@fgeorges.org>
- Date: Wed, 16 Dec 2009 13:15:02 +0100
- To: XProc Comments <public-xml-processing-model-comments@w3.org>

Hi,

The current draft for p:http-request says:

    If the username attribute is specified, the username, password,
    auth-method, and send-authorization attributes are used to handle
    authentication as per [RFC 2617].

It seems too restrictive to me, as other authentication methods than RFC 2617 can be used. The text later says:

    The interpretation of auth-method values on c:request other than
    “Basic” or “Digest” is implementation-defined.

but it is not clear IMHO whether the implementation-defined behaviour must be kept within the scope of RFC 2617.

I guess something like the following would be more clear:

    If the username attribute is specified, the username, password,
    auth-method, and send-authorization attributes are used to handle
    authentication, depending on the chosen authentication method.

    [...]

    If the authentication method is either "basic" or "digest",
    authentication is handled as per [RFC 2617].

Furthermore, it is not said that the value of auth-method is case-insensitive (which I guess is the intention).

Last but not least, shouldn't we reserve the method "token" for the standardization-in-progress "HTTP Authentication: Token Access Authentication", the IETF standardization of the popular (and counting) OAuth method:

    http://xml.coverpages.org/draft-hammer-http-token-auth-00.txt

Regards,

-- 
Florent Georges
http://www.fgeorges.org/

Received on Wednesday, 16 December 2009 12:15:33 UTC
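
The auth-method handling discussed in the message above, as an added example that is not part of the original e-mail or of the XProc specification: it matches the method name case-insensitively (an assumption, following the message's reading of the intent), handles "basic" and "digest" per RFC 2617, and treats every other value as implementation-defined by refusing it unless a handler was registered. The function names and the `extensions` parameter are hypothetical; the sample credentials are the ones used in RFC 2617's own examples.

```python
import base64
import hashlib

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def basic_header(username, password):
    # RFC 2617 section 2: base64 of "username:password"
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def digest_response(username, password, http_method, uri, challenge, cnonce, nc="00000001"):
    # RFC 2617 section 3.2.2 (MD5 algorithm, qop absent or "auth")
    ha1 = _md5(f"{username}:{challenge['realm']}:{password}")
    ha2 = _md5(f"{http_method}:{uri}")
    if challenge.get("qop") == "auth":
        return _md5(f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return _md5(f"{ha1}:{challenge['nonce']}:{ha2}")

def authorization_for(auth_method, username, password, http_method="GET",
                      uri="/", challenge=None, cnonce=None, extensions=None):
    # Assumption: auth-method is matched case-insensitively, as the message suggests.
    method = auth_method.strip().lower()
    if method == "basic":
        return basic_header(username, password)
    if method == "digest":
        if challenge is None:
            raise ValueError("digest needs the server's WWW-Authenticate challenge")
        resp = digest_response(username, password, http_method, uri, challenge, cnonce)
        fields = [f'username="{username}"', f'realm="{challenge["realm"]}"',
                  f'nonce="{challenge["nonce"]}"', f'uri="{uri}"']
        if challenge.get("qop") == "auth":
            fields += ["qop=auth", "nc=00000001", f'cnonce="{cnonce}"']
        return "Digest " + ", ".join(fields + [f'response="{resp}"'])
    # Anything else is implementation-defined: only explicitly registered handlers run.
    handler = (extensions or {}).get(method)
    if handler is None:
        raise ValueError(f"unsupported auth-method: {auth_method!r}")
    return handler(username, password)

# Sample challenge and credentials from the RFC 2617 section 3.5 example.
RFC_CHALLENGE = {"realm": "testrealm@host.com", "qop": "auth",
                 "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093"}

if __name__ == "__main__":
    print(authorization_for("BASIC", "Aladdin", "open sesame"))
    print(authorization_for("Digest", "Mufasa", "Circle Of Life",
                            uri="/dir/index.html", challenge=RFC_CHALLENGE, cnonce="0a4f113b"))
```
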