- From: Yaron Goland <yarong@microsoft.com>
- Date: Mon, 26 Jan 1998 15:41:54 -0800
- To: "'ejw@ics.uci.edu'" <ejw@ics.uci.edu>, "'Larry Masinter'" <masinter@parc.xerox.com>
- Cc: "'Roy T. Fielding'" <fielding@kiwi.ics.uci.edu>, w3c-dist-auth@w3.org
The spec has been altered as specified. Yaron > -----Original Message----- > From: Jim Whitehead [SMTP:ejw@ics.uci.edu] > Sent: Monday, January 26, 1998 11:40 AM > To: Yaron Goland; 'Larry Masinter' > Cc: 'Roy T. Fielding'; w3c-dist-auth@w3.org > Subject: RE: v6: don't use Authorization in examples > > Well, actually, I think some of the use of Digest authentication in > examples should stay in the spec. Examples have a strong normative > influence on implementations, and since we are requiring support of Digest > > authentication, it should be used in some of the examples. Furthermore, > by > using Digest in some of our examples, it demonstrates that Digest > authentication isn't just window dressing in the Security Considerations > section. > > However, the point is well taken that other forms of authentication are > very likely to develop over the lifetime of the WebDAV protocol, such as > those based on biometric information (e.g., lost cost fingerprinting, > eventually ~$10/device in volume, at: > http://www.whovision.com/info_fr.html), or in an underlying protocol, and > hence not all examples should use Digest authentication for their > authentication. > > So, my proposal is to remove the Authorization header from the examples in > > the following sections: > > 5.7.1 (Write Lock Token), 7.11.4 (MOVE collection). > > These sections should have a brief note which states, > > "In this example, user agent authentication has previously occurred via a > mechanism outside the scope of the HTTP protocol, in an underlying > transport layer. > > However, I feel we should keep the Digest Authorization headers in the > LOCK > and UNLOCK examples of Sections 7.12.9, 7.12.10, 7.12.11, and 7.13.1 to > drive home the point that these methods require authentication to have any > > meaning. > > > > I believe that the details of digest authentication are being > > > tweaked (yes, even at the last minute) so that it's risky > > > to include examples unless you're prepared to update them. > > Since WebDAV is using RFC 2069 as its reference for Digest authentication, > > and the Draft Standard version of Digest auth. is not yet complete (or > even > in working group last call), for the time being the Digest examples do not > > need to be synched with these changes. > > - Jim
Received on Monday, 26 January 1998 18:42:15 UTC