W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > January to March 1998

RE: v6: don't use Authorization in examples

From: Yaron Goland <yarong@microsoft.com>
Date: Mon, 26 Jan 1998 15:41:54 -0800
Message-ID: <3FF8121C9B6DD111812100805F31FC0D0113C70F@red-msg-59.dns.microsoft.com>
To: "'ejw@ics.uci.edu'" <ejw@ics.uci.edu>, "'Larry Masinter'" <masinter@parc.xerox.com>
Cc: "'Roy T. Fielding'" <fielding@kiwi.ics.uci.edu>, w3c-dist-auth@w3.org
The spec has been altered as specified.

> -----Original Message-----
> From:	Jim Whitehead [SMTP:ejw@ics.uci.edu]
> Sent:	Monday, January 26, 1998 11:40 AM
> To:	Yaron Goland; 'Larry Masinter'
> Cc:	'Roy T. Fielding'; w3c-dist-auth@w3.org
> Subject:	RE: v6: don't use Authorization in examples
> Well, actually, I think some of the use of Digest authentication in 
> examples should stay in the spec.  Examples have a strong normative 
> influence on implementations, and since we are requiring support of Digest
> authentication, it should be used in some of the examples.  Furthermore,
> by 
> using Digest in some of our examples, it demonstrates that Digest 
> authentication isn't just window dressing in the Security Considerations 
> section.
> However, the point is well taken that other forms of authentication are 
> very likely to develop over the lifetime of the WebDAV protocol, such as 
> those based on biometric information (e.g., lost cost fingerprinting, 
> eventually ~$10/device in volume, at: 
> http://www.whovision.com/info_fr.html), or in an underlying protocol, and 
> hence not all examples should use Digest authentication for their 
> authentication.
> So, my proposal is to remove the Authorization header from the examples in
> the following sections:
> 5.7.1 (Write Lock Token), 7.11.4 (MOVE collection).
> These sections should have a brief note which states,
> "In this example, user agent authentication has previously occurred via a 
> mechanism outside the scope of the HTTP protocol, in an underlying 
> transport layer.
> However, I feel we should keep the Digest Authorization headers in the
> and UNLOCK examples of Sections 7.12.9, 7.12.10, 7.12.11, and 7.13.1 to 
> drive home the point that these methods require authentication to have any
> meaning.
> > > I believe that the details of digest authentication are being
> > > tweaked (yes, even at the last minute) so that it's risky
> > > to include examples unless you're prepared to update them.
> Since WebDAV is using RFC 2069 as its reference for Digest authentication,
> and the Draft Standard version of Digest auth. is not yet complete (or
> even 
> in working group last call), for the time being the Digest examples do not
> need to be synched with these changes.
> - Jim
Received on Monday, 26 January 1998 18:42:15 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:01:12 UTC