Re: Interop issue: how can clients force authentication? from Stefan Eissing on 2002-09-18 (w3c-dist-auth@w3.org from July to September 2002)

From: Stefan Eissing <stefan.eissing@greenbytes.de>
Date: Wed, 18 Sep 2002 10:23:29 +0200
To: "Lisa Dusseault" <lisa@xythos.com>
Cc: "'Clemm, Geoff'" <gclemm@rational.com>, "'Webdav WG'" <w3c-dist-auth@w3c.org>
Message-Id: <E95E4968-CADF-11D6-9F78-00039384827E@greenbytes.de>

Am Mittwoch den, 18. September 2002, um 08:14, schrieb Lisa Dusseault:

>
>
>> Actually, I'd suggest a simple logical contradition, i.e.:
>>
>> If: ("A" Not "A")
>>
> ....
>>
>> etag support isn't required, and locking support isn't required,
>> but support for the If header is required.
>
> I'm not so sure a server will implement the If header if it doesn't
> implement locking.  I'd agree it's required, but it may not be there.
> And there's certainly no requirement now that servers do authentication
> checks when they do If checks.  That's not required by RFC2518 -- e.g.
> if the If test fails because it's logically impossible, then why bother
> authenticating?

First, I bet that 100% of all non-broken, existing servers do
authentication checks before looking at the request resource and
its properities like locks. It's the sensible thing to do, as a
user might not even have read permission on the resource. So
one probably should prevent him/her from finding out about the lock
status of the resource.

Second, there is no requirement at the moment. But then, we are
talking about new requirements for servers. The orginal proposal
wants to introduce a new HTTP header, if I remember correctly.
If checking authentication first is the sensible thing to do
for security reasons, then 2518 bis should say so.

If you compare the two existing proposal, you'd find that
the invalid IF Header will work against all current servers
which:
1) check IF header (that will be all servers with locking)
2) check authentication before everything else

whereas the new Enforce Header will only work against
future servers which implement the feature.

It would therefore be interesting to hear what client implementors
think about the two proposals.

> This seems like trying to fit a round peg in a square hole.

Engineering answer: that is no problem if the diameter is
equal or less than the side of the square.

//Stefan

>>
>> So I suggest we check whether any server which does the If check
>> before it does an authentication check.  It certainly shouldn't,
>> since the success or failure of the If check tells you something
>> about the resource which you probably shouldn't know if you are
>> not authenticated.
>>
>> I would have no objection to adding a statement to 2518bis that
>> states that a server SHOULD do authentication checks before any
>> If checks.
>>
>> Cheers,
>> Geoff
>
>

Received on Wednesday, 18 September 2002 04:24:10 UTC