Another issue on SASL draft

I just noticed something else I don't understand in the SASL draft.
Can you clarify?

Example 6, in section 4.7.6, shows the client attempting to
authenticate but without using the CONNECT request. So far so good --
the client doesn't want a SASL layer, the client simply wants to
authenticate. The last GET request in the example shows no
WWW-Authenticate header, thus no authorization information -- yet the
server responds successfully. Shouldn't every request include the
WWW-Authenticate header, until the point where the client decides to
"log out"?

This problem wouldn't exist if the 235 error was removed and if SASL
worked like Digest/Basic -- the 2nd GET request would clearly contain
the authentication, and the response would be 200 OK.

Lisa

Received on Monday, 3 May 2004 15:24:12 UTC