- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sat, 15 Oct 2005 21:35:22 +0200
- To: w3c-dist-auth@w3.org
- Message-ID: <435159FA.4080308@gmx.de>
Proposed resolution for
<http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=18>:
History:
The "force-authenticate" request header was initially proposed by Ilya
Kirnos, and we had a discussion about this back three years ago
<http://lists.w3.org/Archives/Public/w3c-dist-auth/2002JulSep/thread.html#291>).
As far as I can tell, the consensus back then was not to define a new
header, but to make use of an "If" request header that was known to
alway evaluate to false instead.
In January 2003, the WG had an interim meeting hosted by Apple, during
which the problem was discussed again. Unfortunately, there doesn't seem
to be any public record of what was discussed on the second day (which
AFAIR was the day we discussed this topic). (Minutes for day one in
<http://lists.w3.org/Archives/Public/w3c-dist-auth/2003JanMar/0075.html>).
The "Force-Authentication" header was then introduced in draft 03
(<http://greenbytes.de/tech/webdav/draft-ietf-webdav-rfc2518bis-03.txt>),
but I can't find any record of a consensus reached on the mailing list.
I therefore propose to remove the header from the spec, encouraging
those who feel that this feature is needed to solve a real-world problem
to restart the discussion on the mailing list (containing a precise
problem statement, and an analysis why the current spec isn't sufficient
in this regard).
In addition to removing section 9.4, further changes would be:
Section 17., para. 11:
OLD:
A resource can explicitly advertise its support for the revisions to
RFC2518 made in this document. In particular, this allows clients to
use the Force-Authentication header on requests. Class 1 must be
supported as well. Class 2 MAY be supported.
NEW:
A resource can explicitly advertise its support for the revisions to
RFC2518 made in this document. Class 1 must be supported as well.
Class 2 MAY be supported.
Section 17., para. 13:
OLD:
o the Force-Authentication header.
o Any behavior that it supports, in the manner specified in this
document, rather than in the manner specified in RFC2518, for all
client requests. A server MAY use an older behavior for specific
clients that are discovered to have interoperability problems with
the requirements of this specification, but MUST NOT use an older
behavior indiscriminately.
NEW:
o Any behavior that it supports, in the manner specified in this
document, rather than in the manner specified in RFC2518, for all
client requests. A server MAY use an older behavior for specific
clients that are discovered to have interoperability problems with
the requirements of this specification, but MUST NOT use an older
behavior indiscriminately.
Section 21., para. 8:
OLD:
Valuable contributions to RFC2518 bis came from some already named.
New contributors must also be gratefully acknowledged. Julian
Reschke, Geoff Clemm, Joel Soderberg, and Dan Brotsky hashed out
specific text on the list or in meetings. Ilya Kirnos supplied text
for Force-Authentication header. Joe Hildebrand contributed as co-
chair.
NEW:
Valuable contributions to RFC2518 bis came from some already named.
New contributors must also be gratefully acknowledged. Julian
Reschke, Geoff Clemm, Joel Soderberg, and Dan Brotsky hashed out
specific text on the list or in meetings. Joe Hildebrand contributed
as co-chair.
Best regards, Julian
--- draft-ietf-webdav-rfc2518bis-07.xml 2005-10-15 19:19:46.000000000 +0100
+++ rfc2518bis-08-bug18.xml 2005-10-15 20:29:23.000000000 +0100
@@ -3112,23 +3112,7 @@
to the remote server using PUT/PROPPATCH or another mechanism.
</t>
</section>
-
- <section title="Force-Authentication Header">
- <t>
- Force-Authentication = "Force-Authentication" ":" Method
- </t>
- <t>
- The Force-Authentication request header is used with the OPTIONS method to
- specify that the client wants to be challenged for authentication
- credentials to the resource identified by the Request-URI. If
- present on a request to a WebDAV-compliant resource, the server MUST
- respond with either 401 (Unauthorized) or 501 (Not Implemented)
- status code. The Method value is used for the client to indicate
- what method it intends to use first on the resource identified in
- the Request-URI.
- </t>
- </section>
-
+
<section title="If Header">
<figure>
<artwork>
@@ -4832,15 +4816,13 @@
<section title="Class 'bis'">
<t>
A resource can explicitly advertise its support for the revisions to
- RFC2518 made in this document. In particular, this allows clients to
- use the Force-Authentication header on requests. Class 1 must be
+ RFC2518 made in this document. Class 1 must be
supported as well. Class 2 MAY be supported.
</t>
<t>
A resource that supports bis MUST support:
</t>
<t><list style="symbols">
- <t>the Force-Authentication header. </t>
<t>Any behavior that it supports, in the manner specified in this
document, rather than in the manner specified in RFC2518, for all
client requests. A server MAY use an older behavior for specific
@@ -5200,8 +5182,7 @@
Valuable contributions to RFC2518 bis came from some already named.
New contributors must also be gratefully acknowledged. Julian
Reschke, Geoff Clemm, Joel Soderberg, and Dan Brotsky hashed out
- specific text on the list or in meetings. Ilya Kirnos supplied text
- for Force-Authentication header. Joe Hildebrand contributed as
+ specific text on the list or in meetings. Joe Hildebrand contributed as
co-chair.
</t>
</section>
Received on Saturday, 15 October 2005 19:36:06 UTC