- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Mon, 31 Oct 2005 19:14:47 +0100
- To: Jim Whitehead <ejw@soe.ucsc.edu>
- CC: Geoffrey M Clemm <geoffrey.clemm@us.ibm.com>, webdav <w3c-dist-auth@w3.org>

Jim Whitehead wrote:
> There are two issues with Expect 100-continue:
>
> * It is only permitted for methods with request bodies -- it would be
> far better for a client to have a single mechanism that worked for all
> methods.

Well, it only has an *effect* for messages with request bodies.

> * The server's behavior after sending a final status code (i.e., a 4xx)
> is not great -- either read the entire request body and send to
> /dev/null, or drop the TCP connection. It would be far better if the
> client never sent the request body in the first place.

My understanding was that the client will never send the body if it doesn't get the 100 Continue.

> * From reading the HTTP specification, it's really unclear to me how
> Expect 100-continue works with proxy authentication. It almost seems as
> if this mechanism allows you to bypass proxy authentication.
>
> However, I still think the right action here is:
>
> * Create a new appendix in 2518bis
> * In this appendix, document the problem
> * Describe the known approaches for addressing the problem (If approach,
> 100-continue approach) and their issues
> * Create a separate draft focusing just on the Force-Authenticate
> approach, and discuss on HTTP-WG list.
>
> Julian seems to think this is an OK approach. Geoff seems to think this
> is OK. Jim Luther agrees with the separate draft part.
>
> Dang if that doesn't seem like something approaching rough consensus to me.

Sounds good.

Best regards, Julian

Received on Monday, 31 October 2005 18:15:48 UTC