Authentication in HTTP 1.1

Hi, I would like to propose that 
	WWW-Authenticate and Proxy-Authenticate be replaced by a single
	general authenticate construct.

Both WWW and Proxy authenticate have implicitly defined authentication points,
for WWW it is the origin server and for Proxy it is the first proxy that the
client sends the request through. As noted in Section 1.4 there will in general
be multiple intermediaries.

	general authenticate has the same syntax as WWW with the addition of an
	authentication point loc field. This would specify the origin server
	for WWW style auths etc. The semantics are that general auth header
	lines are passed through except where the authentication point refers
	to this server/intermediary. Note there will be as many general
	auth headers as there are authentication points in a path.

WWW and Proxy auth are now just special cases of general auth and 1.1 servers
should be able to handle them, general auth would be preferred.

Client Issues.

Clients are now required to present all general auth requests to the user.

Optimizations.

Where the auth protocol needs one-time challenge response behaviour, you may
end up in a shuttle mode where the request is shuttled back and forward 
slowly passing down to authentication points nearer and nearer the server.

An optimization is to allow authentication points to piggyback general auth
requests onto normal replies. So after the initial shuttling, subsequent
requests just flow back and forth.

Pete.
-- 
The TIS Network Security Products Group has moved!
voice: 301-527-9500 x123 fax: 301-527-0482
2277 Research Boulevard, 5th Floor, Rockville, MD 20850

Received on Wednesday, 24 January 1996 10:09:02 UTC
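
The pass-through and piggyback behaviour proposed in the message above, as an added simulation that is not part of the original post. The `General-Authenticate` header name, the `OneTime` scheme, the `nonce` parameter and the host names are assumptions; a nonce is treated as spent once a request completes, and the "response" simply echoes the nonce.

```python
import re

HEADER = "General-Authenticate"   # hypothetical header name (assumption)

class AuthPoint:
    """A proxy or origin server that issues one-time challenges."""
    def __init__(self, loc):
        self.loc, self.issued, self.nonce = loc, 0, None

    def challenge(self):
        self.issued += 1
        self.nonce = f"{self.loc}-{self.issued}"           # constructed nonce
        return (HEADER, f'OneTime nonce="{self.nonce}", loc="{self.loc}"')

def send(chain, answers, piggyback):
    """One request/reply round trip; returns (status, challenge headers)."""
    for point in chain:                        # hop nearest the client first
        if point.nonce is None or answers.get(point.loc) != point.nonce:
            # Hops nearer the client relay this header as-is: loc is not theirs.
            return 401, [point.challenge()]
    for point in chain:
        point.nonce = None                     # one-time: spent on success
    return 200, ([p.challenge() for p in chain] if piggyback else [])

def absorb(answers, headers):
    """Client side: record the answer owed to each authentication point."""
    for name, value in headers:
        if name == HEADER:
            m = re.search(r'nonce="([^"]+)", loc="([^"]+)"', value)
            answers[m.group(2)] = m.group(1)   # toy response: echo the nonce

def fetch(chain, answers, piggyback):
    """Retry one request until it succeeds; return round trips used."""
    trips = 0
    while True:
        trips += 1
        status, headers = send(chain, answers, piggyback)
        absorb(answers, headers)
        if status == 200:
            return trips

def demo(piggyback):
    """Round trips for three consecutive requests through two proxies."""
    chain = [AuthPoint("proxy-a"), AuthPoint("proxy-b"), AuthPoint("origin")]
    answers = {}
    return [fetch(chain, answers, piggyback) for _ in range(3)]

if __name__ == "__main__":
    print(demo(False), demo(True))
```

Without piggybacking every request repeats the full shuttle, one round trip per authentication point plus the final success; with piggybacking only the first request pays that cost.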