Re: ISSUE PROXY-AUTHORIZATION: Proposal wording
Koen Holtman (koen@win.tue.nl)
Wed, 9 Jul 1997 20:40:32 +0200 (MET DST)
Henrik Frystyk Nielsen:
>
>The trust may be based on some out-of-band agreement which is of no concern
>to HTTP as such.
Yes.
>The only thing that HTTP cares about is that all HTTP
>messages in and out of the proxy are compliant with the protocol.
No. HTTP/1.1 goes to greath lengths to define the relation between
the messages in and out of a proxy, and it does this so that people can
come together and say `we now trust each other to use a plain HTTP/1.1
proxy without any extensions'.
Throwing out all the MUSTs about the relation between the proxy input
and output would make the spec useless as a device for trust
management in this area.
HTTP/1.1 can only stop caring when nobody uses it to describe trust
relations anymore.
>What about simply saying that
>
> The WWW-Authenticate and Authorization header fields are end-to-end
>headers
> following the rules found in section 14.8 and 14.46. Both the Proxy-
> Authenticate and the Proxy-Authorization header fields are hop-by-hop
> headers (see section 13.5.1).
>
>instead of
>
> Proxies MUST be completely transparent regarding user agent authentication
> by origin servers. That is, they MUST forward the WWW-Authenticate and
> Authorization headers untouched, and follow the rules found in section
>14.8.
> Both the Proxy-Authenticate and the Proxy-Authorization header fields are
> hop-by-hop headers (see section 13.5.1).
No. Throwing out the MUST would make the spec less useful.
Leaving it in does no harm; it does not block protocol extensions
which violate the MUST.
>Henrik
Koen.