Re: ISSUE: Protection space
Dave Kristol (dmk@bell-labs.com)
Fri, 07 Aug 1998 10:04:38 -0400

Paul Leach wrote:
>
> In section 3.2.1, The WWW-Authenticate Response Header
>
> OLD:
>
> domain
>
> A space-separated list of URIs, as specified in RFC XURI [7]. The intent is
> that the client could use this information to know the set of URIs for which
> the same authentication information should be sent. The URIs in this list
> may exist on different servers. If this keyword is omitted or empty, the
> client should assume that the domain consists of all URIs on the responding
> server.
>
> NEW:
>
> domain
>
> A space-separated list of URIs, as specified in RFC XURI [7] that define the
> protection space. If a URI is relative, it is relative to canonical root
> URL (see section 5.1.2 of [2]) of the server being accessed. The URIs in
> this list may refer to different servers. The client can use this list to
> determine the set of URIs for which the same authentication information may
> be sent: any URI that has a URI in this list as a prefix (after both have
> been made absolute) may be assumed to be in the same protection space. If
> this keyword is omitted or empty, the client should assume that the
> protection space consists of all URIs on the responding server.
>
> RATIONALE:
> The terminology of "protection space" was not used for Digest. The means for
> determining when Digest clients could use the same credentials was
> under-specified.

I agree the "protection space" for Digest needed to be specified. I
have a problem with the proposed words above:

I assume "5.1.2 of [2]" refers to the HTTP/1.1 spec. The words
"canonical root URL" do not appear there, and I am therefore unsure what
was meant. Since all URLs on a server are implicitly descended from "/"
(no?), wouldn't it be easier just to say that relative URLs are taken to
be relative to "/"?

Dave Kristol
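
The client-side check that the proposed `domain` wording describes, as an added example that is not part of the original message or of any draft text. It assumes relative entries resolve against "/" on the responding server (the reading suggested in the reply) and compares scheme, host and port exactly before applying the prefix test to the path; the function names and sample URIs are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit


def _parts(uri):
    """Split an absolute URI into ((scheme, host, port), path) for comparison."""
    s = urlsplit(uri)
    return (s.scheme.lower(), s.hostname, s.port), (s.path or "/")


def protection_space(domain, request_uri):
    """Return the absolute URI prefixes named by a 'domain' value.

    domain      -- raw space-separated value from the challenge (may be None)
    request_uri -- absolute URI of the request that drew the challenge
    """
    s = urlsplit(request_uri)
    # Assumption: the server's root is scheme://authority/ ("relative to /").
    root = f"{s.scheme}://{s.netloc}/"
    entries = (domain or "").split()
    if not entries:
        # Omitted or empty: all URIs on the responding server.
        return [root]
    return [urljoin(root, entry) for entry in entries]


def in_protection_space(candidate, prefixes):
    """True if the same credentials may be sent to the candidate URI."""
    c_origin, c_path = _parts(candidate)
    for prefix in prefixes:
        p_origin, p_path = _parts(prefix)
        # The path test is a literal prefix match: an entry "/docs" also
        # covers "/docs-old/", so servers should end entries with "/"
        # when they mean a directory.
        if c_origin == p_origin and c_path.startswith(p_path):
            return True
    return False


# Constructed sample challenge value and request URI.
SAMPLE_DOMAIN = "/docs /private/ http://other.example/shared/"
SAMPLE_REQUEST = "http://www.example/private/report.html"
PREFIXES = protection_space(SAMPLE_DOMAIN, SAMPLE_REQUEST)
```
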