Re: Proxy auth

Dave Kristol (dmk@research.bell-labs.com)
Thu, 18 Nov 1999 08:46:41 -0500 (EST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: David W. Morris: "Re: Proxy auth"
Previous message: Josh Cohen: "Proxy auth"
Maybe in reply to: Josh Cohen: "Proxy auth"
Next in thread: Roy T. Fielding: "Re: Proxy auth"

"Josh Cohen (Exchange)" <joshco@Exchange.Microsoft.com> wrote:
  >  Since we're talking about proxies....
  > Im curious to know what others think the right thing
  > according to the intent of the 1.1 spec to do is
  > in this situation:
  > 
  > If you have two chained proxy servers:
  > 
  > client -> proxy1 -> proxy2 -> origin server
  > 
  > If proxy 2 challenges for proxy-authentication (in its realm),
  > should the challenge go back to the client if proxy1 doesnt intend
  > to satisfy the challenge ?
  > 
  > My understanding was that the intent was that this situation was
  > to be covered.  By this I mean a client can auth to a proxy up the chain.
  > The spec is somewhat ambiguous, it says the proxy-auth headers are 
  > hop-by-hop, but then mentions that chained proxy-auth can work.

My understanding has always been that proxy authentication is strictly
hop-by-hop.  So proxy1 should not bump the authentication request up to
the client.  After all, it's proxy1 that has a trust relationship with
proxy2, whereas the client may have no such relationship.

Dave Kristol

Next message: David W. Morris: "Re: Proxy auth"
Previous message: Josh Cohen: "Proxy auth"
Maybe in reply to: Josh Cohen: "Proxy auth"
Next in thread: Roy T. Fielding: "Re: Proxy auth"