Changeset 1669 for draft-ietf-httpbis

Timestamp:

05/06/12 08:27:19 (9 years ago)

Author:

julian.reschke@…

Message:

Tune the requirements wrt selecting the strongest auth schemes (fixes #349)

Location:

draft-ietf-httpbis/latest

Files:

• p7-auth.html (modified) (6 diffs)
• p7-auth.xml (modified) (2 diffs)

draft-ietf-httpbis/latest/p7-auth.html

@@ -449 +449 @@
   } 
   @bottom-center {
-       content: "Expires December 3, 2012"; 
+       content: "Expires December 7, 2012"; 
   } 
   @bottom-right {
@@ -489 +489 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2012-06-01">
+      <meta name="dct.issued" scheme="ISO8601" content="2012-06-05">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
       <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World Wide Web global information initiative since 1990. This document is Part 7 of the seven-part specification that defines the protocol referred to as &#34;HTTP/1.1&#34; and, taken together, obsoletes RFC 2616. Part 7 defines the HTTP Authentication framework.">
@@ -520 +520 @@
             </tr>
             <tr>
-               <td class="left">Expires: December 3, 2012</td>
+               <td class="left">Expires: December 7, 2012</td>
                <td class="right">greenbytes</td>
             </tr>
             <tr>
                <td class="left"></td>
-               <td class="right">June 1, 2012</td>
+               <td class="right">June 5, 2012</td>
             </tr>
          </tbody>
@@ -553 +553 @@
          in progress”.
       </p>
-      <p>This Internet-Draft will expire on December 3, 2012.</p>
+      <p>This Internet-Draft will expire on December 7, 2012.</p>
       <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
       <p>Copyright © 2012 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
@@ -704 +704 @@
          Required) — can do so by including a Proxy-Authorization header field with the request.
       </p>
-      <p id="rfc.section.2.1.p.12">Both the Authorization field value and the Proxy-Authorization field value consist of credentials containing the authentication
-         information of the client for the realm of the resource being requested. The user agent <em class="bcp14">MUST</em> choose to use one of the challenges with the strongest auth-scheme it understands and request credentials from the user based
-         upon that challenge.
+      <p id="rfc.section.2.1.p.12">Both the Authorization field value and the Proxy-Authorization field value contain the client's credentials for the realm
+         of the resource being requested, based upon a challenge received from the server (possibly at some point in the past). When
+         creating their values, the user agent ought to do so by selecting the challenge with what it considers to be the most secure
+         auth-scheme that it understands, obtaining credentials from the user as appropriate.
       </p>
       <div id="rfc.figure.u.4"></div><pre class="inline"><span id="rfc.iref.c.2"></span><span id="rfc.iref.g.5"></span>  <a href="#challenge.and.response" class="smpl">credentials</a> = <a href="#challenge.and.response" class="smpl">auth-scheme</a> [ 1*<a href="#notation" class="smpl">SP</a> ( <a href="#challenge.and.response" class="smpl">b64token</a> / #<a href="#challenge.and.response" class="smpl">auth-param</a> ) ]
@@ -1127 +1128 @@
       </p>
       <h2 id="rfc.section.C.1"><a href="#rfc.section.C.1">C.1</a>&nbsp;<a id="changes.since.19" href="#changes.since.19">Since draft-ietf-httpbis-p7-auth-19</a></h2>
-      <p id="rfc.section.C.1.p.1">None yet.</p>
+      <p id="rfc.section.C.1.p.1">Closed issues: </p>
+      <ul>
+         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/349">http://tools.ietf.org/wg/httpbis/trac/ticket/349</a>&gt;: "Strength"
+         </li>
+      </ul>
       <h1 id="rfc.index"><a href="#rfc.index">Index</a></h1>
       <p class="noprint"><a href="#rfc.index.4">4</a> <a href="#rfc.index.A">A</a> <a href="#rfc.index.B">B</a> <a href="#rfc.index.C">C</a> <a href="#rfc.index.G">G</a> <a href="#rfc.index.H">H</a> <a href="#rfc.index.P">P</a> <a href="#rfc.index.R">R</a> <a href="#rfc.index.S">S</a> <a href="#rfc.index.W">W</a> 

draft-ietf-httpbis/latest/p7-auth.xml

@@ -299 +299 @@
    request.
 </t>
-<t>   
+<t>
    Both the Authorization field value and the Proxy-Authorization field value
-   consist of credentials containing the authentication information of the
-   client for the realm of the resource being requested. The user agent &MUST;
-   choose to use one of the challenges with the strongest auth-scheme it
-   understands and request credentials from the user based upon that challenge.
+   contain the client's credentials for the realm of the resource being
+   requested, based upon a challenge received from the server (possibly at
+   some point in the past). When creating their values, the user agent ought to
+   do so by selecting the challenge with what it considers to be the most
+   secure auth-scheme that it understands, obtaining credentials from the user
+   as appropriate.
 </t>
 <figure><artwork type="abnf2616"><iref item="credentials" primary="true"/><iref primary="true" item="Grammar" subitem="credentials"/>
@@ -1123 +1125 @@
 <section title="Since draft-ietf-httpbis-p7-auth-19" anchor="changes.since.19">
 <t>
-  None yet.
+  Closed issues:
+  <list style="symbols">
+    <t>
+      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/349"/>:
+      "Strength"
+    </t>
+  </list>
 </t>
 </section>