Changeset 2242 for draft-ietf-httpbis/latest/p7-auth.xml

Timestamp:

07/05/13 14:04:14 (8 years ago)

Author:

julian.reschke@…

Message:

Move sections about new auth schemes registration, other considerations) into IANA section (see #464).

File:

• draft-ietf-httpbis/latest/p7-auth.xml (modified) (3 diffs)

draft-ietf-httpbis/latest/p7-auth.xml

@@ -314 +314 @@
 </section>
 
-<section title="Authentication Scheme Registry" anchor="authentication.scheme.registry">
-<t>
-  The HTTP Authentication Scheme Registry defines the name space for the
-  authentication schemes in challenges and credentials.
-</t>
-<t>
-  Registrations &MUST; include the following fields:
-  <list style="symbols">
-    <t>Authentication Scheme Name</t>
-    <t>Pointer to specification text</t>
-    <t>Notes (optional)</t>
-  </list>
-</t>
-<t>
-  Values to be added to this name space require IETF Review
-  (see <xref target="RFC5226" x:fmt="," x:sec="4.1"/>).
-</t>
-<t>
-  The registry itself is maintained at <eref target="http://www.iana.org/assignments/http-authschemes"/>.
-</t>
-
-<section title="Considerations for New Authentication Schemes" anchor="considerations.for.new.authentication.schemes">
-<t>
-  There are certain aspects of the HTTP Authentication Framework that put
-  constraints on how new authentication schemes can work:
-</t>
-<t>
-  <list style="symbols">
-    <x:lt>
-    <t>
-      HTTP authentication is presumed to be stateless: all of the information
-      necessary to authenticate a request &MUST; be provided in the request,
-      rather than be dependent on the server remembering prior requests.
-      Authentication based on, or bound to, the underlying connection is
-      outside the scope of this specification and inherently flawed unless
-      steps are taken to ensure that the connection cannot be used by any
-      party other than the authenticated user
-      (see &msg-orient-and-buffering;). 
-    </t>
-    </x:lt>
-    <x:lt>
-    <t>
-      The authentication parameter "realm" is reserved for defining Protection
-      Spaces as defined in <xref target="protection.space"/>. New schemes
-      &MUST-NOT; use it in a way incompatible with that definition.
-    </t>
-    </x:lt>
-    <x:lt>
-    <t>
-      The "token68" notation was introduced for compatibility with existing
-      authentication schemes and can only be used once per challenge or credential.
-      New schemes thus ought to use the "auth-param" syntax instead, because
-      otherwise future extensions will be impossible.
-    </t>
-    </x:lt>
-    <x:lt>
-    <t>
-      The parsing of challenges and credentials is defined by this specification,
-      and cannot be modified by new authentication schemes. When the auth-param
-      syntax is used, all parameters ought to support both token and
-      quoted-string syntax, and syntactical constraints ought to be defined on
-      the field value after parsing (i.e., quoted-string processing). This is
-      necessary so that recipients can use a generic parser that applies to
-      all authentication schemes.
-    </t>
-    <t>
-      &Note; The fact that the value syntax for the "realm" parameter
-      is restricted to quoted-string was a bad design choice not to be repeated
-      for new parameters.
-    </t>
-    </x:lt>
-    <x:lt>
-    <t>
-      Definitions of new schemes ought to define the treatment of unknown
-      extension parameters. In general, a "must-ignore" rule is preferable
-      over "must-understand", because otherwise it will be hard to introduce
-      new parameters in the presence of legacy recipients. Furthermore,
-      it's good to describe the policy for defining new parameters (such
-      as "update the specification", or "use this registry"). 
-    </t>
-    </x:lt>
-    <x:lt>
-    <t>
-      Authentication schemes need to document whether they are usable in
-      origin-server authentication (i.e., using <x:ref>WWW-Authenticate</x:ref>),
-      and/or proxy authentication (i.e., using <x:ref>Proxy-Authenticate</x:ref>).
-    </t>
-    </x:lt>
-    <x:lt>
-    <t>
-      The credentials carried in an <x:ref>Authorization</x:ref> header field are specific to
-      the User Agent, and therefore have the same effect on HTTP caches as the
-      "private" Cache-Control response directive (&caching-rsd-private;),
-      within the scope of the request they appear in.
-    </t>
-    <t>
-      Therefore, new authentication schemes that choose not to carry
-      credentials in the <x:ref>Authorization</x:ref> header field (e.g., using a newly defined
-      header field) will need to explicitly disallow caching, by mandating the use of
-      either Cache-Control request directives (e.g., "no-store",
-      &caching-rqd-no-store;) or response directives (e.g., "private").
-    </t>
-    </x:lt>
-  </list>
-</t>
-</section>
-
-</section>
-
 </section>
 
@@ -597 +488 @@
 <section title="IANA Considerations" anchor="IANA.considerations">
 
-<section title="Authentication Scheme Registry" anchor="authentication.scheme.registration">
-<t>
-  The registration procedure for HTTP Authentication Schemes is defined by 
-  <xref target="authentication.scheme.registry"/> of this document.
-</t>
-<t>
-   The HTTP Method Authentication Scheme shall be created at <eref target="http://www.iana.org/assignments/http-authschemes"/>.
-</t>
+<section title="Authentication Scheme Registry" anchor="authentication.scheme.registry">
+<t>
+   The HTTP Authentication Scheme Registry defines the name space for the
+   authentication schemes in challenges and credentials. It is maintained at
+   <eref target="http://www.iana.org/assignments/http-authschemes"/>.
+</t>
+
+<section title="Procedure" anchor="authentication.scheme.registry.procedure">
+<t>
+  Registrations &MUST; include the following fields:
+  <list style="symbols">
+    <t>Authentication Scheme Name</t>
+    <t>Pointer to specification text</t>
+    <t>Notes (optional)</t>
+  </list>
+</t>
+<t>
+  Values to be added to this name space require IETF Review
+  (see <xref target="RFC5226" x:fmt="," x:sec="4.1"/>).
+</t>
+</section>
+
+<section title="Considerations for New Authentication Schemes" anchor="considerations.for.new.authentication.schemes">
+<t>
+  There are certain aspects of the HTTP Authentication Framework that put
+  constraints on how new authentication schemes can work:
+</t>
+<t>
+  <list style="symbols">
+    <x:lt>
+    <t>
+      HTTP authentication is presumed to be stateless: all of the information
+      necessary to authenticate a request &MUST; be provided in the request,
+      rather than be dependent on the server remembering prior requests.
+      Authentication based on, or bound to, the underlying connection is
+      outside the scope of this specification and inherently flawed unless
+      steps are taken to ensure that the connection cannot be used by any
+      party other than the authenticated user
+      (see &msg-orient-and-buffering;). 
+    </t>
+    </x:lt>
+    <x:lt>
+    <t>
+      The authentication parameter "realm" is reserved for defining Protection
+      Spaces as defined in <xref target="protection.space"/>. New schemes
+      &MUST-NOT; use it in a way incompatible with that definition.
+    </t>
+    </x:lt>
+    <x:lt>
+    <t>
+      The "token68" notation was introduced for compatibility with existing
+      authentication schemes and can only be used once per challenge or credential.
+      New schemes thus ought to use the "auth-param" syntax instead, because
+      otherwise future extensions will be impossible.
+    </t>
+    </x:lt>
+    <x:lt>
+    <t>
+      The parsing of challenges and credentials is defined by this specification,
+      and cannot be modified by new authentication schemes. When the auth-param
+      syntax is used, all parameters ought to support both token and
+      quoted-string syntax, and syntactical constraints ought to be defined on
+      the field value after parsing (i.e., quoted-string processing). This is
+      necessary so that recipients can use a generic parser that applies to
+      all authentication schemes.
+    </t>
+    <t>
+      &Note; The fact that the value syntax for the "realm" parameter
+      is restricted to quoted-string was a bad design choice not to be repeated
+      for new parameters.
+    </t>
+    </x:lt>
+    <x:lt>
+    <t>
+      Definitions of new schemes ought to define the treatment of unknown
+      extension parameters. In general, a "must-ignore" rule is preferable
+      over "must-understand", because otherwise it will be hard to introduce
+      new parameters in the presence of legacy recipients. Furthermore,
+      it's good to describe the policy for defining new parameters (such
+      as "update the specification", or "use this registry"). 
+    </t>
+    </x:lt>
+    <x:lt>
+    <t>
+      Authentication schemes need to document whether they are usable in
+      origin-server authentication (i.e., using <x:ref>WWW-Authenticate</x:ref>),
+      and/or proxy authentication (i.e., using <x:ref>Proxy-Authenticate</x:ref>).
+    </t>
+    </x:lt>
+    <x:lt>
+    <t>
+      The credentials carried in an <x:ref>Authorization</x:ref> header field are specific to
+      the User Agent, and therefore have the same effect on HTTP caches as the
+      "private" Cache-Control response directive (&caching-rsd-private;),
+      within the scope of the request they appear in.
+    </t>
+    <t>
+      Therefore, new authentication schemes that choose not to carry
+      credentials in the <x:ref>Authorization</x:ref> header field (e.g., using a newly defined
+      header field) will need to explicitly disallow caching, by mandating the use of
+      either Cache-Control request directives (e.g., "no-store",
+      &caching-rqd-no-store;) or response directives (e.g., "private").
+    </t>
+    </x:lt>
+  </list>
+</t>
+</section>
 </section>
 
@@ -1176 +1166 @@
       "Editorial suggestions"
     </t>
+    <t>
+      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/464"/>:
+      "placement of extension point considerations"
+    </t>
   </list>
 </t>