Changeset 2455

Timestamp:

31/10/13 12:59:09 (9 years ago)

Author:

julian.reschke@…

Message:

rephrase parsing considerations for *-Authenticate, also have them only once (#516)

Location:

draft-ietf-httpbis/latest

Files:

• p7-auth.html (modified) (8 diffs)
• p7-auth.xml (modified) (3 diffs)

draft-ietf-httpbis/latest/p7-auth.html

@@ -445 +445 @@
   }
   @bottom-center {
-       content: "Expires May 3, 2014";
+       content: "Expires May 4, 2014";
   }
   @bottom-right {
@@ -485 +485 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2013-10-30">
+      <meta name="dct.issued" scheme="ISO8601" content="2013-10-31">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
       <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. This document defines the HTTP Authentication framework.">
@@ -513 +513 @@
             <tr>
                <td class="left">Intended status: Standards Track</td>
-               <td class="right">October 30, 2013</td>
+               <td class="right">October 31, 2013</td>
             </tr>
             <tr>
-               <td class="left">Expires: May 3, 2014</td>
+               <td class="left">Expires: May 4, 2014</td>
                <td class="right"></td>
             </tr>
@@ -543 +543 @@
             in progress”.
          </p>
-         <p>This Internet-Draft will expire on May 3, 2014.</p>
+         <p>This Internet-Draft will expire on May 4, 2014.</p>
       </div>
       <div id="rfc.copyrightnotice">
@@ -665 +665 @@
             <div id="rfc.figure.u.2"></div><pre class="inline"><span id="rfc.iref.g.4"></span>  <a href="#challenge.and.response" class="smpl">challenge</a>   = <a href="#challenge.and.response" class="smpl">auth-scheme</a> [ 1*<a href="#imported.abnf" class="smpl">SP</a> ( <a href="#challenge.and.response" class="smpl">token68</a> / #<a href="#challenge.and.response" class="smpl">auth-param</a> ) ]
 </pre><div class="note" id="rfc.section.2.1.p.8">
-               <p><b>Note:</b> User agents will need to take special care in parsing the <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> and <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> header field values because they can contain more than one challenge, or if more than one of each is provided, since the contents
-                  of a challenge can itself contain a comma-separated list of authentication parameters.
-               </p> 
-            </div>
-            <div class="note" id="rfc.section.2.1.p.9">
                <p><b>Note:</b> Many clients fail to parse challenges containing unknown schemes. A workaround for this problem is to list well-supported
                   schemes (such as "basic") first. 
                </p> 
             </div>
-            <p id="rfc.section.2.1.p.10">A user agent that wishes to authenticate itself with an origin server — usually, but not necessarily, after receiving a <a href="#status.401" class="smpl">401 (Unauthorized)</a> — can do so by including an <a href="#header.authorization" class="smpl">Authorization</a> header field with the request.
-            </p>
-            <p id="rfc.section.2.1.p.11">A client that wishes to authenticate itself with a proxy — usually, but not necessarily, after receiving a <a href="#status.407" class="smpl">407 (Proxy Authentication Required)</a> — can do so by including a <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> header field with the request.
-            </p>
-            <p id="rfc.section.2.1.p.12">Both the <a href="#header.authorization" class="smpl">Authorization</a> field value and the <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> field value contain the client's credentials for the realm of the resource being requested, based upon a challenge received
+            <p id="rfc.section.2.1.p.9">A user agent that wishes to authenticate itself with an origin server — usually, but not necessarily, after receiving a <a href="#status.401" class="smpl">401 (Unauthorized)</a> — can do so by including an <a href="#header.authorization" class="smpl">Authorization</a> header field with the request.
+            </p>
+            <p id="rfc.section.2.1.p.10">A client that wishes to authenticate itself with a proxy — usually, but not necessarily, after receiving a <a href="#status.407" class="smpl">407 (Proxy Authentication Required)</a> — can do so by including a <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> header field with the request.
+            </p>
+            <p id="rfc.section.2.1.p.11">Both the <a href="#header.authorization" class="smpl">Authorization</a> field value and the <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> field value contain the client's credentials for the realm of the resource being requested, based upon a challenge received
                in a response (possibly at some point in the past). When creating their values, the user agent ought to do so by selecting
                the challenge with what it considers to be the most secure auth-scheme that it understands, obtaining credentials from the
@@ -684 +679 @@
             </p>
             <div id="rfc.figure.u.3"></div><pre class="inline"><span id="rfc.iref.g.5"></span>  <a href="#challenge.and.response" class="smpl">credentials</a> = <a href="#challenge.and.response" class="smpl">auth-scheme</a> [ 1*<a href="#imported.abnf" class="smpl">SP</a> ( <a href="#challenge.and.response" class="smpl">token68</a> / #<a href="#challenge.and.response" class="smpl">auth-param</a> ) ]
-</pre><p id="rfc.section.2.1.p.14">Upon receipt of a request for a protected resource that omits credentials, contains invalid credentials (e.g., a bad password)
+</pre><p id="rfc.section.2.1.p.13">Upon receipt of a request for a protected resource that omits credentials, contains invalid credentials (e.g., a bad password)
                or partial credentials (e.g., when the authentication scheme requires more than one round trip), an origin server <em class="bcp14">SHOULD</em> send a <a href="#status.401" class="smpl">401 (Unauthorized)</a> response that contains a <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> header field with at least one (possibly new) challenge applicable to the requested resource.
             </p>
-            <p id="rfc.section.2.1.p.15">Likewise, upon receipt of a request that requires authentication by proxies that omit credentials or contain invalid or partial
+            <p id="rfc.section.2.1.p.14">Likewise, upon receipt of a request that requires authentication by proxies that omit credentials or contain invalid or partial
                credentials, a proxy <em class="bcp14">SHOULD</em> send a <a href="#status.407" class="smpl">407 (Proxy Authentication Required)</a> response that contains a <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> header field with a (possibly new) challenge applicable to the proxy.
             </p>
-            <p id="rfc.section.2.1.p.16">A server receiving credentials that are valid, but not adequate to gain access, ought to respond with the <a href="p2-semantics.html#status.403" class="smpl">403 (Forbidden)</a> status code (<a href="p2-semantics.html#status.403" title="403 Forbidden">Section 6.5.3</a> of <a href="#Part2" id="rfc.xref.Part2.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>).
-            </p>
-            <p id="rfc.section.2.1.p.17">HTTP does not restrict applications to this simple challenge-response framework for access authentication. Additional mechanisms
+            <p id="rfc.section.2.1.p.15">A server receiving credentials that are valid, but not adequate to gain access, ought to respond with the <a href="p2-semantics.html#status.403" class="smpl">403 (Forbidden)</a> status code (<a href="p2-semantics.html#status.403" title="403 Forbidden">Section 6.5.3</a> of <a href="#Part2" id="rfc.xref.Part2.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>).
+            </p>
+            <p id="rfc.section.2.1.p.16">HTTP does not restrict applications to this simple challenge-response framework for access authentication. Additional mechanisms
                can be used, such as encryption at the transport level or via message encapsulation, and with additional header fields specifying
                authentication information. However, such additional mechanisms are not defined by this specification.
             </p>
-            <p id="rfc.section.2.1.p.18">A proxy <em class="bcp14">MUST</em> forward the <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> and <a href="#header.authorization" class="smpl">Authorization</a> header fields unmodified and follow the rules found in <a href="#header.authorization" id="rfc.xref.header.authorization.1" title="Authorization">Section&nbsp;4.1</a>.
+            <p id="rfc.section.2.1.p.17">A proxy <em class="bcp14">MUST</em> forward the <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> and <a href="#header.authorization" class="smpl">Authorization</a> header fields unmodified and follow the rules found in <a href="#header.authorization" id="rfc.xref.header.authorization.1" title="Authorization">Section&nbsp;4.1</a>.
             </p>
          </div>
@@ -795 +790 @@
             </p>
             <div id="rfc.figure.u.7"></div><pre class="inline"><span id="rfc.iref.g.9"></span>  <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a>
-</pre><p id="rfc.section.4.4.p.4">User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one
-               challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a
-               comma-separated list of authentication parameters.
+</pre><p id="rfc.section.4.4.p.4">User agents are advised to take special care in parsing the field value, as it might contain more than one challenge, and
+               each challenge can contain a comma-separated list of authentication parameters. Furthermore, the header field itself can occur
+               multiple times.
             </p>
             <div id="rfc.figure.u.8"></div>
@@ -1161 +1156 @@
                <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/513">http://tools.ietf.org/wg/httpbis/trac/ticket/513</a>&gt;: "APPSDIR review of draft-ietf-httpbis-p7-auth-24"
                </li>
+               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/516">http://tools.ietf.org/wg/httpbis/trac/ticket/516</a>&gt;: "note about WWW-A parsing potentially misleading"
+               </li>
             </ul>
             <p id="rfc.section.D.1.p.2">Partly resolved issues: </p>

draft-ietf-httpbis/latest/p7-auth.xml

@@ -204 +204 @@
 <x:note>
   <t>
-     &Note; User agents will need to take special care in parsing the
-     <x:ref>WWW-Authenticate</x:ref> and <x:ref>Proxy-Authenticate</x:ref>
-     header field values because they can contain more than one challenge, or
-     if more than one of each is provided, since the contents of a challenge
-     can itself contain a comma-separated list of authentication parameters.
-  </t>
-</x:note>
-<x:note>
-  <t>
      &Note; Many clients fail to parse challenges containing unknown
      schemes. A workaround for this problem is to list well-supported schemes
@@ -457 +448 @@
 </artwork></figure>
 <t>
-   User agents are advised to take special care in parsing the WWW-Authenticate
-   field value as it might contain more than one challenge,
-   or if more than one WWW-Authenticate header field is provided, the
-   contents of a challenge itself can contain a comma-separated list of
-   authentication parameters.
+   User agents are advised to take special care in parsing the field value, as
+   it might contain more than one challenge, and each challenge can contain a
+   comma-separated list of authentication parameters. Furthermore, the header
+   field itself can occur multiple times.
 </t>
 <figure>
@@ -1105 +1095 @@
       "APPSDIR review of draft-ietf-httpbis-p7-auth-24"
     </t>
+    <t>
+      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/516"/>:
+      "note about WWW-A parsing potentially misleading"
+    </t>
   </list>
 </t>