Opened 9 years ago

Closed 9 years ago

Last modified 21 months ago

#481 closed editorial (incorporated)

MUSTs and other feedback 4

Reported by: mnot@… Owned by: draft-ietf-httpbis-p7-auth@…
Priority: normal Milestone: 24
Component: p7-auth Severity: In WG Last Call
Keywords: Cc:


For historical reasons, senders MUST only use the quoted-string syntax.

Perhaps this can be relaxed to "MUST only generate", especially since another MUST prohibits proxies from modifying WWW-Authenticate and Authorization header fields.

And here is a list of requirements that are missing an explicit actor on which the requirement is placed. Even though it is often possible to guess the actor, most of these should be easy to rephrase to place the requirement on the intended actor explicitly (e.g., "A proxy MUST" instead of "a header field MUST":

each parameter name MUST only occur once per challenge

This response MUST include a WWW-Authenticate header

The 407 (Proxy Authentication Required) response message [...] MUST include a Proxy-Authenticate header field

information necessary to authenticate a request MUST be provided in the request

It MUST be included as part of a 407 (Proxy Authentication Required) response.

It MUST be included in 401 (Unauthorized) response messages

Please be careful with "send" and "generate" when fixing the above actorless rules so that the proxies do not accidentally become responsible for policing traffic where unnecessary.

Change History (4)

comment:1 Changed 9 years ago by julian.reschke@…

From [2289]:

tune a MUST regarding use of quoted-string in realm param (see #481)

comment:2 Changed 9 years ago by julian.reschke@…

  • Resolution set to incorporated
  • Status changed from new to closed

Fixed the first issue; do not agree with the need to fix the other parts. Please review the generic requirements defined in P1; or alternatively suggest concrete text.

comment:3 Changed 9 years ago by julian.reschke@…

  • Milestone changed from unassigned to 24

comment:4 Changed 21 months ago by mnot@…

  • Summary changed from MUSTs and other feedback to MUSTs and other feedback 4
Note: See TracTickets for help on using tickets.