* WGs marked with an * asterisk has had at least one new draft made available during the last 5 days

Ticket #78: 78.diff

File 78.diff, 3.0 KB (added by julian.reschke@gmx.de, 5 years ago)
  • p7-auth.xml

    451451  <list style="symbols"> 
     452    <x:lt> 
    452453    <t> 
    453454      Authentication schemes need to be compatible with the inherent 
    454455      constraints of HTTP; for instance, that messages need to keep their 
    456457      can not bind information to the TCP session over which the message 
    457458      was received (see &msg-orient-and-buffering;).  
    458459    </t> 
     460    </x:lt> 
     461    <x:lt> 
    459462    <t> 
    460463      The authentication parameter "realm" is reserved for defining Protection 
    461464      Spaces as defined in <xref target="protection.space"/>. New schemes 
    462465      &MUST-NOT; use it in a way incompatible with that definition. 
    463466    </t> 
     467    </x:lt> 
     468    <x:lt> 
    464469    <t> 
    465470      Authentication schemes need to document whether they are usable in 
    466471      origin-server authentication (i.e., using WWW-Authenticate), and/or 
    467472      proxy authentication (i.e., using Proxy-Authenticate). 
    468     </t>     
    469     <!-- note about Authorization header --> 
     473    </t> 
     474    </x:lt> 
     475    <x:lt> 
     476    <t> 
     477      The credentials carried in an Authorization header field are specific to 
     478      the User Agent, and therefore have the same effect on HTTP caches as the 
     479      "private" Cache-Control response directive, within the scope of the 
     480      request they appear in. 
     481    </t> 
     482    <t> 
     483      Therefore, new authentication schemes which choose not to carry 
     484      credentials in the Authorization header (e.g., using a newly defined 
     485      header) will need to explicitly disallow caching, by mandating the use of 
     486      either Cache-Control request directives (e.g., "no-store") or response 
     487      directives (e.g., "private"). 
     488    </t> 
     489    </x:lt> 
    470490  </list> 
    623643   The "WWW-Authenticate" header field consists of at least one 
    624644   challenge that indicates the authentication scheme(s) and parameters 
    625    applicable to the effective request URI (&effective-request-uri;). It &MUST; be included in 401 
    626    (Unauthorized) response messages. 
     645   applicable to the effective request URI (&effective-request-uri;). 
     648   It &MUST; be included in 401 (Unauthorized) response messages and &MAY; be 
     649   included in other response messages to indicate that supplying credentials 
     650   (or different credentials) might affect the response. 
    628652<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="WWW-Authenticate"/> 
    629653  <x:ref>WWW-Authenticate</x:ref> = 1#<x:ref>challenge</x:ref> 
    12551279  Closed issues: 
    12561280  <list style="symbols"> 
    12571281    <t> 
     1282      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/78"/>: 
     1283      "Relationship between 401, Authorization and WWW-Authenticate" 
     1284    </t> 
     1285    <t> 
    12581286      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/177"/>: 
    12591287      "Realm required on challenges" 
    12601288    </t>