Re: p7: forwarding Proxy-*

"Roy T. Fielding" <fielding@gbiv.com> Tue, 30 April 2013 02:00 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A62921F9BD8 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 29 Apr 2013 19:00:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.449
X-Spam-Level:
X-Spam-Status: No, score=-9.449 tagged_above=-999 required=5 tests=[AWL=-1.150, BAYES_00=-2.599, MANGLED_SHOP=2.3, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hFptyCuZF5az for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 29 Apr 2013 19:00:50 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id DB87121F9BD7 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 29 Apr 2013 19:00:49 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UWzrc-0002Zc-G0 for ietf-http-wg-dist@listhub.w3.org; Tue, 30 Apr 2013 02:00:16 +0000
Resent-Date: Tue, 30 Apr 2013 02:00:16 +0000
Resent-Message-Id: <E1UWzrc-0002Zc-G0@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <fielding@gbiv.com>) id 1UWzrT-0002Yp-C3 for ietf-http-wg@listhub.w3.org; Tue, 30 Apr 2013 02:00:07 +0000
Received: from caiajhbdccac.dreamhost.com ([208.97.132.202] helo=homiemail-a87.g.dreamhost.com) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <fielding@gbiv.com>) id 1UWzrR-0000yS-1B for ietf-http-wg@w3.org; Tue, 30 Apr 2013 02:00:07 +0000
Received: from homiemail-a87.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTP id 2151E26C073; Mon, 29 Apr 2013 18:59:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=gbiv.com; h=subject :mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=gbiv.com; bh=jZU4e6q1sTSufM+viielRtqNrm8=; b=P3UfikYaYEROOUVEJCYASGw+ey3W /EPPAybZrdk6n0ldpXhEdiRT8Sodpxc2TVDHMMrth9Y+OUt3ekJxVx9lvDX9saNa dnBlJL/orcp5jsyq3jxQqEw5CTWLB7P1Au28dgNE+ZNT/IHsLBj1Nq1Xsx2Bw37a 5t5VH7OfD6+dzWU=
Received: from [192.168.1.84] (99-21-208-82.lightspeed.irvnca.sbcglobal.net [99.21.208.82]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: fielding@gbiv.com) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTPSA id F2D9926C069; Mon, 29 Apr 2013 18:59:42 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: text/plain; charset=us-ascii
From: "Roy T. Fielding" <fielding@gbiv.com>
In-Reply-To: <76583F5C-A175-42EA-B0A0-CB5663A5E3AC@mnot.net>
Date: Mon, 29 Apr 2013 18:59:42 -0700
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9E71BAB0-0D88-4B6E-B1A1-AA228349E3CA@gbiv.com>
References: <76583F5C-A175-42EA-B0A0-CB5663A5E3AC@mnot.net>
To: Mark Nottingham <mnot@mnot.net>
X-Mailer: Apple Mail (2.1283)
Received-SPF: none client-ip=208.97.132.202; envelope-from=fielding@gbiv.com; helo=homiemail-a87.g.dreamhost.com
X-W3C-Hub-Spam-Status: No, score=-4.5
X-W3C-Hub-Spam-Report: AWL=-2.485, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001
X-W3C-Scan-Sig: lisa.w3.org 1UWzrR-0000yS-1B 3d7a2fc13d980e8a6c0072ad45241c5e
X-Original-To: ietf-http-wg@w3.org
Subject: Re: p7: forwarding Proxy-*
Archived-At: <http://www.w3.org/mid/9E71BAB0-0D88-4B6E-B1A1-AA228349E3CA@gbiv.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17696
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

That would be incorrect (and is not editorial).  The Proxy-Auth
fields are forwarded until consumed, not hop-by-hop.

....Roy

On Apr 29, 2013, at 6:38 PM, Mark Nottingham wrote:

> (editorial) 
> 
> p7 4.2 says:
> 
>> Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection, and intermediaries should not forward it to downstream clients. However, an intermediate proxy might need to obtain its own credentials by requesting them from the downstream client, which in some circumstances will appear as if the proxy is forwarding the Proxy-Authenticate header field.
> 
> and 4.3 says:
> 
>> Unlike Authorization, the Proxy-Authorization header field applies only to the next outbound proxy that demanded authentication using the Proxy-Authenticate field. When multiple proxies are used in a chain, the Proxy-Authorization header field is consumed by the first outbound proxy that was expecting to receive credentials. A proxy may relay the credentials from the client request to the next proxy if that is the mechanism by which the proxies cooperatively authenticate a given request.
> 
> 
> However, neither says that the header needs to be listed in the Connection header; i.e. that it's hop-by-hop, as per RFC2616 13.5.1. If you recall, we removed the explicit list of hop-by-hop headers, opting to say that they needed to be listed in Connection, because doing so was causing confusion. However, we haven't actually specified that for these two headers.
> 
> Recommend language like this:
> 
> """
> Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection, and thus MUST be listed in the Connection header field [ref], so that it is consumed on the next hop. Note that an intermediate proxy might need to obtain its own credentials by requesting them from the downstream client, which in some circumstances will appear as if the proxy is forwarding the Proxy-Authenticate header field.
> """
> 
> 
> --
> Mark Nottingham   http://www.mnot.net/
> 
> 
> 
>