#481, was: WGLC: p7 MUSTs

Julian Reschke <julian.reschke@gmx.de> Sun, 09 June 2013 16:59 UTC

Message-ID: <51B4B40B.1080800@gmx.de>
Date: Sun, 09 Jun 2013 18:57:47 +0200
From: Julian Reschke <julian.reschke@gmx.de>
To: Alex Rousskov <rousskov@measurement-factory.com>
CC: IETF HTTP WG <ietf-http-wg@w3.org>
References: <D69329FD-7456-46C5-BE24-6E7EE7E48C39@mnot.net> <5180A37D.6050003@measurement-factory.com>
In-Reply-To: <5180A37D.6050003@measurement-factory.com>
Subject: #481, was: WGLC: p7 MUSTs
Archived-At: <http://www.w3.org/mid/51B4B40B.1080800@gmx.de>

On 2013-05-01 07:09, Alex Rousskov wrote:
> Hello,
>      These comments are based on the "latest" snapshot dated Mon 29 Apr
> 2013 03:13:05 PM MDT at
> https://svn.tools.ietf.org/svn/wg/httpbis/draft-ietf-httpbis/latest/p7-auth.html
> I hope these issues are "editorial in nature".
>> For historical reasons, senders MUST only use the quoted-string syntax.
> Perhaps this can be relaxed to "MUST only generate", especially since
> another MUST prohibits proxies from modifying WWW-Authenticate and
> Authorization header fields.


> And here is a list of requirements that are missing an explicit actor on
> which the requirement is placed. Even though it is often possible to
> guess the actor, most of these should be easy to rephrase to place the
> requirement on the intended actor explicitly (e.g., "A proxy MUST"
> instead of "a header field MUST"):
>> each parameter name MUST only occur once per challenge

That's a requirement on the validity of a challenge. As such it does not 
depend on the actor.

>> This response MUST include a WWW-Authenticate header
>> The 407 (Proxy Authentication Required) response message [...] MUST
>> include a Proxy-Authenticate header field
>> information necessary to authenticate a request MUST be provided in
>> the request
>> It MUST be included as part of a 407 (Proxy Authentication Required)
>> response.
>> It MUST be included in 401 (Unauthorized) response messages

Similar things can be said about these.

What you seem to ask for is information about what a proxy should do 
when it receives a message that already violates a MUST level 
requirement. That's somewhat orthogonal to the discussion about what 
constitutes a valid message.

I can see why guidelines would be good, but watering down the validity 
requirements doesn't seem to be the right approach.

> ...

Best regards, Julian
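
Added example, not part of the original message or of the httpbis drafts: a validity check for the requirements quoted in this thread (a 401 carries WWW-Authenticate, a 407 carries Proxy-Authenticate, and each parameter name occurs once per challenge), kept separate from any decision about what a recipient does with an invalid message. The function names are hypothetical, and the parser assumes one challenge per field value with no token68 form.

```python
import re

# auth-param = token "=" ( token / quoted-string ), followed by "," or end.
_PARAM = re.compile(r'\s*([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)\s*=\s*'
                    r'("(?:[^"\\]|\\.)*"|[!#$%&\'*+\-.^_`|~0-9A-Za-z]+)\s*(?:,|$)')

# Status code -> header field the quoted requirements say it MUST include.
REQUIRED_FIELD = {401: "www-authenticate", 407: "proxy-authenticate"}


def challenge_violations(challenge):
    """Return validity problems for one challenge (scheme plus auth-params)."""
    scheme, _, rest = challenge.strip().partition(" ")
    if not scheme:
        return ["empty challenge"]
    problems, seen, pos = [], set(), 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            problems.append(f"unparseable auth-param at offset {pos}")
            break
        name = m.group(1).lower()  # parameter names compare case-insensitively
        if name in seen:
            problems.append(f"parameter {name!r} occurs more than once")
        seen.add(name)
        pos = m.end()
    return problems


def response_violations(status, headers):
    """Report whether a response is valid; policy for invalid ones lives elsewhere."""
    required = REQUIRED_FIELD.get(status)
    if required is None:
        return []  # the quoted requirements only cover 401 and 407
    fields = {k.lower(): v for k, v in headers.items()}
    if required not in fields:
        return [f"{status} response lacks {required}"]
    return challenge_violations(fields[required])


# Constructed sample inputs, not taken from the thread.
if __name__ == "__main__":
    print(response_violations(401, {"WWW-Authenticate": 'Digest realm="a", Realm="b"'}))
    print(response_violations(407, {}))
```
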