Hi,
I am forwarding a message from Scott Lawrence on the proposal for a new
optional operation to invoke challenges (Issue 2 in Tom's list).
Carl-Uno
-----Original Message-----
From: Scott Lawrence [mailto:lawrence at agranat.com]
Sent: Monday, March 22, 1999 2:01 PM
To: Manros, Carl-Uno B
Subject: RE: IPP> MOD - Proposed new functionality for clients to invoke
HTTP security
> 2) ADDITION: We would like to add another operation that forces
> the server to generate a 401 authentication challenge.
> This is very useful for a client to be able to get into identified mode as
> soon as possible. Today you have to wait to be challenged by the server,
> which may never happen - or happens at an unpredictable time. Unless
> somebody has a different solution.
There are two cases: basic and digest.
For basic, all you need is the realm name, or to configure the client to
send a username and password unsolicited. There's no rule against doing
that in HTTP, so it's fine.
For digest, you can't do anything until you get a specific challenge from
the server, which you could get at any request including the first one.
There's no value in letting the client know that the challenge is coming -
you can't act on it without the nonce in the challenge anyway.
Given that basic is not interesting to the IESG (to put it in the best
possible light), I think the point is moot.
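
Added example, not part of the forwarded message: a short Python sketch of the two cases described above. The Basic header is computed from the credentials alone, while the Digest response cannot be computed until a challenge carrying the nonce has been parsed. The function names are hypothetical, the sample challenge uses the example values published in RFC 2617, and the no-qop branch follows the older RFC 2069 form.

```python
import base64
import hashlib
import re

# Sample challenge assembled from the example values in RFC 2617 section 3.5.
SAMPLE_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                    'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

def basic_header(username, password):
    """Basic: a pure function of the credentials, so it can be sent unsolicited."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def parse_challenge(header):
    """Split a 'Digest k="v", k2=v2' WWW-Authenticate value into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(challenge, username, password, method, uri,
                    cnonce=None, nc="00000001"):
    """Digest: every input below except the credentials comes from the server."""
    if "nonce" not in challenge or "realm" not in challenge:
        raise ValueError("no challenge received: nonce and realm are required")
    ha1 = _md5(f"{username}:{challenge['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    nonce = challenge["nonce"]
    offered = [q.strip() for q in challenge.get("qop", "").split(",")]
    if "auth" in offered:
        if cnonce is None:
            raise ValueError("qop=auth requires a client nonce")
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")  # RFC 2069 form, no qop offered

if __name__ == "__main__":
    print(basic_header("Aladdin", "open sesame"))
    parsed = parse_challenge(SAMPLE_CHALLENGE)
    print(digest_response(parsed, "Mufasa", "Circle Of Life", "GET",
                          "/dir/index.html", cnonce="0a4f113b"))
```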