On Mon, 11 Sep 2000, Hirohiko Nakano wrote:
> At first, I had a plan to use Authentication-Info header defined in DA authentication spec.
> But Squid does not support it, so I checked Http specs in order to chose a suitable header for my purpose.
>
> By the way, Squid will support DA auth in the future?
>
> If Squid supports DA auth in the future, I think that the same problem would occur.
>
> DA auth uses a nonce to reject old (replay attack) requests.
> Authentication-Info header includes next-nonce value to update the nonce value which a client uses.
>
> If server cannot send Authentication-Info header in 304 response, squid sends a stale nonce stored
> in cache to a client.
> Cache-hit is an unhappy event for DA auth?
>
> I think that 304HTTP response can include Authentication-Info header.
> I think that Authentication-Info header MUST be passed through by a proxy.
Protocols and real-world implementations often differ substantially,
especially when a protocol is as complex and ambiguous as HTTP. I can
only suggest not to rely on subtle features of the protocol and
implement whatever you need "on top" of HTTP. While it may require more
work, the result may be a much more robust product/feature. Otherwise,
you may end up struggling with all the different
caches/accelerators/surrogates that do not interpret/implement HTTP the
way you do (regardless of whether your interpretation is correct!).
$0.02,
Alex.
-- To unsubscribe, see http://www.squid-cache.org/mailing-lists.htmlReceived on Mon Sep 11 2000 - 08:49:04 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:14 MST