TODO
Self:
+ Check if "realm" is needed in the Final 200 Response to fulfil other specs
+ Change userview= into httpuser= and SASL_USERVIEW into HTTP_USER
+ Push httpuser= and HTTP_USER out to draft-vanrein-http-unauth-user
+ Remove HTTP_USER in favour of the independently proposed User: header

Daniel Stenberg <daniel@haxx.se> wrote:

DONE:
> 1. RFC2616 is dead, refer to RFC 723X specs instead
*Oops* -- will fix that.

DONE:
> 2. I would really like to see protocol examples in the spec that
> better explain the flows. I couldn't understand it without reading
> the blog post -
> that features such examples.
Fair enough, will do that.

DONE:
> 3. The mandatory 403 when not authenticated seems unorthodox. Regular
> HTTP auth returns 401 (or 407 for proxy) when not authenticated.
Indeed. I was confused by the required inclusion of a challenge, but
didn't know the client recognised a repeat. Will fix.

DONE:
> 4. Section 3 wrongly states that Basic and Digest auth uses usernames
> in URIs. They didn't and don't. They speak of user names but they
> don't (have to) come from the URI.
Agreed, what I said is indeed browser behaviour.