Re: NTLM question

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 22 Aug 2001 02:43:53 +0200

Robert Collins wrote:

> SHOULD, in my book is an expectation. Squid can _expect_ that HTTP/1.1
> proxies will follow SHOULD recommendations, but we cannot _require_ it.
> I think I placed my (untrue) in a confusing location though - sorry.

An HTTP/1.1 compliant proxy must implement all SHOULD.

A conditionally compliant proxy may violate a SHOULD if properly documented.

> > It is the "child" proxy responsibility to log in to the "parent", not the end
> > users/browsers. How this is done is up to the implementation of the
> > "child" proxy.
>
> There is also a MAY in HTTP/1.1 that allows proxies to cooperate by
> passing the user's credentials around.

Not really. HTTP/1.1 does not care how the child finds the user's credentials. This
is application defined.

It is true that the proxy MAY relay the user credentials as part of the
application defined process of finding the credentials required to log in to the
parent proxy, but this is not the same as forwarding the
Proxy-Authenticate/Proxy-Authorize headers.

Yes, the borderline in terminology and functionality is very thin, but still quite
distinct.

> The problem is that with NTLM that
> cannot work until we are able to choose the challenge the DC will use.
> At that point we could get squid to cooperate in such a fashion -
> although it would be somewhat messy. (And that is gatewayed on
> connection pinning).

True.

And HTTP/1.1 does not care if the proxy is relaying NTLM authentication as long as
it is doing just that and not simply forwarding the
Proxy-Authenticate/Proxy-Authorization headers.

--
Henrik
Received on Tue Aug 21 2001 - 18:47:24 MDT
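
Added example, not part of the message above and not Squid code: a sketch of the distinction drawn in the thread, where the child proxy consumes the client's hop-by-hop Proxy-Authorization header and logs in to the parent with a header of its own. The `lookup_parent_credentials` helper, its credential table and the use of the Basic scheme are assumptions made for illustration.

```python
import base64

# Hop-by-hop headers a proxy consumes instead of forwarding; the thread is
# about the two Proxy-* entries.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

def lookup_parent_credentials(end_user):
    """Hypothetical, application-defined step: how the child finds the
    credentials it presents to the parent. Constructed table: a known end
    user maps to a parent account, anyone else to a service account."""
    table = {"alice": ("alice", "parent-secret")}
    return table.get(end_user, ("child-proxy", "svc-secret"))

def headers_for_parent(client_headers, end_user=None):
    """Return the header list the child sends on to the parent proxy."""
    # Anything named in the client's Connection header is hop-by-hop too.
    listed = set()
    for name, value in client_headers:
        if name.lower() == "connection":
            listed.update(t.strip().lower() for t in value.split(",") if t.strip())
    drop = HOP_BY_HOP | listed
    out = [(n, v) for n, v in client_headers if n.lower() not in drop]
    # The child authenticates to the parent itself. The client's own
    # Proxy-Authorization value is never copied through.
    user, password = lookup_parent_credentials(end_user)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    out.append(("Proxy-Authorization", "Basic " + token))
    return out

if __name__ == "__main__":
    # Constructed sample request headers as received from a browser.
    sample = [
        ("Host", "example.test"),
        ("Proxy-Authorization", "Basic Y2xpZW50OnB3"),
        ("Connection", "keep-alive, X-Hop"),
        ("X-Hop", "1"),
        ("Accept", "*/*"),
    ]
    for name, value in headers_for_parent(sample, end_user="alice"):
        print(f"{name}: {value}")
```
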
