On 7/5/06, John Panzer <[EMAIL PROTECTED]> wrote:
Comments inline. These are all from the perspective of interoperability.
James M Snell wrote on 7/5/2006, 1:51 PM:
> == Proposal ==
>
> {{{
> 12. Security Considerations
>
> 12.1 Authentication
>
> Implementors are advised to use client authentication mechanisms to
> prevent posting or editing by unknown or unauthorized sources. The type
> of authentication used is a local decision made by the server.
> Accordingly, clients are likely to face authentication schemes that vary
> across implementations.
+1 to the wording above. In addition, I'd really like to see a
reference to RFC 2617 (HTTP Authentication[1]) which defines a standard
framework for authentication negotiation as well as the specific scheme
mentioned below.
Reasoning: At least one Atom client in the wild today doesn't follow
RFC 2617 even to the extent of understanding a 401 Unauthorized
response. The GData protocol doesn't use RFC 2617's WWW-Authenticate:
header (AFAIK).
I think a 2617 reference would be appropriate and useful. The
authentication model associated with GData services does follow the
2617 Access Authentication Framework (issues WWW-Authenticate response
challenges, expects corresponding Authorization request headers w/
token info, etc).
-- Kyle
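The 2617 framework both messages refer to, as an added example that is not part of the thread or of any Atom/GData implementation: a client-side helper that recognises a 401, parses the WWW-Authenticate challenge, and builds the matching Authorization header, refusing to retry when no challenge or an unknown scheme is present. "ExampleToken" is a constructed scheme name standing in for a service-defined token scheme, not GData's actual scheme.

```python
import base64
import re

# One RFC 2617 auth-param: token "=" ( token | quoted-string )
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_challenge(header):
    """Split a single WWW-Authenticate challenge into (scheme, params).

    Param names are lowercased and quoted-string escapes are undone.
    """
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for name, quoted, bare in _PARAM_RE.findall(rest):
        value = bare if bare else quoted
        params[name.lower()] = re.sub(r"\\(.)", r"\1", value)
    return scheme, params


def basic_credential(params, creds):
    user, password = creds
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def example_token_credential(params, creds):
    # Constructed scheme: the framework allows schemes beyond Basic/Digest.
    return f"ExampleToken token={creds}"


SCHEME_HANDLERS = {"basic": basic_credential, "exampletoken": example_token_credential}


def authorization_for(status, headers, credentials):
    """Return the Authorization value a 2617-aware client retries with, or None.

    credentials maps (scheme, realm) -> scheme-specific secret material.
    """
    if status != 401:
        return None
    challenge = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), None)
    if challenge is None:
        return None  # a 401 must carry a challenge; never guess a scheme
    scheme, params = parse_challenge(challenge)
    handler = SCHEME_HANDLERS.get(scheme.lower())
    if handler is None:
        return None  # unsupported scheme: report it instead of retrying blindly
    creds = credentials.get((scheme.lower(), params.get("realm")))
    if creds is None:
        return None
    return handler(params, creds)
```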