[MERGE] Authentication Ring spec

Robert Collins robertc at robertcollins.net
Sat Jul 28 00:03:26 BST 2007


On Fri, 2007-07-27 at 15:58 -0500, Martin Pool wrote:
> 
> 
> > [.netrc will be ignored]
> 
> I think this is just because it would be complex to have two possible
> mechanisms to do the same thing?  Users might configure one and be
> confused that it doesn't take effect.

.netrc is however an existing standard that users use with other tools.
I think we really should support it.

> Something else I was talking about with John (a bit off topic for this
> spec):
> 
> For http, it's probably best to initially connect without giving
> credentials and see if the server says "must authenticate".  Then we can
> send back the username and password and continue using them for this
> session.  I think this is the intended use of the protocol, and this tells
> us the realm and the acceptable authentication mechanisms.  If a username
> is given in the url we should probably authenticate unilaterally.

In a technical sense you can never authenticate unilaterally with HTTP:
plain text is not guaranteed to be accepted as an authentication scheme,
is recommended against except when HTTPS is in use, and RFC 2617 digest
auth requires a challenge nonce to authenticate, which is supplied in
access denied responses. What you can and should do when you want to
authenticate but don't know how is try to perform your request, get
denied, and then handle that. If you don't get denied but really want to
do auth, try some unsupported authentication scheme to prompt
negotiation.

-Rob

-- 
GPG key available at: <http://www.robertcollins.net/keys.txt>.
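The challenge/response flow Rob describes, as an added example that is not part of the thread and not bzr's own code: a client first sends the request without credentials, reads the realm and nonce from the 401's WWW-Authenticate header, and only then computes the RFC 2617 Digest response. A toy in-process server stands in for the remote end; the realm `bzr-example`, the user `alice`, the password and the URI are constructed values, and the server supports only `algorithm=MD5` with `qop="auth"`. The second function shows why "unilateral" Digest authentication cannot work: with no challenge the client has to invent a nonce, and a nonce the server never issued is rejected.

```python
import hashlib
import hmac
import re
import secrets

# Assumptions (not from the thread): one realm, a static user table,
# algorithm=MD5 and qop="auth" only. Test data below is constructed.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_auth_params(header, scheme="Digest"):
    """Split 'Digest k="v", k2=v2, ...' into a dict; reject any other scheme."""
    got, _, params = header.strip().partition(" ")
    if got.lower() != scheme.lower():
        raise ValueError("expected %s, got %r" % (scheme, got))
    return {k: (quoted if quoted else bare) for k, quoted, bare in _PARAM_RE.findall(params)}


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 section 3.2.2 request-digest for algorithm=MD5 with a qop."""
    ha1 = _md5("%s:%s:%s" % (username, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    return _md5("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))


class DigestServer:
    """Toy server standing in for the remote end: issues nonces, verifies responses."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users      # {username: password}, constructed test data
        self.issued = set()     # nonces this server has actually handed out

    def handle(self, method, uri, authorization=None):
        """Return (status, headers); a 401 carries the challenge with a fresh nonce."""
        if authorization is not None and self._verify(method, uri, authorization):
            return 200, {}
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        challenge = 'Digest realm="%s", qop="auth", algorithm=MD5, nonce="%s"' % (self.realm, nonce)
        return 401, {"WWW-Authenticate": challenge}

    def _verify(self, method, uri, authorization):
        try:
            p = parse_auth_params(authorization)
        except ValueError:
            return False
        # A response built on a nonce this server never issued is rejected outright.
        if p.get("nonce") not in self.issued or p.get("realm") != self.realm:
            return False
        password = self.users.get(p.get("username"))
        if password is None or p.get("uri") != uri:
            return False
        try:
            expected = digest_response(p["username"], password, self.realm, method, uri,
                                       p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth"))
        except KeyError:
            return False
        return hmac.compare_digest(expected, p.get("response", ""))


def _authorization(username, realm, nonce, uri, nc, cnonce, response):
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, '
            'nc=%s, cnonce="%s", response="%s"'
            % (username, realm, nonce, uri, nc, cnonce, response))


def challenge_then_answer(server, method, uri, username, password):
    """Request, get denied, read realm and nonce from the challenge, then answer it."""
    status, headers = server.handle(method, uri)
    if status != 401:
        return status          # nothing asked us to authenticate
    ch = parse_auth_params(headers["WWW-Authenticate"])
    nc, cnonce = "00000001", secrets.token_hex(8)
    resp = digest_response(username, password, ch["realm"], method, uri, ch["nonce"], nc, cnonce)
    authz = _authorization(username, ch["realm"], ch["nonce"], uri, nc, cnonce, resp)
    status, _ = server.handle(method, uri, authz)
    return status


def unilateral_attempt(server, method, uri, username, password):
    """Digest credentials with no prior challenge: the client has to invent the nonce."""
    nonce, nc, cnonce = secrets.token_hex(16), "00000001", secrets.token_hex(8)
    resp = digest_response(username, password, server.realm, method, uri, nonce, nc, cnonce)
    authz = _authorization(username, server.realm, nonce, uri, nc, cnonce, resp)
    status, _ = server.handle(method, uri, authz)
    return status


if __name__ == "__main__":
    srv = DigestServer("bzr-example", {"alice": "s3cret"})   # constructed
    print("challenge first:", challenge_then_answer(srv, "GET", "/branch", "alice", "s3cret"))
    print("unilateral:", unilateral_attempt(srv, "GET", "/branch", "alice", "s3cret"))
```

Even though the unilateral client knows the realm and the right password, it never gets past 401, because the only nonces the server accepts are the ones it put in its own challenges; that is the property Rob is relying on when he says the denied response has to come first.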