[MERGE] Authentication Ring spec

Martin Pool mbp at sourcefrog.net
Mon Jul 30 17:42:32 BST 2007


On 7/27/07, Robert Collins <robertc at robertcollins.net> wrote:
> On Fri, 2007-07-27 at 15:58 -0500, Martin Pool wrote:
> > > [.netrc will be ignored]
> >
> > I think this is just because it would be complex to have two possible
> > mechanisms to do the same thing?  Users might configure one and be
> > confused that it doesn't take effect.
>
> .netrc is however an existing standard that users use with other tools.
> I think we really should support it.

OK, so maybe this spec should be updated to '.netrc is not considered
by this spec'.  I don't think we need to do it as part of this work,
and we can later allow it to be read either before or after.  (I would
suggest after, so that when we write we always do it to our own file.)
vila, could you put that in the file if it's acceptable to you?

> In a technical sense you can never authenticate unilaterally with http:
> plain text is not guaranteed to be accepted as an authentication scheme,
> is recommended against except when https is in use, and rfc2617 digest
> auth requires a challenge nonce to authenticate, which is supplied in
> access denied responses. What you can and should do when you want to
> authenticate but don't know how is try to perform your request, get
> denied, and then handle that. If you don't get denied but really want to
> do auth, try some unsupported authentication scheme to prompt
> negotiation.

The last of those is what I meant we should do when a username is
explicitly given.  Probably not a big deal.

-- 
Martin
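The request, 401, challenge, retry flow Robert describes above, shown end to end as an added example (this is not code from the bazaar project or from anyone in this thread): a client sends the request without credentials, the server answers 401 with a `WWW-Authenticate: Digest` challenge carrying a fresh nonce, and only then does the client compute the RFC 2617 response. The realm, the user table, the request paths and the in-memory server are all constructed for the example; the `response` computation itself follows RFC 2617 (qop=auth, MD5), which the `__main__` block and the RFC's own Mufasa worked example exercise.

```python
"""RFC 2617 Digest challenge/response, simulated end to end (constructed example)."""
import hashlib
import hmac
import re
import secrets

REALM = "example-realm"             # constructed realm name (assumption)
USERS = {"alice": "correct horse"}  # constructed server-side credential store
_issued_nonces = set()              # server state: challenges issued but not yet used


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


_KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_auth_params(header):
    """Split 'Digest k="v", k2=v2' into (scheme, {k: v}); values may be quoted or bare."""
    scheme, _, rest = header.partition(" ")
    params = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _KV.finditer(rest)}
    return scheme, params


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' for qop=auth: MD5(HA1 : nonce : nc : cnonce : qop : HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def _challenge():
    """Server side: mint a fresh nonce and the WWW-Authenticate header carrying it."""
    nonce = secrets.token_hex(16)
    _issued_nonces.add(nonce)
    return 401, {"WWW-Authenticate":
                 f'Digest realm="{REALM}", qop="auth", nonce="{nonce}", algorithm=MD5'}


def server_handle(method, uri, headers):
    """Server: answer 401 + challenge until a valid Digest Authorization arrives."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Digest "):
        return _challenge()                      # no credentials yet: start negotiation
    _, p = parse_auth_params(auth)
    try:
        expected = digest_response(p["username"], p["realm"], USERS[p["username"]],
                                   method, p["uri"], p["nonce"], p["nc"], p["cnonce"], p["qop"])
    except KeyError:                             # unknown user or malformed header
        return _challenge()
    if (p["nonce"] not in _issued_nonces         # nonce we never issued, or already spent
            or p["uri"] != uri                   # digest must cover the URI actually requested
            or not hmac.compare_digest(expected, p["response"])):
        return _challenge()
    _issued_nonces.discard(p["nonce"])           # single use: a captured header cannot be replayed
    return 200, {}


def client_request(method, uri, user, password):
    """Client: send the request, and only on 401 compute an answer to the challenge.

    Returns (final_status, authorization_header_sent_or_None).
    """
    status, resp = server_handle(method, uri, {})
    if status != 401:
        return status, None
    scheme, chal = parse_auth_params(resp["WWW-Authenticate"])
    if scheme != "Digest":
        raise ValueError(f"unsupported scheme: {scheme}")
    nonce, nc, cnonce = chal["nonce"], "00000001", secrets.token_hex(8)
    response = digest_response(user, chal["realm"], password, method, uri, nonce, nc, cnonce)
    authz = (f'Digest username="{user}", realm="{chal["realm"]}", nonce="{nonce}", '
             f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')
    status, _ = server_handle(method, uri, {"Authorization": authz})
    return status, authz


if __name__ == "__main__":
    status, authz = client_request("GET", "/repo/.bzr/branch-format", "alice", "correct horse")
    print(status)                                                                        # 200
    print(server_handle("GET", "/repo/.bzr/branch-format", {"Authorization": authz})[0])  # 401
```

Two details carry the security weight here: the server only accepts a nonce it issued itself and discards it once used, so a captured `Authorization` header cannot be replayed, and it recomputes the digest over the URI actually requested rather than trusting the `uri` field alone. MD5 is what RFC 2617 specifies; RFC 7616 later added SHA-256 variants, but the challenge/response shape is the same.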