Reported by Ari Luotonen/Netscape Communications Corporation
Minutes of the HyperText Transfer Protocol Working Group (HTTP)
Objectives of the Meeting
The objectives for the meeting were to:
o Finalize the HTTP/1.0 draft, as the final version of it will be
made available the following week.
o Go through the extensions and decide which ones will be included in
HTTP/1.1.
o Get a status report on HTTP-NG.
o Get a status report on the Digest Authentication Scheme.
o Introduce Mediated Digest Authentication.
HTTP-NG Status Report
The new features added to the second checkpoint draft were briefly
introduced:
o Included the specification for initialization of the session; at
initialization the level of synchronization is negotiated (among
other things), as well as variables defined to be used later in
that session.
o Canceling and suspending a request. Suspending was added to make
it possible to stop, e.g., image transfer if the user follows a
link to another page, so that the transfer can be resumed later if
the user returns to the original document (or if the next page
contains the same image).
o Two methods for retrieving documents:
- Simple GET for the same level of functionality as HTTP/1.0
provides.
- Full GET for receiving only a range of a document,
metainformation, or a variant of the resource (different
language, format, version).
o HTTP-TOS request for allowing existing applications to send
old-style requests, and to allow S-HTTP to work.
HTTP/1.0
Roy Fielding and Henrik Frystyk will produce the final draft by the end
of the following week. If that one does not have unresolved points, it
will be submitted to the IESG, and may finally become the final HTTP/1.0
Standard.
Mainly the suggested changes were quickly walked through: Accept: */*
default q factor 0.5; understanding the asctime() Date: format only
required by proxies; value of From: field is mailbox instead of
addr-spec; and Location: is a valid header to give the new location in
a redirect; use of the URI: header is not mandatory.
Making Language: header hierarchical raised quite a bit of discussion.
It was brought up that all the languages cannot be described
hierarchically -- there are dialects of certain languages that are not
understandably by people speaking another dialect of the same language
(Saame was an example).
HTTP/1.1
HTTP/1.1 will be published as an Internet-Draft before the Stockholm
IETF meeting in July 1995.
The following extensions to HTTP/1.1 were discussed:
o Decided to have clients treat unknown 3xx series response codes by
default as 302 redirect (moved temporarily). The Location: header
should then be there, and if not, URI: should be used.
This was the suggestion for having an automatable subset of HTML
for handling 300 Multiple Choices and 406 None Acceptable status
codes. Clients supporting this would capture this special format,
and perform the function of selecting the best copy automatically.
Clients not supporting this would display the HTML normally, which
would construct an itemized list with hyperlinks to those multiple
choices.
This suggestion got resistance -- HTTP and HTML should not be bound
together. Also, there are cases when HTML cannot be displayed,
such as when retrieving inlined images.
It was then suggested that these multiple choices be provided as
HTTP header fields. The argument there was that the headers are
flat, and there are problems providing lists of choices.
The conclusion was that the Location: header be the default place
to redirect temporarily.
o Orig-URI: for expressing the entire URL that initiated this
request, so that the hostname is also available to the server. It
was brought up that this will not be backwards compatible, and that
behavior is now different with browsers that do not support this.
This is the vanity hostname issue, which has been so far solved by
having servers respond to multiple IP addresses, which wastes
resources. However, service providers are so desperate that they
are in fact willing to accept a partial solution which will not
work with old browsers.
o Connection: and Keep-Alive: for support for multiple requests
over a single connection.
o Refresh: header for client-pull.
o Proxy-Authenticate: and Proxy-Authorization: for user
authentication for proxies, just like in HTTP/1.0.
o Changes to headers: allow HTTP Date to use +0000 to indicate GMT;
extend Pragma: header; make Expires: accept delta-seconds.
o Two new methods: OPTIONS for getting allowed methods, and MULTI
for allowing session-long negotiation of Accept-* headers,
authentication and privacy extensions.
o Digest authentication scheme (discussed later in the meeting).
Extensions for HTTP
Dave Kristol briefly described his view of the framework for the
extensions. The Internet-Draft for this proposal is
draft-kristol-http-extensions-00.txt. Basically, to use wrapping,
packetizing and recursion to handle messages, to have a small yet
relatively versatile system for security, payment information,
packetizing and compression.
Digest Authentication Scheme
Eric Sink gave a status report on the Digest Authentication Scheme. The
latest Internet-Draft is available as draft-ietf-http-digest-aa-01.txt.
The possibility for a man-in-the-middle attack that used to exist in the
previous version has been removed. Also, message integrity check is now
available as an option.
Mediated Digest Authentication
Dave Raggett has submitted an Internet-Draft,
draft-ietf-http-mda-00.txt, on Mediated Digest Authentication scheme
that uses a trusted third party to authenticate both the client and the
server. This scheme is a strict superset of the Digest Authentication
Scheme.
