Minutes of IETF Meetings




Reported by Ari Luotonen/Netscape Communications Corporation

Minutes of the HyperText Transfer Protocol Working Group (HTTP)


Objectives of the Meeting

The objectives for the meeting were to:

o Finalize the HTTP/1.0 draft, as the final version of it will be  made available the following week.

o Go through the extensions and decide which ones will be included in  HTTP/1.1.

o Get a status report on HTTP-NG.

o Get a status report on the Digest Authentication Scheme.

o Introduce Mediated Digest Authentication.



HTTP-NG Status Report

The new features added to the second checkpoint draft were briefly introduced:

o Included the specification for initialization of the session; at  initialization the level of synchronization is negotiated (among  other things), as well as variables defined to be used later in  that session.

o Canceling and suspending a request. Suspending was added to make  it possible to stop, e.g., image transfer if the user follows a  link to another page, so that the transfer can be resumed later if  the user returns to the original document (or if the next page  contains the same image).

o Two methods for retrieving documents:

- Simple GET for the same level of functionality as HTTP/1.0 provides.

- Full GET for receiving only a range of a document,  metainformation, or a variant of the resource (different  language, format, version).


o HTTP-TOS request for allowing existing applications to send  old-style requests, and to allow S-HTTP to work.



Roy Fielding and Henrik Frystyk will produce the final draft by the end of the following week. If that one does not have unresolved points, it will be submitted to the IESG, and may finally become the final HTTP/1.0 Standard.

Mainly the suggested changes were quickly walked through: Accept: */* default q factor 0.5; understanding the asctime() Date: format only required by proxies; value of From: field is mailbox instead of addr-spec; and Location: is a valid header to give the new location in a redirect; use of the URI: header is not mandatory.

Making Language: header hierarchical raised quite a bit of discussion. It was brought up that all the languages cannot be described hierarchically -- there are dialects of certain languages that are not understandably by people speaking another dialect of the same language (Saame was an example).



HTTP/1.1 will be published as an Internet-Draft before the Stockholm IETF meeting in July 1995.

The following extensions to HTTP/1.1 were discussed:

o Decided to have clients treat unknown 3xx series response codes by  default as 302 redirect (moved temporarily). The Location: header  should then be there, and if not, URI: should be used.

This was the suggestion for having an automatable subset of HTML  for handling 300 Multiple Choices and 406 None Acceptable status  codes. Clients supporting this would capture this special format,  and perform the function of selecting the best copy automatically.  Clients not supporting this would display the HTML normally, which  would construct an itemized list with hyperlinks to those multiple  choices.

This suggestion got resistance -- HTTP and HTML should not be bound  together. Also, there are cases when HTML cannot be displayed,  such as when retrieving inlined images.

It was then suggested that these multiple choices be provided as  HTTP header fields. The argument there was that the headers are  flat, and there are problems providing lists of choices. 

The conclusion was that the Location: header be the default place  to redirect temporarily.

o Orig-URI: for expressing the entire URL that initiated this  request, so that the hostname is also available to the server. It  was brought up that this will not be backwards compatible, and that  behavior is now different with browsers that do not support this.  This is the vanity hostname issue, which has been so far solved by  having servers respond to multiple IP addresses, which wastes  resources. However, service providers are so desperate that they  are in fact willing to accept a partial solution which will not  work with old browsers.

o Connection: and Keep-Alive: for support for multiple requests  over a single connection.

o Refresh: header for client-pull.

o Proxy-Authenticate: and Proxy-Authorization: for user  authentication for proxies, just like in HTTP/1.0.

o Changes to headers: allow HTTP Date to use +0000 to indicate GMT;  extend Pragma: header; make Expires: accept delta-seconds.

o Two new methods: OPTIONS for getting allowed methods, and MULTI  for allowing session-long negotiation of Accept-* headers,  authentication and privacy extensions.

o Digest authentication scheme (discussed later in the meeting).



Extensions for HTTP

Dave Kristol briefly described his view of the framework for the extensions. The Internet-Draft for this proposal is draft-kristol-http-extensions-00.txt. Basically, to use wrapping, packetizing and recursion to handle messages, to have a small yet relatively versatile system for security, payment information, packetizing and compression.


Digest Authentication Scheme

Eric Sink gave a status report on the Digest Authentication Scheme. The latest Internet-Draft is available as draft-ietf-http-digest-aa-01.txt.

The possibility for a man-in-the-middle attack that used to exist in the previous version has been removed. Also, message integrity check is now available as an option.


Mediated Digest Authentication

Dave Raggett has submitted an Internet-Draft, draft-ietf-http-mda-00.txt, on Mediated Digest Authentication scheme that uses a trusted third party to authenticate both the client and the server. This scheme is a strict superset of the Digest Authentication Scheme.


Formatted to HTML by 4ba2 Group6, Dec 96