CURRENT_MEETING_REPORT_

Reported by Ari Luotonen/Netscape Communications Corporation

Minutes of the HyperText Transfer Protocol Working Group (HTTP)


Objectives of the Meeting

The objectives for the meeting were to:


   o Finalize the HTTP/1.0 draft, as the final version of it will be
     made available the following week.

   o Go through the extensions and decide which ones will be included in
     HTTP/1.1.

   o Get a status report on HTTP-NG.

   o Get a status report on the Digest Authentication Scheme.

   o Introduce Mediated Digest Authentication.


HTTP-NG Status Report

The new features added to the second checkpoint draft were briefly
introduced:


   o Included the specification for initialization of the session; at
     initialization the level of synchronization is negotiated (among
     other things), as well as variables defined to be used later in
     that session.

   o Canceling and suspending a request.  Suspending was added to make
     it possible to stop, e.g., image transfer if the user follows a
     link to another page, so that the transfer can be resumed later if
     the user returns to the original document (or if the next page
     contains the same image).

   o Two methods for retrieving documents:

      -  Simple GET for the same level of functionality as HTTP/1.0
         provides.

      -  Full GET for receiving only a range of a document,
         metainformation, or a variant of the resource (different
         language, format, version).

   o HTTP-TOS request for allowing existing applications to send
     old-style requests, and to allow S-HTTP to work.


HTTP/1.0

Roy Fielding and Henrik Frystyk will produce the final draft by the end
of the following week.  If that one does not have unresolved points, it
will be submitted to the IESG, and may finally become the final HTTP/1.0
Standard.

Mainly the suggested changes were quickly walked through:  Accept:  */*
default q factor 0.5; understanding the asctime() Date:  format only
required by proxies; value of From:  field is mailbox instead of
addr-spec; and Location:  is a valid header to give the new location in
a redirect; use of the URI: header is not mandatory.

Making Language:  header hierarchical raised quite a bit of discussion.
It was brought up that all the languages cannot be described
hierarchically -- there are dialects of certain languages that are not
understandably by people speaking another dialect of the same language
(Saame was an example).


HTTP/1.1

HTTP/1.1 will be published as an Internet-Draft before the Stockholm
IETF meeting in July 1995.

The following extensions to HTTP/1.1 were discussed:


   o Decided to have clients treat unknown 3xx series response codes by
     default as 302 redirect (moved temporarily).  The Location:  header
     should then be there, and if not, URI: should be used.

     This was the suggestion for having an automatable subset of HTML
     for handling 300 Multiple Choices and 406 None Acceptable status
     codes.  Clients supporting this would capture this special format,
     and perform the function of selecting the best copy automatically.
     Clients not supporting this would display the HTML normally, which
     would construct an itemized list with hyperlinks to those multiple
     choices.

     This suggestion got resistance -- HTTP and HTML should not be bound
     together.  Also, there are cases when HTML cannot be displayed,
     such as when retrieving inlined images.

     It was then suggested that these multiple choices be provided as
     HTTP header fields.  The argument there was that the headers are
     flat, and there are problems providing lists of choices.

     The conclusion was that the Location:  header be the default place
     to redirect temporarily.

   o Orig-URI: for expressing the entire URL that initiated this
     request, so that the hostname is also available to the server.  It
     was brought up that this will not be backwards compatible, and that
     behavior is now different with browsers that do not support this.
     This is the vanity hostname issue, which has been so far solved by
     having servers respond to multiple IP addresses, which wastes
     resources.  However, service providers are so desperate that they
     are in fact willing to accept a partial solution which will not
     work with old browsers.

   o Connection:  and Keep-Alive:  for support for multiple requests
     over a single connection.

   o Refresh:  header for client-pull.

   o Proxy-Authenticate:  and Proxy-Authorization:  for user
     authentication for proxies, just like in HTTP/1.0.

   o Changes to headers:  allow HTTP Date to use +0000 to indicate GMT;
     extend Pragma:  header; make Expires:  accept delta-seconds.

   o Two new methods:  OPTIONS for getting allowed methods, and MULTI
     for allowing session-long negotiation of Accept-* headers,
     authentication and privacy extensions.

   o Digest authentication scheme (discussed later in the meeting).



Extensions for HTTP

Dave Kristol briefly described his view of the framework for the
extensions.  The Internet-Draft for this proposal is
draft-kristol-http-extensions-00.txt.  Basically, to use wrapping,
packetizing and recursion to handle messages, to have a small yet
relatively versatile system for security, payment information,
packetizing and compression.



Digest Authentication Scheme

Eric Sink gave a status report on the Digest Authentication Scheme.  The
latest Internet-Draft is available as draft-ietf-http-digest-aa-01.txt.

The possibility for a man-in-the-middle attack that used to exist in the
previous version has been removed.  Also, message integrity check is now
available as an option.



Mediated Digest Authentication

Dave Raggett has submitted an Internet-Draft,
draft-ietf-http-mda-00.txt, on Mediated Digest Authentication scheme
that uses a trusted third party to authenticate both the client and the
server.  This scheme is a strict superset of the Digest Authentication
Scheme.