CURRENT_MEETING_REPORT_ Reported by Ari Luotonen/Netscape Communications Corporation Minutes of the HyperText Transfer Protocol Working Group (HTTP) Objectives of the Meeting The objectives for the meeting were to: o Finalize the HTTP/1.0 draft, as the final version of it will be made available the following week. o Go through the extensions and decide which ones will be included in HTTP/1.1. o Get a status report on HTTP-NG. o Get a status report on the Digest Authentication Scheme. o Introduce Mediated Digest Authentication. HTTP-NG Status Report The new features added to the second checkpoint draft were briefly introduced: o Included the specification for initialization of the session; at initialization the level of synchronization is negotiated (among other things), as well as variables defined to be used later in that session. o Canceling and suspending a request. Suspending was added to make it possible to stop, e.g., image transfer if the user follows a link to another page, so that the transfer can be resumed later if the user returns to the original document (or if the next page contains the same image). o Two methods for retrieving documents: - Simple GET for the same level of functionality as HTTP/1.0 provides. - Full GET for receiving only a range of a document, metainformation, or a variant of the resource (different language, format, version). o HTTP-TOS request for allowing existing applications to send old-style requests, and to allow S-HTTP to work. HTTP/1.0 Roy Fielding and Henrik Frystyk will produce the final draft by the end of the following week. If that one does not have unresolved points, it will be submitted to the IESG, and may finally become the final HTTP/1.0 Standard. Mainly the suggested changes were quickly walked through: Accept: */* default q factor 0.5; understanding the asctime() Date: format only required by proxies; value of From: field is mailbox instead of addr-spec; and Location: is a valid header to give the new location in a redirect; use of the URI: header is not mandatory. Making Language: header hierarchical raised quite a bit of discussion. It was brought up that all the languages cannot be described hierarchically -- there are dialects of certain languages that are not understandably by people speaking another dialect of the same language (Saame was an example). HTTP/1.1 HTTP/1.1 will be published as an Internet-Draft before the Stockholm IETF meeting in July 1995. The following extensions to HTTP/1.1 were discussed: o Decided to have clients treat unknown 3xx series response codes by default as 302 redirect (moved temporarily). The Location: header should then be there, and if not, URI: should be used. This was the suggestion for having an automatable subset of HTML for handling 300 Multiple Choices and 406 None Acceptable status codes. Clients supporting this would capture this special format, and perform the function of selecting the best copy automatically. Clients not supporting this would display the HTML normally, which would construct an itemized list with hyperlinks to those multiple choices. This suggestion got resistance -- HTTP and HTML should not be bound together. Also, there are cases when HTML cannot be displayed, such as when retrieving inlined images. It was then suggested that these multiple choices be provided as HTTP header fields. The argument there was that the headers are flat, and there are problems providing lists of choices. The conclusion was that the Location: header be the default place to redirect temporarily. o Orig-URI: for expressing the entire URL that initiated this request, so that the hostname is also available to the server. It was brought up that this will not be backwards compatible, and that behavior is now different with browsers that do not support this. This is the vanity hostname issue, which has been so far solved by having servers respond to multiple IP addresses, which wastes resources. However, service providers are so desperate that they are in fact willing to accept a partial solution which will not work with old browsers. o Connection: and Keep-Alive: for support for multiple requests over a single connection. o Refresh: header for client-pull. o Proxy-Authenticate: and Proxy-Authorization: for user authentication for proxies, just like in HTTP/1.0. o Changes to headers: allow HTTP Date to use +0000 to indicate GMT; extend Pragma: header; make Expires: accept delta-seconds. o Two new methods: OPTIONS for getting allowed methods, and MULTI for allowing session-long negotiation of Accept-* headers, authentication and privacy extensions. o Digest authentication scheme (discussed later in the meeting). Extensions for HTTP Dave Kristol briefly described his view of the framework for the extensions. The Internet-Draft for this proposal is draft-kristol-http-extensions-00.txt. Basically, to use wrapping, packetizing and recursion to handle messages, to have a small yet relatively versatile system for security, payment information, packetizing and compression. Digest Authentication Scheme Eric Sink gave a status report on the Digest Authentication Scheme. The latest Internet-Draft is available as draft-ietf-http-digest-aa-01.txt. The possibility for a man-in-the-middle attack that used to exist in the previous version has been removed. Also, message integrity check is now available as an option. Mediated Digest Authentication Dave Raggett has submitted an Internet-Draft, draft-ietf-http-mda-00.txt, on Mediated Digest Authentication scheme that uses a trusted third party to authenticate both the client and the server. This scheme is a strict superset of the Digest Authentication Scheme.