W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1995

Re: HTTP status code for "Password Expired"?

From: David - Morris <dwm@shell.portal.com>
Date: Fri, 12 May 1995 10:23:13 -0700 (PDT)
To: http working group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Message-Id: <Pine.SUN.3.90.950512100825.7533F-100000@jobe.shell.portal.com>


On Wed, 10 May 1995, Roy T. Fielding wrote:

> should be some form of "Authorization Refused", but we seem to be lacking
> one of those.  Do we need one?

Password expired is certainly a specific case where we can anticipate
that UA might desire to interpret the error and enter into a local
dialog with the user to obtain a new value. Though a general 
"Authorization Refused: Expired" rather than specific "password expired"
would seen appropriate.  It may be that a certificate  from a trusted
source has expired and the UA might simply obtain a new certificate.

For discussion, let me sugggest a few reason codes which might result
in UA action:
    expired -- as above
    unknown user         : user is not known - some non UNIX systems 
                           differentiate between user and password error
    unknown authority    : certificate authority is unknown, etc.
    invalid              : combination ... typical UNIX login refusal 
    invalid password                  
    resources exhausted  : for example insufficient funds
    use count limit      : a certificate might allow 1 or limited uses
                           (like a movie theatre ticket or permission to 
                           copy)
In general, I would hope a UA would lead the user thru the resolution
or even provide the resolution.

Dave Morris
Received on Friday, 12 May 1995 10:25:48 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:21 EDT