
Re: RFC2616 vs RFC2617, was: Straw-man charter for http-bis

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Mon, 02 Jul 2007 15:57:24 +0200
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <1183384644.20842.16.camel@henriknordstrom.net>

On Mon, 2007-07-02 at 12:22 +0100, Alexey Melnikov wrote:

> I don't think that the framework itself is broken. But one thing that
> needs to be clarified is that authentication exchange using a new
> authentication mechanism X can use more than 1 roundtrip and use the
> same HTTP header for each authentication step. Many existing
> implementations are designed to expect data from the second round trip
> in another header (like in Digest).

My view on this:

WWW-Authenticate is fine for 401. For additional information after
successful (or failed) authentication and useful to verify the server
identity or provide information to be used on the next authenticated
request or other information about the outcome of the authentication
request Authentication-Info is more suited, and its presence should be
declared as part of the framework and not just a by-product of Digest.

The format of Authentication-Info response header should be scheme
specific, defined by the scheme used in the Authorization request
header.

Regards
Henrik

Received on Monday, 2 July 2007 13:57:38 GMT
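
The following is an added example, not part of the message above or of any project's code. It shows a client selecting the Authentication-Info format from the scheme of its own Authorization request header, with Digest (qop=auth, rspauth as defined in RFC 2617) as the one scheme implemented; all function names and the sample request values are constructed for illustration.

```python
import hashlib
import hmac
import re

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def parse_params(value: str) -> dict:
    """Parse comma-separated auth-params (name=token or name="quoted")."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', value)
    return {name.lower(): quoted or token for name, quoted, token in pairs}

def digest_rspauth(req: dict, ha1: str) -> str:
    """RFC 2617 response-auth for qop=auth: A2 is ":" + digest-uri."""
    ha2 = md5_hex(":" + req["uri"])
    return md5_hex(":".join(
        [ha1, req["nonce"], req["nc"], req["cnonce"], req["qop"], ha2]))

def verify_digest(req: dict, info: dict, ha1: str) -> bool:
    """Accept only if the server proved knowledge of HA1 for this request."""
    needed = ("uri", "nonce", "nc", "cnonce")
    if req.get("qop") != "auth" or any(k not in req for k in needed):
        return False
    if "rspauth" not in info:
        return False
    # cnonce and nc must echo the request this response belongs to.
    if info.get("cnonce") != req["cnonce"] or info.get("nc") != req["nc"]:
        return False
    expected = digest_rspauth(req, ha1)
    return hmac.compare_digest(info["rspauth"].encode(), expected.encode())

# Scheme name (from the Authorization request header) -> verifier.
VERIFIERS = {"digest": verify_digest}

def check_authentication_info(authorization: str, auth_info: str, ha1: str) -> bool:
    scheme, _, params = authorization.partition(" ")
    verifier = VERIFIERS.get(scheme.lower())
    if verifier is None:
        return False  # no format defined for this scheme: do not guess
    return verifier(parse_params(params), parse_params(auth_info), ha1)

# Constructed sample request (values are illustrative, not from the thread).
SAMPLE_HA1 = md5_hex("alice:example-realm:constructed-password")
SAMPLE_AUTHORIZATION = (
    'Digest username="alice", realm="example-realm", nonce="abc123", '
    'uri="/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="00000000000000000000000000000000"')
```

A response whose Authentication-Info fails this check, or that arrives for a scheme with no registered verifier, is treated as unverified rather than parsed with another scheme's rules.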
