
Re: RFC2616 vs RFC2617, was: Straw-man charter for http-bis

From: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Mon, 02 Jul 2007 15:05:59 +0100
Message-ID: <46890647.1020801@isode.com>
To: Henrik Nordstrom <henrik@henriknordstrom.net>
CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

Henrik Nordstrom wrote:

>On Mon, 2007-07-02 at 12:22 +0100, Alexey Melnikov wrote:
>  
>
>>I don't think that the framework itself is broken. But one thing that 
>>needs to be clarified is that authentication exchange using a new 
>>authentication mechanism X can use more than 1 roundtrip and use the 
>>same HTTP header for each authentication step. Many existing 
>>implementations are designed to expect data from the second round trip 
>>in another header (like in Digest).
>>    
>>
>My view on this:
>
>WWW-Authenticate is fine for 401. For additional information after
>successful (or failed) authentication and useful to verify the server
>identity or provide information to be used on the next authenticated
>request or other information about the outcome of the authentication
>request Authentication-Info is more suited, and its presence should be
>declared as part of the framework and not just a by-product of Digest.
>  
>
Indeed, this is one way to clarify the framework.

>The format of Authentication-Info response header should be scheme
>specific, defined by the scheme used in the Authorization request
>header.
>  
>
Received on Monday, 2 July 2007 14:07:54 GMT
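
The exchange discussed in this message, as an added example that is not part of the original thread or of any specification: a hypothetical scheme `X-Demo` takes two round trips, reuses `WWW-Authenticate` and `Authorization` for each step, and returns a server proof in `Authentication-Info` on success. The scheme name, the `cnonce`/`snonce`/`proof` fields, the HMAC construction and the shared secret are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

SCHEME = "X-Demo"               # hypothetical scheme name (assumption)
SECRET = b"constructed-secret"  # constructed shared credential

def mac(*parts):
    return hmac.new(SECRET, "|".join(parts).encode(), hashlib.sha256).hexdigest()

class Server:
    def __init__(self):
        self.pending = {}  # cnonce -> snonce, kept between round trips

    def handle(self, headers):
        scheme, _, data = headers.get("Authorization", "").partition(" ")
        if scheme != SCHEME or not data:
            return 401, {"WWW-Authenticate": SCHEME}  # initial bare challenge
        f = dict(p.partition("=")[::2] for p in data.split(","))
        cnonce = f.get("cnonce", "")
        if "proof" not in f:  # step 1: answer in the same 401 header
            self.pending[cnonce] = snonce = secrets.token_hex(8)
            return 401, {"WWW-Authenticate": f"{SCHEME} snonce={snonce}"}
        snonce = self.pending.pop(cnonce, None)  # step 2: state is single-use
        want = mac("client", cnonce, snonce or "")
        if snonce is None or not hmac.compare_digest(f["proof"], want):
            return 401, {"WWW-Authenticate": SCHEME}
        # Outcome data goes in Authentication-Info, in a scheme-defined format
        return 200, {"Authentication-Info": "proof=" + mac("server", cnonce, snonce)}

def client_login(server):
    """Return (final status, requests sent, server proof verified)."""
    headers, cnonce, snonce, status = {}, secrets.token_hex(8), None, 0
    for sent in range(1, 5):  # bounded: never loop forever on repeated 401s
        status, resp = server.handle(headers)
        if status == 200:
            want = "proof=" + mac("server", cnonce, snonce or "")
            ok = snonce is not None and hmac.compare_digest(
                resp.get("Authentication-Info", ""), want)
            return status, sent, ok
        scheme, _, data = resp.get("WWW-Authenticate", "").partition(" ")
        if scheme != SCHEME:
            break
        auth = f"{SCHEME} cnonce={cnonce}"
        if data.startswith("snonce="):  # second round trip, same request header
            snonce = data[len("snonce="):]
            auth += ",proof=" + mac("client", cnonce, snonce)
        headers = {"Authorization": auth}
    return status, sent, False
```

A client that only expects one 401 per login, or that looks for second-step data in a different header, would stop after the first challenge here; the server also discards its per-exchange state on use, so a captured final `Authorization` value cannot be replayed.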
