
Re: RFC2616 vs RFC2617, was: Straw-man charter for http-bis

From: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Mon, 02 Jul 2007 15:05:59 +0100
Message-ID: <46890647.1020801@isode.com>
To: Henrik Nordstrom <henrik@henriknordstrom.net>
CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

Henrik Nordstrom wrote:

>On Mon, 2007-07-02 at 12:22 +0100, Alexey Melnikov wrote:
>>I don't think that the framework itself is broken. But one thing that 
>>needs to be clarified is that authentication exchange using a new 
>>authentication mechanism X can use more than 1 roundtrip and use the 
>>same HTTP header for each authentication step. Many existing 
>>implementations are designed to expect data from the second round trip 
>>in another header (like in Digest).
>My view on this:
>WWW-Authenticate is fine for 401. For additional information after
>successful (or failed) authentication and useful to verify the server
>identity or provide information to be used on the next authenticated
>request or other information about the outcome of the authentication
>request Authentication-Info is more suited, and its presence should be
>declared as part of the framework and not just a by-product of Digest.

Indeed, this is one way to clarify the framework.

>The format of Authentication-Info response header should be scheme
>specific, defined by the scheme used in the Authorization request
Received on Monday, 2 July 2007 14:07:54 UTC
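
The exchange discussed in this thread, as an added example that is not part of either poster's message or of any RFC: a client that reads every step's server data from `WWW-Authenticate` on repeated 401 responses and then checks the server's proof in `Authentication-Info` on success. The scheme name `X-Multi`, its parameters `c`, `s`, `proof` and `v`, and the shared key are hypothetical and constructed for illustration.

```python
import hashlib, hmac, secrets

KEY = b"constructed-shared-secret"   # constructed sample credential
SCHEME = "X-Multi"                   # hypothetical scheme name
pending = {}                         # server side: client nonce -> server nonce

def mac(label, c, s):
    return hmac.new(KEY, f"{label}:{c}:{s}".encode(), hashlib.sha256).hexdigest()

def parse(value):
    """Split 'X-Multi a=1, b=2' into (scheme, {'a': '1', 'b': '2'})."""
    scheme, _, rest = value.partition(" ")
    return scheme, dict(p.strip().split("=", 1) for p in rest.split(",") if "=" in p)

def server(headers):
    """Handle one request; return (status, response headers)."""
    scheme, p = parse(headers.get("Authorization", ""))
    if scheme != SCHEME or "c" not in p:
        return 401, {"WWW-Authenticate": SCHEME}            # round 1: offer the scheme
    if "proof" not in p:
        pending[p["c"]] = secrets.token_hex(8)              # round 2: same header again
        return 401, {"WWW-Authenticate": f"{SCHEME} s={pending[p['c']]}"}
    s = pending.pop(p["c"], None)                           # server nonce is single use
    if s is None or not hmac.compare_digest(p["proof"], mac("client", p["c"], s)):
        return 401, {"WWW-Authenticate": SCHEME}            # failed: start over
    # Success: scheme-specific data that lets the client verify the server.
    return 200, {"Authentication-Info": f"v={mac('server', p['c'], s)}"}

def client(max_rounds=5):
    """Drive the exchange; return (status history, server_verified)."""
    c, s, headers, history = secrets.token_hex(8), "", {}, []
    for _ in range(max_rounds):
        status, resp = server(headers)
        history.append(status)
        if status == 200:
            _, info = parse("info " + resp["Authentication-Info"])
            return history, hmac.compare_digest(info.get("v", ""), mac("server", c, s))
        _, p = parse(resp["WWW-Authenticate"])              # every step uses this header
        if "s" in p:
            s = p["s"]
            auth = f"{SCHEME} c={c}, s={s}, proof={mac('client', c, s)}"
        else:
            auth = f"{SCHEME} c={c}"
        headers = {"Authorization": auth}
    return history, False

if __name__ == "__main__":
    print(client())
```
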
