Henrik Nordstrom wrote:

> On Mon, 2007-07-02 at 12:22 +0100, Alexey Melnikov wrote:
>
>> I don't think that the framework itself is broken. But one thing that
>> needs to be clarified is that authentication exchange using a new
>> authentication mechanism X can use more than 1 roundtrip and use the
>> same HTTP header for each authentication step. Many existing
>> implementations are designed to expect data from the second round trip
>> in another header (like in Digest).
>
> My view on this:
>
> WWW-Authenticate is fine for 401. For additional information after
> successful (or failed) authentication and useful to verify the server
> identity or provide information to be used on the next authenticated
> request or other information about the outcome of the authentication
> request Authentication-Info is more suited, and its presence should be
> declared as part of the framework and not just a by-product of Digest.

Indeed, this is one way to clarify the framework.

> The format of Authentication-Info response header should be scheme
> specific, defined by the scheme used in the Authorization request
> header.

Received on Monday, 2 July 2007 14:07:54 GMT