On Sep 22, 2009, at 10:24 AM, Eran Hammer-Lahav wrote:

>> -----Original Message-----
>> From: Roy T. Fielding [mailto:fielding@gbiv.com]
>> Sent: Tuesday, September 22, 2009 10:09 AM
>
>> Just follow the HTTP spec.
>
> That's what I am trying to figure out...
>
> Does the HTTP spec mandate that new authentication protocols use
> the WWW-Authenticate and Authorization headers?

HTTP is not aware of any other kinds of authentication.
There is no reason to specify anything else.

> Are the headers required for existing caches and servers to operate
> properly?

Yes (and for user agents as well). Don't forget about Proxy-Auth*.

> If they are not included in authenticated requests, are there other
> requirements to make sure it doesn't break existing deployment?

Cache-control: private is probably needed if the Auth headers
are not being used but the response depends on something like
cookies for authentication.

....Roy

Received on Tuesday, 22 September 2009 17:48:37 GMT
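The caching point in the last answer above, as an added example that is not part of the original message: a simplified model of a shared cache's store decision, showing why a cookie-authenticated response needs `Cache-Control: private` while an `Authorization` request is protected by default. The function names, lowercase header keys and sample users are assumptions made for the illustration; `Vary` and freshness are not modelled.

```python
# Added illustration: simplified model of a shared (proxy) cache.
# Only the "may I store this?" decision is modelled, not freshness or Vary.

def directives(headers):
    """Parse Cache-Control into a set of lowercase directive names."""
    raw = headers.get("cache-control", "")
    return {d.split("=")[0].strip().lower() for d in raw.split(",") if d.strip()}

def shared_cache_may_store(request_headers, response_headers):
    """Return True if a shared cache may store and reuse this response."""
    cc = directives(response_headers)
    if "private" in cc or "no-store" in cc:
        return False
    if "authorization" in request_headers:
        # HTTP can see that the request was authenticated: reuse is allowed
        # only when the origin explicitly opts in.
        return bool(cc & {"public", "s-maxage", "must-revalidate"})
    # No Authorization header: the cache cannot tell that a Cookie carried
    # credentials, so the response looks shareable.
    return True

class SharedCache:
    """Constructed cache keyed by URL only."""
    def __init__(self, origin):
        self.origin = origin   # callable(request_headers) -> (headers, body)
        self.store = {}

    def get(self, url, request_headers):
        if url in self.store:
            return self.store[url]   # served without contacting the origin
        headers, body = self.origin(request_headers)
        if shared_cache_may_store(request_headers, headers):
            self.store[url] = body
        return body

def make_origin(response_headers):
    """Constructed origin: identifies the user from Cookie or Authorization."""
    def origin(request_headers):
        user = request_headers.get("cookie") or request_headers.get("authorization")
        return response_headers, f"inbox of {user}"
    return origin

def second_user_sees(response_headers, credential_header):
    """Alice, then Bob, fetch the same URL through one shared cache."""
    cache = SharedCache(make_origin(response_headers))
    cache.get("/inbox", {credential_header: "alice"})
    return cache.get("/inbox", {credential_header: "bob"})
```
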