W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2011

Re: #78: Relationship between 401, Authorization and WWW-Authenticate

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Tue, 26 Jul 2011 02:38:37 +0200
To: Julian Reschke <julian.reschke@gmx.de>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <r92s27l82b2b7mt8ta9te03vrg0rjslpa5@hive.bjoern.hoehrmann.de>
* Julian Reschke wrote:
>Maybe...:
>
>Use of the Authorization header to transfer credentials implies 
>"Cache-Control: private" [ref] and thus affects cacheability of 
>responses. Thus, definitions of new authentication schemes that do not 
>use "Authorization" will need to ensure that response messages do not 
>leak in an unintended way, for instance by specifying "Cache-Control" or 
>"Vary: *" [ref] explicitly.

This should refer to disclosure or something like that rather than leak-
age (you wouldn't design a protocol that intentionally leaks something),
and `Vary: *` strikes me as odd in this context (why, then, doesn't the
use of Authorization imply just `Vary: Authorization`, for instance).

I would rather say something along the lines that use of "Authorization"
implies that the message is confidential with respect to the credentials
provided in that header, meaning messages should be treated as if they
had `Cache-Control: private`, and that new schemes must take explicit
measures to ensure the confidentiality of messages, like using that same
header, because deployed servers are otherwise unaware of the semantics.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Tuesday, 26 July 2011 00:39:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:46 GMT