W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2011

Re: #78: Relationship between 401, Authorization and WWW-Authenticate

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 26 Jul 2011 20:29:11 +0200
Message-ID: <4E2F0777.1040602@gmx.de>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
On 2011-07-26 02:38, Bjoern Hoehrmann wrote:
> ...
> This should refer to disclosure or something like that rather than leak-
> age (you wouldn't design a protocol that intentionally leaks something),
> and `Vary: *` strikes me as odd in this context (why, then, doesn't the
> use of Authorization imply just `Vary: Authorization`, for instance).
>
> I would rather say something along the lines that use of "Authorization"
> implies that the message is confidential with respect to the credentials
> provided in that header, meaning messages should be treated as if they
> had `Cache-Control: private`, and that new schemes must take explicit
> measures to ensure the confidentiality of messages, like using that same
> header, because deployed servers are otherwise unaware of the semantics.
 > ...

Björn, thanks. To the point as always...

So:

"Use of the Authorization header to transfer credentials implies that 
the message is confidential with respect to the credentials provided in 
that header field, meaning response messages ought to be treated as if 
they had "Cache-Control: private", and that new authentication schemes 
will have to take explicit measure to ensure the confidentiality of 
messages, such as by using that very header, because deployed recipients 
are otherwise unaware of the semantics."

?
Received on Tuesday, 26 July 2011 18:29:42 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:46 GMT