
Re: #78: Relationship between 401, Authorization and WWW-Authenticate

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Wed, 27 Jul 2011 04:53:36 +0900
Message-ID: <CAL8DUN9h1o_G19gD1=p_wCRbROaEaiy2xfSW4a7=7BTeiYA5DQ@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Thanks,

2011/7/27 Mark Nottingham <mnot@mnot.net>:
> On 26/07/2011, at 9:15 AM, Yutaka OIWA wrote:
>
>>> 1) Clarify that WWW-Authenticate can appear on any response, and that when it appears on any other than a 401, it means that the client can optionally present the request again with a credential.
>>
>> Just for confirmation:
>> I remember we had some discussion about this years ago.
>> This change will break SPNEGO (see RFC 4559, Sec. 5)
>> and other authentication schemes which use
>> WWW-Authenticate on 200 as a carrier for authentication
>> exchanges, instead of Authentication-Info.
>> Is this incompatible change OK?
>> (I prefer this direction, though.)
>
> Well, RFC4559 is already broken, because it makes assumptions about the relationship between messages in a connection.
>
> Regardless, I think we can word it in such a way that Negotiate isn't any more broken; people already know that they need to handle it differently.

I see, then I agree on your proposal.

Does anyone have a list of HTTP authentication schemes
(either RFC-defined or de-facto deployed) so that we can check
the whole list of to-be-differently-handled schemes?
If there is such a list, I (we) can work on making such a checklist.
(unless it has 50 or 100 entries :-))
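To make the distinction in the proposal concrete, here is an added example (not code from the thread or from any HTTP implementation) of a client-side classifier: it parses a WWW-Authenticate value and decides whether a 401 demands credentials, whether a non-401 merely invites them, or whether a Negotiate token on a 200 is the RFC 4559 final leg that needs to be handled differently. The parser, the return labels and the regular expressions are this example's own assumptions.

```python
import re

# Added example: WWW-Authenticate parser and client action decision.
# Regexes are this example's own; they cover token68 challenges
# (Negotiate, NTLM) and auth-param lists (Basic, Digest).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
SCHEME_RE = re.compile(rf"\s*,?\s*({TOKEN})")
PARAM_RE = re.compile(rf'\s*({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))\s*')
TOKEN68_RE = re.compile(r"\s*([A-Za-z0-9\-._~+/]+=*)\s*")


def parse_challenges(value):
    """Split a WWW-Authenticate value into (scheme, token68, params) tuples."""
    challenges, pos = [], 0
    while pos < len(value):
        m = SCHEME_RE.match(value, pos)
        if not m:
            break  # not a scheme token: stop rather than guess
        scheme, pos, params, token68 = m.group(1), m.end(), {}, None
        pm = PARAM_RE.match(value, pos)
        while pm:
            name, quoted, bare = pm.groups()
            params[name.lower()] = quoted if quoted is not None else bare
            pos = pm.end()
            # A comma may introduce the next auth-param or the next challenge.
            nm = PARAM_RE.match(value, pos + 1) if value.startswith(",", pos) else None
            if nm:
                pos += 1
            pm = nm
        if not params:
            tm = TOKEN68_RE.match(value, pos)
            if tm:
                token68, pos = tm.group(1), tm.end()
        challenges.append((scheme, token68, params))
    return challenges


def next_action(status, www_authenticate):
    """Decide what a client does with WWW-Authenticate on a given status."""
    if not www_authenticate:
        return "no-auth-info"
    challenges = parse_challenges(www_authenticate)
    if status == 401:
        return "authenticate-required"   # retry with credentials or give up
    # The case the thread flags: RFC 4559 sec. 5 lets a 200 carry the final
    # Negotiate leg, which the client verifies instead of treating as optional.
    if any(s.lower() == "negotiate" and t for s, t, _ in challenges):
        return "verify-server-token"
    return "credentials-optional"       # proposal: may re-present with credentials
```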
Received on Tuesday, 26 July 2011 19:54:04 GMT
