
Re: Review of draft-ietf-httpbis-p7-auth-19.txt

From: Adrien W. de Croy <adrien@qbik.com>
Date: Tue, 08 May 2012 21:59:11 +0000
To: "Alexey Melnikov" <alexey.melnikov@isode.com>, "HTTP Working Group" <ietf-http-wg@w3.org>
Message-Id: <emc5308c76-bd12-43e2-9a94-04e0614a24cf@boist>

------ Original Message ------
From: "Alexey Melnikov" <alexey.melnikov@isode.com>
To: "HTTP Working Group" <ietf-http-wg@w3.org>
Sent: 9/05/2012 7:59:04 a.m.
Subject: Review of draft-ietf-httpbis-p7-auth-19.txt
>   If the origin server does not wish to accept the credentials sent 
>   with a request, it SHOULD return a 401 (Unauthorized) response. The 
>   response MUST include a WWW-Authenticate header field containing at 
>   least one (possibly new) challenge applicable to the requested 
>   resource. 
>
>   If a proxy does not accept the credentials sent with a request, it
>   SHOULD return a 407 (Proxy Authentication Required). The response
>   MUST include a Proxy-Authenticate header field containing a (possibly
>   new) challenge applicable to the proxy for the requested resource.
>
> I think this is a bit misleading. Can an authentication exchange include
> more than one round trip? I think you need to be explicit one way or
> another. (If it can, then "does not accept" is not necessarily
> correct.)
>
NTLM has several.

Also, I don't think HTTP should be specifying what should be policy
decisions for a system operator.

A server should be free to decide that it doesn't wish to offer the
client another attempt to supply credentials (e.g. send a 403 back).
So the above paragraphs should be put in the context of only where the
server does wish to offer this option.

Adrien
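As an added illustration of the 401/407-with-challenge versus 403-without-challenge choice discussed in this thread (example code written for this archive page, not from the draft or from either poster), here is a small Python decision function. The credential store, the per-client failed-attempt counter and the max-attempts policy are assumptions; Basic is used only because it is the simplest scheme to show, and the multi-round-trip case (NTLM) is modelled only as "rejected credentials with retries still allowed".

```python
import base64
import hmac
from dataclasses import dataclass, field

# Constructed sample credential store (assumption, not from the thread).
USERS = {"alice": "correct horse"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def basic_header(user: str, password: str) -> str:
    """Build a Basic credential header value (helper for clients/tests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(authorization: str) -> bool:
    """True only if the value is a well-formed Basic credential for a known user."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = USERS.get(user)
    # Constant-time compare so a rejected attempt does not leak a match prefix.
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def challenge(headers: dict, *, failed_attempts: int, max_attempts: int = 3,
              proxy: bool = False) -> Response:
    """Pick the response for one request.

    failed_attempts is the operator-visible count of rejected attempts for this
    client (assumed to be tracked elsewhere). Once it reaches max_attempts the
    server exercises the policy decision argued for above: 403, no new challenge.
    """
    cred_header = "Proxy-Authorization" if proxy else "Authorization"
    status, auth_header = (407, "Proxy-Authenticate") if proxy else (401, "WWW-Authenticate")
    supplied = headers.get(cred_header)
    if supplied and check_basic(supplied):
        return Response(200)
    if supplied and failed_attempts >= max_attempts:
        return Response(403)  # refuse further attempts: deliberately no challenge
    # No credentials, or rejected credentials with retries still allowed:
    # the 401/407 MUST carry at least one applicable (possibly new) challenge.
    return Response(status, {auth_header: 'Basic realm="example"'})
```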
Received on Tuesday, 8 May 2012 21:59:40 GMT
