Re: Comments on draft-oiwa-httpbis-auth-extension-00

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Thu, 14 Jun 2012 10:51:21 +0900
Message-ID: <CAMeZVwvGb0mr34vrYksWEf0pWqv7GiPfvKAnqdE+Gro+mbwNVg@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>

Dear Alexey,

Thank you very much.
Your comments are really valuable for me to improve the draft.

I'd like to answer immediately for the comment on optional
authentication design:

2012/6/11 Alexey Melnikov <alexey.melnikov@isode.com>:

> Optional authentication: is a new header field really needed or can this be already done using a 200 response containing a WWW-Authenticate header field? Was use of 200 with WWW-Authenticate tried and it didn't work with existing browsers?

As far as I know,

 * Until recently, validity for the use of WWW-Authenticate header in
   was unclear.  It was clarified in the discussion of httpbis and it
   is now OK.
   (I designed the protocol before that.)

 * My design principle is that clients not supporting optional authentication
    should ignore the request, so that Web site programmers can implement
    their own fallback mechanisms.

 * Someone in httpbis ML has checked for behavior of various browsers,
   and it will work (ignored) for all except one browser (forcibly
   I remember.

 * I want some consensus whether we can ignore this one case for the future,
   or we have to be conservative on that.

 * I like both approaches, so if people think the alternative is better,
   I'd like to migrate it.

 * We need some additional rules for making optional authentication
   with 200-status work (such as how the server will tell client about
   success/failure status of the authentication).
   I will research it and update the draft once the direction is decided.

Yutaka OIWA, Ph.D.              Leader, Software Reliability Research Group
                             Research Institute for Secure Systems (RISEC)
   National Institute of Advanced Industrial Science and Technology (AIST)
                     Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
Received on Thursday, 14 June 2012 01:52:06 UTC