W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2012

Re: Comments on draft-oiwa-httpbis-auth-extension-00

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Thu, 14 Jun 2012 10:51:21 +0900
Message-ID: <CAMeZVwvGb0mr34vrYksWEf0pWqv7GiPfvKAnqdE+Gro+mbwNVg@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Dear Alexey,

Thank you very much.
Your comments are really valuable for me to improve the draft.

I'd like to answer immediately for the comment on optional
authentication design:

2012/6/11 Alexey Melnikov <alexey.melnikov@isode.com>:

> Optional authentication: is a new header field really needed or can this be already done using a 200 response containing a WWW-Authenticate header field? Was use of 200 with WWW-Authenticate tried and it didn't work with existing browsers?

As far as I know,

 * Until recently, validity for the use of WWW-Authenticate header in
200-response
    was unclear.  It was clarified in the discussion of httpbis and it
is now OK.
    (I designed the protocol before that.)

 * My design principle is that, clients not supporting optional authentication
    should ignore the request, so that Web site programmers can implement
    their own fallback mechanisms.

 * Someone in httpbis ML has checked for behavior of various browsers,
   and it will work (ignored) for all except one browser (forcibly
authenticate),
   I remember.

 * I want some consensus whether we can ignore this one case for the future,
   or we have to be conservative on that.

 * I like both approaches, so if people think the alternative is better,
   I'd like to migrate it.

 * We need some additional rules for making optional authentication
   with 200-status work (such as how the server will tell client about
   success/failure status of the authentication).
   I will research it and update the draft once the direction is decided.

-- 
Yutaka OIWA, Ph.D.              Leader, Software Reliability Research Group
                             Research Institute for Secure Systems (RISEC)
   National Institute of Advanced Industrial Science and Technology (AIST)
                     Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
Received on Thursday, 14 June 2012 01:52:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 14 June 2012 01:52:12 GMT