
Re: WGLC #357: Authentication Exchanges

From: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Fri, 29 Jun 2012 16:52:58 +0100
Message-ID: <4FEDCF5A.80605@isode.com>
To: Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>

Hi Mark,

On 20/06/2012 03:04, Mark Nottingham wrote:
> Looking at this, I think this language in the spec isn't very good for other reasons as well:
>
>> If the origin server does not wish to accept the credentials sent with a request, it should return a 401 (Unauthorized) response. The response must include a WWW-Authenticate header field containing at least one (possibly new) challenge applicable to the requested resource.
>>
>> If a proxy does not accept the credentials sent with a request, it should return a 407 (Proxy Authentication Required) response. The response must include a Proxy-Authenticate header field containing a (possibly new) challenge applicable to the proxy for the requested resource.
> Because "accept" can be read in so many ways. I think we can fix both problems with something like:
>
> """
> Requests for protected resources that omit credentials, contain invalid credentials (e.g., a bad password), or partial credentials (e.g., when the scheme requires more than one round trip) SHOULD return a 401 (Unauthorized) response. Such responses MUST include a WWW-Authenticate header field containing at least one (possibly new) challenge applicable to the requested resource.
>
> Likewise, requests that require authentication by proxies that omit credentials, or contain invalid or partial credentials SHOULD return a 407 (Proxy Authentication Required) response. The response MUST include a Proxy-Authenticate header field containing a (possibly new) challenge applicable to the proxy.
> """
>
> Thoughts?

This reads better, yes.

Received on Friday, 29 June 2012 15:53:31 GMT
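The proposed wording distinguishes three ways a request can fail authentication (credentials omitted, invalid, or partial) and says all three get the same answer: a 401 from an origin server or a 407 from a proxy, carrying a fresh challenge. The following is an added example, not code from this thread or from the HTTP specification, showing that decision for the Basic scheme. The user table, realm name, and the function names `check_basic`, `handle` and `basic_credential` are all assumptions made for the illustration; for Basic, "partial" is taken to mean a credential value the server cannot decode into a user and password, which is narrower than the draft's multi-round-trip wording.

```python
import base64
import binascii
import hmac
from dataclasses import dataclass, field

# Constructed sample password table (illustration only; a real server stores salted
# password hashes, not plaintext).
USERS = {"alice": "correct horse battery staple"}
REALM = "example"          # assumed realm name
_DUMMY_SECRET = "x" * 32   # compared against when the user is unknown, to equalise timing


@dataclass
class Response:
    status: int
    reason: str
    headers: dict = field(default_factory=dict)
    outcome: str = ""      # "omitted", "partial", "invalid" or "ok"


def basic_credential(user, password):
    """Client side: build an Authorization / Proxy-Authorization value for Basic."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_basic(auth_value, users):
    """Classify one Basic credential value into the draft's three failure cases.

    Returns ("omitted", None), ("partial", None), ("invalid", None) or ("ok", user).
    'partial' here covers a value the server cannot decode into user:password.
    """
    if auth_value is None:
        return "omitted", None
    scheme, _, token = auth_value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return "partial", None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return "partial", None
    user, sep, password = decoded.partition(":")
    if not sep:
        return "partial", None
    expected = users.get(user)
    # Always run the constant-time comparison so unknown users cost the same as bad passwords.
    matched = hmac.compare_digest(
        password.encode("utf-8"),
        (expected if expected is not None else _DUMMY_SECRET).encode("utf-8"),
    )
    if expected is None or not matched:
        return "invalid", None
    return "ok", user


def handle(headers, users=USERS, proxy=False):
    """Origin-server (401) or proxy (407) decision as the proposed text describes."""
    if proxy:
        cred_hdr, challenge_hdr = "proxy-authorization", "Proxy-Authenticate"
        status, reason = 407, "Proxy Authentication Required"
    else:
        cred_hdr, challenge_hdr = "authorization", "WWW-Authenticate"
        status, reason = 401, "Unauthorized"
    # Header field names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    outcome, user = check_basic(lowered.get(cred_hdr), users)
    if outcome != "ok":
        # Every failure case gets the same response: the status plus a (new) challenge.
        return Response(status, reason, {challenge_hdr: f'Basic realm="{REALM}"'}, outcome)
    return Response(200, "OK", {}, "ok")


if __name__ == "__main__":
    for hdrs, proxy in [({}, False),
                        ({"Authorization": basic_credential("alice", "wrong")}, False),
                        ({"Authorization": "Basic YWxpY2U="}, False),
                        ({}, True)]:
        r = handle(hdrs, proxy=proxy)
        print(r.status, r.reason, r.outcome, r.headers)
```

The point worth noticing is that the server's reply is identical for all three failure classes; only the internal `outcome` differs, and it is kept out of the response so the challenge does not tell a client whether a username exists. The unknown-user branch still performs the comparison against a dummy secret for the same reason.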