Re: Working Group Last Call: draft-ietf-httpbis-auth-info from Julian Reschke on 2015-02-11 (ietf-http-wg@w3.org from January to March 2015)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 11 Feb 2015 09:54:52 +0100
To: Bjoern Hoehrmann <derhoermi@gmx.net>, Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <54DB18DC.3000406@gmx.de>

On 2015-02-11 01:36, Bjoern Hoehrmann wrote:
> * Mark Nottingham wrote:
>> Julian believes (with his editor hat on) that this is ready. As
>> discussed, this is a simple document to pull the Authentication-Info and
>> Proxy-Authentication-Info header fields out of 2617, so that they’re not
>> associated with a particular authentication scheme (thereby avoiding
>> lots of scheme-specific headers).
>>
>> Therefore, this is the announcement of WGLC for:
>> https://tools.ietf.org/html/draft-ietf-httpbis-auth-info-02
>>
>> Please review the document carefully, and comment on this list.
>
> This revision does not address my previous comments. It basically just

I see one email that I did not reply to in 
<https://lists.w3.org/Archives/Public/ietf-http-wg/2015JanMar/0355.html>, where 
you say:

"A possible starting point would be to explain whether, how, and why it
is better to use an authentication scheme independent header to specify
authentication scheme specific parameters. If it's pretty much always
better to use `Authentication-Info` then there probably should be some
SHOULD-level requirement to use it somewhere."

I think it's evident why it's better: you don't need to define a new 
header field. Is this worth calling out?

Also, just because it's better doesn't necessarily imply that there is a 
requirement to use it in new schemes. At least, there was no such 
requirement before.

> contains the idea that the `Authentication-Info` header could possibly
> be used for other purposes than what it has already been defined for.

It has been defined for DIGEST previously. The only change is a 
clarification that other schemes can use it as well, and we have two 
authors of new schemes who intend to use it.

> Without further information it is an entirely redundant level of indi-
> rection for hypothetical future specifications and should not be pub-
> lished.

Well, I disagree. We have three specifications that want to use this 
header field, one of which is in WGLC over in HTTPAuth.

Best regards, Julian

Received on Wednesday, 11 February 2015 08:55:25 UTC