Re: Working Group Last Call: draft-ietf-httpbis-auth-info

I think it's OK and it should be.

We already have WWW-Authenticate: for
things before completion of authentication.



2015-02-23 3:24 GMT+09:00 Julian Reschke <julian.reschke@gmx.de>:
> On 2015-02-18 13:37, Hervé Ruellan wrote:
>>
>> I think the purpose of the headers should be made more consistent across
>> the document.
>
>
> Yes.
>
>> In the Introduction, they are used to "return additional information
>> during or after authentication", while in 3, the Authentication-Info
>> header is used to "communicate additional information regarding the
>> successful authentication".
>>
>> DIGEST uses it in an optional manner, to convey additional information
>> after a successful authentication.
>> SCRAM is using it in a mandatory manner, to finalize the authentication,
>> by conveying information for authenticating the server.
>>
>> I think that Authentication-Info should be used by the server once the
>> client is authenticated (i.e. the status code is not 401), to either
>> convey additional information or finalize the authentication.
>>
>> I created a pull request in this direction:
>> https://github.com/httpwg/http-extensions/pull/47
>>
>> Hervé.
>
>
> Which means that we rule out the use of Auth-Info before the authentication
> is done.
>
> I'm ok with this clarification, what do others think?
>
> Best regards, Julian
>

Received on Monday, 23 February 2015 00:36:16 UTC