- From: Nico Williams <nico@cryptonector.com>
- Date: Mon, 30 Mar 2020 23:59:54 -0500
- To: Benjamin Kaduk <kaduk@mit.edu>
- Cc: ietf-http-wg@w3.org, secdispatch@ietf.org
On Mon, Mar 30, 2020 at 07:06:29PM -0700, Benjamin Kaduk wrote: > On Sat, Mar 28, 2020 at 11:37:48PM -0500, Nico Williams wrote: > > This I-D then adds an Accept-Auth request header, and an HTTP > > Interestingly, I was just thinking about whether such an Accept-Auth > header would be useful in the context of Rick's SASL proposal that was > presented at SECDISPATCH last week. Perhaps along with a way for the > server to annotate that various (e.g., linked) resources will require > a given authentication mechanism, there might be a route to improving The server isn't going to want to authenticate the user differently for different resources -- authorize differently, yes, but probably still with the same scheme. > the UX in this space ... though there's a long way for it to go, so I > don't know that these in and of themselves will make a huge > difference. I don't quite follow. There's lots more work to do about UX? Sure. But I know this header will make a huge difference for sites where there's a mix of Negotiate and Bearer -- it's absolutely essential for the server to know which (if either, possibly both) are supported. So I'd very much like to move forward with registering the header by requesting Expert Review for it. What about the Redirect scheme? Have I missed something important? That will require IETF Review. I've added security considerations text in my GH repo for this, nicowilliams/accept-auth-and-redirect, FYI. Nico --
Received on Tuesday, 31 March 2020 05:00:18 UTC