Re: [ietf-http-auth] HTTP Mutual-auth proposal status / HTTP AUTH meet-up in Anaheim?

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Wed, 06 Jan 2010 16:45:15 +0900
To: Thomas Broyer <t.broyer@gmail.com>
Cc: public-web-security@w3.org
Message-ID: <871vi38yno.fsf@bluewind.rcis.aist.go.jp>

Dear Thomas,

>>> Why introduce the Optional-WWW-Authenticate? why not just use a
>>> WWW-Authenticate header in non-401 responses?
>>> See http://trac.tools.ietf.org/wg/httpbis/trac/ticket/78#comment:4

Can I ask the opposite question:
why do you want to overload existing WWW-Authenticate header for
optional authentication?

I think the separate header is better because (1) the meaning differs
(users MAY be authorized <-> users MUST either be authorized or give
up) from the existing header, and (2) it is semantically safe with
existing implementations.

I am really counting on your survey on many existing implementations,
but semantical safety is always better than experimental safety, isn't


I do not know whether it is critical, but there is at least one mail
referring to an existing conflicting use of the WWW-Authenticate header
(to carry authentication information on final successful response)
in a 200 response:
My proposal and Digest authentication use a separate Authentication-Info:
header for this purpose.

In the same thread, a browser responding to a WWW-Authenticate
header in a 200 response was mentioned:

Yutaka OIWA, Ph.D.                                       Research Scientist
                            Research Center for Information Security (RCIS)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
Received on Wednesday, 6 January 2010 07:45:51 UTC
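
The compatibility argument in the message above, as an added example that is not part of the original mail or of the proposal: it compares how two legacy client models and one client aware of Optional-WWW-Authenticate classify the same constructed responses. The client models, the scheme name `Example` and the realm are assumptions made for illustration, not the behaviour of any specific browser.

```python
def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def legacy_strict(status, headers):
    """Hypothetical legacy client: honours WWW-Authenticate only on 401."""
    if status == 401 and "www-authenticate" in headers:
        return "must-authenticate"
    return "render"

def legacy_eager(status, headers):
    """Hypothetical legacy client: reacts to WWW-Authenticate on any status
    (assumed model of the browser behaviour mentioned in the thread)."""
    return "must-authenticate" if "www-authenticate" in headers else "render"

def optional_aware(status, headers):
    """Hypothetical client that understands the separate optional header."""
    if status == 401 and "www-authenticate" in headers:
        return "must-authenticate"
    if status != 401 and "optional-www-authenticate" in headers:
        return "render-and-offer-login"
    return "render"

# Constructed sample responses: (status code, raw header block).
RESPONSES = {
    "mandatory":  (401, 'WWW-Authenticate: Example realm="demo"'),
    "overloaded": (200, 'WWW-Authenticate: Example realm="demo"'),
    "separate":   (200, 'Optional-WWW-Authenticate: Example realm="demo"'),
}
LEGACY_CLIENTS = (legacy_strict, legacy_eager)

def outcomes(client):
    """Classify every sample response with the given client model."""
    return {kind: client(status, parse_headers(raw))
            for kind, (status, raw) in RESPONSES.items()}

def legacy_safe(kind):
    """True if every legacy model still renders the page unchanged."""
    status, raw = RESPONSES[kind]
    return all(c(status, parse_headers(raw)) == "render" for c in LEGACY_CLIENTS)

if __name__ == "__main__":
    for client in (*LEGACY_CLIENTS, optional_aware):
        print(client.__name__, outcomes(client))
    print("overloaded safe:", legacy_safe("overloaded"))
    print("separate safe:", legacy_safe("separate"))
```

With the overloaded header the result depends on which legacy model a deployed client follows, which is what a survey of implementations would have to establish; with the separate header both legacy models ignore the unknown field.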