- From: Yutaka OIWA <y.oiwa@aist.go.jp>
- Date: Wed, 06 Jan 2010 16:45:15 +0900
- To: Thomas Broyer <t.broyer@gmail.com>
- Cc: public-web-security@w3.org
Dear Thomas,
>>> Why introduce the Optional-WWW-Authenticate? why not just use a
>>> WWW-Authenticate header in non-401 responses?
>>> See http://trac.tools.ietf.org/wg/httpbis/trac/ticket/78#comment:4
Can I ask the opposite question:
why do you want to overload the existing WWW-Authenticate header for
optional authentication?
I think the separate header is better because (1) the meaning differs
(users MAY be authorized <-> users MUST either be authorized or give
up) from the existing header, and (2) it is semantically safe with
existing implementations.
I am really counting on your survey on many existing implementations,
but semantical safety is always better than experimental safety, isn't
it?
P.S.
I do not know whether it is critical, but there is at least one mail
referring to an existing conflicting use of the WWW-Authenticate header
(to carry authentication information on final successful response)
in a 200 response:
http://lists.w3.org/Archives/Public/ietf-http-wg/2008OctDec/0247.html
My proposal and Digest authentication use a separate Authentication-Info:
header for this purpose.
In the same thread, a browser responding to a WWW-Authenticate
header in a 200 response is also mentioned:
http://lists.w3.org/Archives/Public/ietf-http-wg/2008OctDec/0250.html
--
Yutaka OIWA, Ph.D. Research Scientist
Research Center for Information Security (RCIS)
National Institute of Advanced Industrial Science and Technology (AIST)
Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]
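An added example illustrating the client-side decision the mail argues about; it is not code from the original message, from the proposal it refers to, or from any implementation it cites. The header name Optional-WWW-Authenticate and the role of Authentication-Info are taken from the mail; the sample responses, the decision labels ("must", "may", "ambiguous", "none") and the "legacy client" model (a client that has never heard of the new header and ignores it, but reacts to WWW-Authenticate regardless of status) are constructed for this example.

```python
import re

# Constructed sample responses as (status, headers) for the cases discussed in the mail.
SAMPLES = {
    # Classic protected resource: the client must authenticate or give up.
    "protected": (401, {"WWW-Authenticate": 'Digest realm="example", nonce="abc", qop="auth"'}),
    # Separate header: the body is usable, authentication is merely offered.
    "optional": (200, {"Optional-WWW-Authenticate": 'Digest realm="example", nonce="abc"'}),
    # Overloaded existing header on a 200: optional challenge, or the pre-existing
    # use of WWW-Authenticate on a successful response?  The client cannot tell.
    "overloaded": (200, {"WWW-Authenticate": 'Digest realm="example", nonce="abc"'}),
    # Successful-response information carried in its own header (Digest style).
    "success_info": (200, {"Authentication-Info": 'nextnonce="def", qop=auth'}),
    "plain": (200, {"Content-Type": "text/html"}),
}

_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_challenge(value):
    """Parse one challenge 'Scheme k="v", k=v' into (scheme, {param: value})."""
    scheme, _, rest = value.strip().partition(" ")
    params = {
        m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _PARAM.finditer(rest)
    }
    return scheme.lower(), params


def classify(status, headers, knows_optional=True):
    """Return what a client is expected to do with a response.

    'must'      - 401 with WWW-Authenticate: authenticate or give up.
    'may'       - non-401 with Optional-WWW-Authenticate: body is usable, auth is offered.
    'ambiguous' - non-401 with WWW-Authenticate: could be an optional challenge or the
                  conflicting legacy use of the header on a successful response.
    'none'      - no challenge the client recognises (Authentication-Info is not one).
    knows_optional=False models a legacy client that ignores the unknown header.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        return "must" if "www-authenticate" in h else "none"
    if knows_optional and "optional-www-authenticate" in h:
        return "may"
    if "www-authenticate" in h:
        return "ambiguous"
    return "none"


def offered_challenge(status, headers):
    """Parsed challenge the client may act on, or None when there is nothing unambiguous."""
    h = {k.lower(): v for k, v in headers.items()}
    verdict = classify(status, headers)
    if verdict == "must":
        return parse_challenge(h["www-authenticate"])
    if verdict == "may":
        return parse_challenge(h["optional-www-authenticate"])
    return None


if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(f"{name:12s} new client: {classify(status, headers):9s} "
              f"legacy client: {classify(status, headers, knows_optional=False)}")
```

Running the script shows the safety property the mail argues for: a legacy client sees "none" for the Optional-WWW-Authenticate response (it renders the page as usual), whereas the overloaded 200 + WWW-Authenticate response is "ambiguous" for new and legacy clients alike.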
Received on Wednesday, 6 January 2010 07:45:51 UTC