W3C home > Mailing lists > Public > public-xg-webid@w3.org > November 2011

Re: HTTP request header field for acceptable authentication methods

From: Henry Story <henry.story@bblfish.net>
Date: Sun, 6 Nov 2011 10:19:20 +0100
Cc: WebID XG <public-xg-webid@w3.org>, Yutaka OIWA <y.oiwa@aist.go.jp>, julian.reschke@greenbytes.de
Message-Id: <CF20B5C7-1993-4F2D-97FF-81A28F2B9BED@bblfish.net>
To: "http-auth@ietf.org" <http-auth@ietf.org>

On 6 Nov 2011, at 01:22, bergi wrote:

>> 
>> 
>> 2) Do we really need qvalue here?  Or what q=0 suggests?
> 
> Maybe in combination with Basic it doesn't make sense, but a user/robot
> could have multiple decentralized identities with different protocols.
> The server may not support all of them, but with the qvalue the client
> could tell what's the protocol of the primary id.
> 
> Example with WebID (primary) + OpenID:
> Accept-Authentication: WebID, OpenID;q=0.9
> 
> In our particular case qvalue=1 could also mean that the server should
> ask for a certificate in "need-mode" otherwise in "want-mode". Some
> client implementations don't handle the "want-mode" in the right way and
> don't even ask for a client certificate. In "need-mode" the client must
> provide a certificate otherwise the server closes the connection with an
> error. The "need-mode" should work with all implementations.

I hasten to add that the NEED mode is the least user-friendly one, when considering Human users. Humans can mistakenly click the cancel button, and not send a certificate, thereby automatically breaking the connection, which usually leaves the client showing a very ugly UserInterface. Want mode is a lot more elegant. But we may have to live for some time with clients that require NEED.

It seems Java has this issue for example
  https://bugs.openjdk.java.net/show_bug.cgi?id=100213

And some versions of Safari also I seem to remember.

Henry

> 
>> 
>> Do you have some opinion about these?
>> 
>> 
>> (*1) As far as several HTTP-Auth schemes are involved, the HTTP auth framework
>>     allows servers to provide several possible schemes at once, and
>>     clients to choose the most strong one.  However, I want to allow
>>     servers to check whether clients accepts my Mutual authentication scheme,
>>     otherwise divert to Form authentication possibly for transition purpose.
>> 
>> On 2011/10/31 18:27, Dominik Tomaszuk wrote:
>>> On 30.10.2011 22:38, bergi wrote:
>> (skipped)
>>>> I propose to use a HTTP header field to
>>>> tell the server that the client is able to authenticate with a WebID. As
>>>> such a field could be also useful for other authentication methods I
>>>> would chose a generic name. There are already some Accept-* fields I
>>>> would follow that pattern. As it's currently not a standard field I
>>>> would prefix that field with X-. Multiple values must have the same
>>>> format as defined for the Accept field. Also the quality parameter must
>>>> be handled by the server.
>>>> 
>>>> Example only with WebID authentication:
>>>> X-Accept-Authentication: WebID
>>>> 
>>>> Example with WebID and Basic authentication:
>>>> X-Accept-Authentication: WebID, Basic;q=0.9
>>>> 
>>>> What do you think about my proposal?
>>> It might be interesting to HTTPBis, part 7: Authentication [1] and HTTPBis
>>> Authentication Scheme Registrations [2]
>>> 
>>> [1] http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-16
>>> [2] http://tools.ietf.org/html/draft-ietf-httpbis-authscheme-registrations-02
>>> 
>>> Best,
>>> Dominik 'domel' Tomaszuk
>>> 
> 
> 

Social Web Architect
http://bblfish.net/
Received on Sunday, 6 November 2011 09:20:05 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 6 November 2011 09:20:05 GMT