[Prev][Next][Index][Thread]
RE: Access Control: What's On The Wire
>
> This might just be a more direct way of saying what you are saying.
>
> I think you will find that the only way to specify that credentials =
> should be sent without restricting the implementation to any particular =
> method (X.509, kerberos...) is to define a "credential cookie" which the =
> client sends to the server.
>
> Determining which form of credential to send (assuming the client has a =
> choice) would require the client and/or the server to send a list of the =
> supported credential "formats" in order of preference the one being used =
> being the highest commonly supported format (credential handshake).
>
> This implies that the minimum that this WG is going to have to do is
>
> 1) Decide which schemes we regard as candidates for credentials
> 2) Determine the extension to HTTP for the credential handshaking =
> explicitly naming the identified credential schemes and such that it can =
> be extended to support other schemes (similar to the MIME-type names)
> 3) Determine the extension to HTTP for the credential cookie transfer
What's to stop using extension schemes under WWW-Authenticate
as credentials?
References: