- From: Alexey Melnikov <alexey.melnikov@isode.com>
- Date: Mon, 02 Jul 2007 15:05:59 +0100
- To: Henrik Nordstrom <henrik@henriknordstrom.net>
- CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Henrik Nordstrom wrote:

>On Mon, 2007-07-02 at 12:22 +0100, Alexey Melnikov wrote:
>
>>I don't think that the framework itself is broken. But one thing that
>>needs to be clarified is that authentication exchange using a new
>>authentication mechanism X can use more than 1 roundtrip and use the
>>same HTTP header for each authentication step. Many existing
>>implementations are designed to expect data from the second round trip
>>in another header (like in Digest).
>
>My view on this:
>
>WWW-Authenticate is fine for 401. For additional information after
>successful (or failed) authentication and useful to verify the server
>identity or provide information to be used on the next authenticated
>request or other information about the outcome of the authentication
>request Authentication-Info is more suited, and its presence should be
>declared as part of the framework and not just a by-product of Digest.

Indeed, this is one way to clarify the framework.

>The format of Authentication-Info response header should be scheme
>specific, defined by the scheme used in the Authorization request
>header.
Received on Monday, 2 July 2007 14:07:54 UTC
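
The exchange discussed in this message, as an added example that is not part of the original thread: a toy client and server run a two-round-trip mechanism in which every 401 step reuses WWW-Authenticate and the final response carries a scheme-specific Authentication-Info that the client uses to verify the server. The scheme name "X-Example", its step/cnonce/snonce/proof fields and the shared key are hypothetical and constructed for illustration.

```python
import hashlib, hmac, os
SCHEME = "X-Example"             # hypothetical scheme name (assumption)
KEY = b"constructed-shared-key"  # constructed sample credential

def mac(*parts):
    return hmac.new(KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()

def parse(data):  # "a=1,b=2" -> {"a": "1", "b": "2"}; bare challenge -> {}
    return dict(p.split("=", 1) for p in data.split(",") if "=" in p)

class Server:
    """Toy origin server; keeps exchange state in memory for brevity."""
    def __init__(self):
        self.cnonce = self.snonce = None

    def handle(self, headers):
        scheme, _, data = headers.get("Authorization", "").partition(" ")
        f = parse(data) if scheme == SCHEME else {}
        if f.get("step") == "1" and "cnonce" in f:
            self.cnonce, self.snonce = f["cnonce"], os.urandom(8).hex()
            # Second challenge reuses WWW-Authenticate, not a separate header.
            return 401, {"WWW-Authenticate": f"{SCHEME} step=2,snonce={self.snonce}"}
        if f.get("step") == "2" and self.snonce and hmac.compare_digest(
                f.get("proof", ""), mac(self.cnonce, self.snonce, "client")):
            # Outcome data goes in Authentication-Info, in a scheme-specific format.
            proof = mac(self.cnonce, self.snonce, "server")
            return 200, {"Authentication-Info": "proof=" + proof}
        return 401, {"WWW-Authenticate": SCHEME}

def authenticate(send, max_steps=4):
    # Drives the exchange; returns (final status, server proof verified?).
    headers, cnonce, snonce = {}, os.urandom(8).hex(), None
    for _ in range(max_steps):
        status, resp = send(headers)
        if status != 401:
            break
        scheme, _, data = resp.get("WWW-Authenticate", "").partition(" ")
        if scheme != SCHEME:
            raise ValueError("unsupported challenge")
        snonce = parse(data).get("snonce")
        if snonce is None:
            headers = {"Authorization": f"{SCHEME} step=1,cnonce={cnonce}"}
        else:
            headers = {"Authorization":
                       f"{SCHEME} step=2,proof={mac(cnonce, snonce, 'client')}"}
    else:
        raise RuntimeError("authentication did not converge")
    info = parse(resp.get("Authentication-Info", ""))
    ok = snonce is not None and hmac.compare_digest(
        info.get("proof", ""), mac(cnonce, snonce, "server"))
    return status, ok
```

A 200 response whose Authentication-Info proof does not verify yields (200, False), so the caller can tell an accepted request apart from a verified server.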