- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 17 Aug 2007 11:30:23 +0200
- To: Mark Nottingham <mnot@mnot.net>
- CC: Hugo Haas <hugo@yahoo-inc.com>, ietf-http-wg@w3.org

Mark Nottingham wrote:
>
> Discussion on the list, as well as in Chicago, seems to be leaning
> towards firming up the combination of 401, WWW-Authenticate and
> Authorization as a framework, possibly described separately.
>
> If that's the case, I'd take a stab and say that 401 is specific to
> authentication mechanisms that use that framework. I.e., it's not just a
> challenge for *any* authentication to be presented, but for
> authentication to be presented using the header defined for it. After
> all, 401 and WWW-Authenticate are already tightly bound (as you point out).
>
> Does that seem reasonable?

Not fully convinced.

If we say that 401 may only be used for authentication within the RFC2617 framework, then we either

- force servers to use that framework (unlikely to succeed with today's schemes), or

- force servers not to return a 401 at all.

I think the latter would be bad: in this case I'd prefer a 401 over a 400 or (gasp!) a 200.

Best regards, Julian

Received on Friday, 17 August 2007 09:30:44 UTC