Backwards definition of authentication header

(I'm in the process of writing a new HTTP authentication scheme per the OAuth WG charter. I will be sending questions and issues regarding RFC 2617 and draft-ietf-httpbis-p7-auth in the hopes that someone will both be able to clarify them as well as find this feedback useful.)

Trying to follow the definition of the WWW-Authenticate and Authorization headers is like chasing one's own tail. The headers are defined in draft-ietf-httpbis-p7-auth but their content is defined using an imported definition from 2617, which in turn relies on the header definition in 2616. There isn't a single place where an implementer can read about the complete structure of these headers.

Why not move the entire section 1 from 2617 into draft-ietf-httpbis-p7-auth?

It is also confusing that Basic auth does not comply with the syntax defined for 'credentials' (no key="value" pair, only base64 username and password). I am not suggesting changing Basic, but I am suggesting changing the definition of 'credentials' to better reflect reality or at least note why Basic is different (I assume for historical reasons).

What is not clear to me is if the definition provided for 'credentials' is binding for new schemes, or if these schemes can go and redefine it as they see fit.

EHL

Received on Friday, 4 December 2009 07:54:19 UTC
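The grammar chase the post describes, as an added example (not part of the original message, nor code from the OAuth or httpbis drafts): a small Python parser for the RFC 2617 section 1.2 production `credentials = auth-scheme #auth-param` (with `auth-param = token "=" ( token | quoted-string )` and `token`/`quoted-string` from RFC 2616), plus the Basic scheme's `base64-user-pass` form handled as the special case the post points out. It demonstrates concretely that a Basic credential does not satisfy the generic `credentials` syntax while a Digest credential does. The function names (`split_scheme`, `parse_auth_params`, `conforms_to_generic_credentials`, `parse_authorization`) and the sample header values are constructed for this example.

```python
"""Parse HTTP Authorization credentials per the RFC 2617 section 1.2 grammar.

Helper names and sample values in this file are constructed for illustration;
they are not from RFC 2617, RFC 2616 or draft-ietf-httpbis-p7-auth themselves.
"""
import base64
import re

# RFC 2616 "token": one or more CHARs that are neither CTLs nor separators
# (separators are ()<>@,;:\"/[]?={} SP HT).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# RFC 2616 quoted-string, allowing quoted-pair ("\" CHAR) escapes inside.
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
# RFC 2617: auth-param = token "=" ( token | quoted-string )
AUTH_PARAM = re.compile(rf"({TOKEN})=({TOKEN}|{QUOTED_STRING})")
# RFC 2617: credentials = auth-scheme #auth-param ; auth-scheme = token
SCHEME_AND_REST = re.compile(rf"\s*({TOKEN})(?:\s+(.*))?\s*$", re.DOTALL)


def split_scheme(header):
    """Return (auth-scheme, remainder) or raise ValueError if no scheme token."""
    m = SCHEME_AND_REST.match(header)
    if not m:
        raise ValueError("no auth-scheme token at start of header")
    return m.group(1), (m.group(2) or "").strip()


def parse_auth_params(text):
    """Parse the '#auth-param' list (comma separated; RFC 2616 allows empty elements).

    Parameter names are returned lower-cased; duplicates are rejected rather than
    silently letting the last (or first) occurrence win.
    """
    params = {}
    rest = text.strip()
    while rest:
        if rest.startswith(","):          # empty list element, permitted by the #rule
            rest = rest[1:].lstrip()
            continue
        m = AUTH_PARAM.match(rest)
        if not m:
            # Do not echo the remainder: it may contain credential material.
            raise ValueError(f"not an auth-param at offset {len(text) - len(rest)}")
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])   # undo quoted-pair escapes
        if name in params:
            raise ValueError(f"duplicate auth-param {name!r}")
        params[name] = value
        rest = rest[m.end():].lstrip()
        if rest and not rest.startswith(","):
            raise ValueError(f"expected ',' at offset {len(text) - len(rest)}")
    return params


def conforms_to_generic_credentials(header):
    """True if header matches credentials = auth-scheme #auth-param as written."""
    try:
        _, rest = split_scheme(header)
        parse_auth_params(rest)
        return True
    except ValueError:
        return False


def parse_authorization(header):
    """Parse an Authorization header value into (scheme, parameters).

    Basic (RFC 2617 section 2) is special-cased: its payload is
    base64(userid ":" password), which is not an auth-param list.
    """
    scheme, rest = split_scheme(header)
    if scheme.lower() == "basic":
        try:
            user_pass = base64.b64decode(rest, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError) as exc:
            raise ValueError("malformed basic-credentials") from exc
        # RFC 2617 forbids ':' in the userid, so the first ':' is the separator.
        userid, sep, password = user_pass.partition(":")
        if not sep:
            raise ValueError("basic-credentials lack the ':' separator")
        return scheme, {"userid": userid, "password": password}
    return scheme, parse_auth_params(rest)


if __name__ == "__main__":
    # Constructed sample values; the Basic string encodes "Aladdin:open sesame".
    basic = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
    digest = 'Digest username="alice", realm="example", nonce="abc123", uri="/", qop=auth'
    print("Basic fits generic grammar:", conforms_to_generic_credentials(basic))
    print("Digest fits generic grammar:", conforms_to_generic_credentials(digest))
    print(parse_authorization(digest))
```

A server that validates incoming Authorization headers against the generic grammar alone would reject every Basic client, which is the practical consequence of the mismatch the post raises; the dispatch in `parse_authorization` is the workaround implementers end up writing because no single document spells out both forms.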