- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 15 Sep 2010 18:26:03 +0200
- To: HTTP Working Group <ietf-http-wg@w3.org>
Hi, I just checked the history of this bug, following several threads, and it appears this is really a *set* of issues... 1. Relation between status code 401 and WWW-Authenticate 401 responses MUST include a WWW-Authenticate, but the opposite is not true. Should we state more clearly in <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-11.html#header.www-authenticate> what this field means on a 2xx response? Any response? 2. Relation between WWW-Authenticate and Authorization fields? Does every authentication scheme need to specify the credentials in "Authorization"? <http://tools.ietf.org/html/draft-broyer-http-cookie-auth-00> doesn't, and this doesn't seem to be a problem in practice (as long as cacheability is properly addressed) 3. Should we specify how to handle a 401/WWW-Authenticate that does not contain any known schemes? It appears all browsers nowadays display the message payload, which clearly is the right thing to do if we ever want to deploy new schemes. Given the fact that implementations do the right thing, do we need to say more? Best regards, Julian
Received on Wednesday, 15 September 2010 16:26:45 UTC