Re: #78: Relationship between 401, Authorization and WWW-Authenticate

2011/7/25 Mark Nottingham <mnot@mnot.net>:
> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/78>
>
> Proposal:
>
> 1) Clarify that WWW-Authenticate can appear on any response, and that when it
> appears on any other than a 401, it means that the client can optionally
> present the request again with a credential.

Just for confirmation:
I remember we had some discussion about this years ago.
This change will break SPNEGO (see RFC 4559, Sec. 5 example)
and other authentication schemes which use
WWW-Authenticate on 200 as a carrier for authentication
exchanges, instead of Authentication-Info.
Is this incompatible change OK?
(I prefer this direction, though.)

And if this change text intends to introduce any opportunity
for optional authentication to HTTP at this time,
I think we need more detailed restrictions to make it really work.
If the intention is just to clarify header meanings and
leave the rest for future work, it is OK for me.

> 2) Clarify that an Authentication scheme that uses WWW-Authenticate and/or
> 401 MUST use the Authorization header in the request, because of its
> implications for caching. Schemes MAY specify additional headers to be used
> alongside it.

+1. Good way.

-- 
Yutaka OIWA, Ph.D.                                       Research Scientist
                            Research Center for Information Security (RCIS)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]

Received on Tuesday, 26 July 2011 13:28:53 UTC
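The two proposals quoted in this message can be made concrete in code. The following is an added example, not code from the thread or from the HTTPbis working group: it implements the client-side reading of WWW-Authenticate that proposal 1 gives (required on 401, optional on any other status) and the shared-cache rule for requests carrying Authorization (RFC 2616 Section 14.8, retained as RFC 7234 Section 3.2) that motivates proposal 2, then walks a constructed two-leg exchange in the style of RFC 4559 Section 5 to show why the final SPNEGO token on a 200 would be read as an "optional" challenge. Headers are plain dicts and the Negotiate tokens are placeholders, not real GSS-API data.

```python
"""Added example (not part of the mailing-list thread): client-side and
shared-cache handling of WWW-Authenticate / Authorization as discussed in
HTTPbis ticket #78.  All sample messages below are constructed."""


def _get(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_cache_control(value):
    """Parse 'public, max-age=60' into {'public': None, 'max-age': '60'}."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def retry_decision(status, response_headers):
    """Return 'required', 'optional' or 'none' for re-sending with credentials.

    Proposal 1 in the thread: a challenge on 401 means the request was refused
    and credentials are needed; a challenge on any other status is an offer the
    client may take up by presenting the request again with Authorization.
    """
    if _get(response_headers, "WWW-Authenticate") is None:
        return "none"
    return "required" if status == 401 else "optional"


# RFC 2616 Section 14.8 (RFC 7234 Section 3.2): a shared cache must not store a
# response to a request that carried Authorization unless the response permits
# it explicitly with one of these Cache-Control directives.
SHARED_CACHE_OVERRIDES = {"s-maxage", "must-revalidate", "public"}


def shared_cache_may_store(request_headers, response_headers):
    """Apply the Authorization caching rule that motivates proposal 2."""
    if _get(request_headers, "Authorization") is None:
        return True
    directives = parse_cache_control(_get(response_headers, "Cache-Control"))
    return bool(SHARED_CACHE_OVERRIDES & set(directives))


def walk_exchange(exchange):
    """Annotate each (request_headers, status, response_headers) leg with
    the client's retry decision and whether a shared cache may store it."""
    return [
        (retry_decision(status, resp), shared_cache_may_store(req, resp))
        for req, status, resp in exchange
    ]


# Constructed exchange in the style of RFC 4559 Section 5: the server's final
# 200 carries the last Negotiate token in WWW-Authenticate rather than in
# Authentication-Info.  Tokens are placeholders, not real GSS-API data.
SPNEGO_STYLE_EXCHANGE = [
    ({}, 401, {"WWW-Authenticate": "Negotiate"}),
    ({"Authorization": "Negotiate <client-token-placeholder>"}, 200,
     {"WWW-Authenticate": "Negotiate <server-token-placeholder>",
      "Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for leg, (retry, storable) in zip(SPNEGO_STYLE_EXCHANGE,
                                      walk_exchange(SPNEGO_STYLE_EXCHANGE)):
        print(leg[1], "retry:", retry, "shared-cache storable:", storable)
```

Running it prints the second leg as `200 retry: optional shared-cache storable: False`: under proposal 1 the client reads the final token as an invitation to re-authenticate rather than as the closing leg of the exchange, which is the incompatibility the message raises, while the absence of `public`, `s-maxage` or `must-revalidate` keeps the authenticated response out of shared caches, which is the property proposal 2 relies on.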