Re: #78: Relationship between 401, Authorization and WWW-Authenticate

On 2011/07/26 22:28, Yutaka OIWA wrote:

> And if this change text intends to introduce any opportunity
> for optional authentication to HTTP at this time,
> I think we need more detailed restrictions to make it really work.
> If the intention is just to clarify header meanings and
> leave the rest for future work, it is OK for me.

Just FYI, the following is the list of additional rules required
to make optional auth work.

(1) The response for successful authentication MUST NOT contain
    any WWW-Authenticate: header.

(2) The response for failed authentication is RECOMMENDED to be
    401 status, even if a request for the same URL and method without
    Authorization: header will result in 200 status with WWW-Authenticate:
    header.

At least one of the above conditions must be met; otherwise
clients cannot determine whether the authentication is successful or not.
Of course, clause (1) will break some existing authentication schemes.

If interested, please also refer to my Mutual authentication proposal,
which also contains detailed rules (including the two above)
for realizing optional HTTP authentication.

If the #78 change intends to realize optional auth at this time,
I propose that the two clauses above be included.
Otherwise, it's OK and I'll work on this later in future http-auth activity.

-- 
Yutaka OIWA, Ph.D.                                       Research Scientist
                            Research Center for Information Security (RCIS)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]

Received on Tuesday, 26 July 2011 13:47:50 UTC
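The following is an added example illustrating the argument in the message above; it is not part of the message, of the #78 change text, or of the Mutual authentication proposal. It models a server offering optional authentication (a request without Authorization gets 200 plus WWW-Authenticate) with each of the two clauses switchable on or off, and a client that must decide from the response alone whether its credentials were accepted. The "Toy" authentication scheme, the realm, the user name and password are all constructed for the example; the only point it makes is the one in the message: unless the server follows at least one of the two clauses, the response to good credentials is byte-for-byte the same as the response to bad ones, so the client cannot tell them apart.

```python
"""Optional HTTP authentication: why at least one of clauses (1)/(2) is needed.

Added example (not from the original message). The 'Toy' scheme, realm and
credential store below are constructed; the model keeps only status code and
the WWW-Authenticate header, which is all the two clauses talk about.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional

REALM = "example"            # constructed realm
VALID = {"alice": "s3cret"}  # constructed credential store


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)  # names lowercased


def serve(authorization: Optional[str], rule1: bool, rule2: bool) -> Response:
    """Server side of an optional-auth resource.

    rule1: a successful authentication response carries no WWW-Authenticate.
    rule2: a failed authentication gets 401 even though the anonymous request
           to the same URL would have got 200.
    Credentials are 'Toy user:password' (constructed scheme, not Basic).
    """
    challenge = f'Toy realm="{REALM}"'
    if authorization is None:
        # Optional auth: anonymous requests succeed but advertise a challenge.
        return Response(200, {"www-authenticate": challenge})
    scheme, _, cred = authorization.partition(" ")
    user, _, password = cred.partition(":")
    accepted = scheme == "Toy" and VALID.get(user) == password
    if accepted:
        # Clause (1): drop the challenge on success; otherwise keep echoing it.
        return Response(200, {} if rule1 else {"www-authenticate": challenge})
    if rule2:
        # Clause (2): signal failure with 401 rather than the anonymous 200.
        return Response(401, {"www-authenticate": challenge})
    # Neither clause: a rejected request looks exactly like an anonymous one.
    return Response(200, {"www-authenticate": challenge})


class Outcome(Enum):
    ACCEPTED = "accepted"
    REJECTED = "rejected"


def classify(resp: Response, rule1_in_effect: bool) -> Outcome:
    """Client side. `rule1_in_effect` is what the client knows the spec
    guarantees: if clause (1) is mandated, a challenge on a non-401 response
    already means rejection; if only clause (2) applies, only a 401 does."""
    if resp.status == 401:
        return Outcome.REJECTED
    if "www-authenticate" in resp.headers:
        return Outcome.REJECTED if rule1_in_effect else Outcome.ACCEPTED
    return Outcome.ACCEPTED


def distinguishable(rule1: bool, rule2: bool) -> bool:
    """Does the server's answer to good credentials differ at all from its
    answer to bad ones? If not, no client logic can recover the outcome."""
    good = serve("Toy alice:s3cret", rule1, rule2)
    bad = serve("Toy alice:wrong", rule1, rule2)
    return good != bad


if __name__ == "__main__":
    for r1, r2 in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"rule1={r1!s:5} rule2={r2!s:5} -> client can tell: "
              f"{distinguishable(r1, r2)}")
```

With neither clause in effect, `classify` on the response to bad credentials returns ACCEPTED, which is the failure mode the message warns about; with clause (1) alone or clause (2) alone the client classifies both cases correctly, and the two clauses together change nothing for the client beyond what (1) already gives it.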