- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 26 Jul 2011 15:43:05 -0400
- To: Yutaka OIWA <y.oiwa@aist.go.jp>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

On 26/07/2011, at 9:15 AM, Yutaka OIWA wrote:

>> 1) Clarify that WWW-Authenticate can appear on any response, and that when it appears on any other than a 401, it means that the client can optionally present the request again with a credential.
>
> Just for confirmation:
> I remember we had some discussion about this years ago.
> This change will break SPNEGO (see RFC 4559, Sec. 5)
> and other authentication schemes which use
> WWW-Authenticate on 200 as a carrier for authentication
> exchanges, instead of Authentication-Info.
> Is this incompatible change OK?
> (I prefer this direction, though.)

Well, RFC4559 is already broken, because it makes assumptions about the relationship between messages in a connection.

Regardless, I think we can word it in such a way that Negotiate isn't any more broken; people already know that they need to handle it differently.

> And if this change text intends to introduce opportunity
> for optional authentication to HTTP at this time,
> I think we need more details and restrictions to make it work.
> If the intention is just to clarify header meanings and
> leave the rest for future work, it is OK for me.

I think it's the latter.

Cheers,

--
Mark Nottingham http://www.mnot.net/

Received on Tuesday, 26 July 2011 19:43:29 UTC