- From: Yutaka OIWA <y.oiwa@aist.go.jp>
- Date: Wed, 27 Jul 2011 04:53:36 +0900
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Thanks,

2011/7/27 Mark Nottingham <mnot@mnot.net>:
> On 26/07/2011, at 9:15 AM, Yutaka OIWA wrote:
>
>>> 1) Clarify that WWW-Authenticate can appear on any response, and that when it appears on any other than a 401, it means that the client can optionally present the request again with a credential.
>>
>> Just for confirmation:
>> I remember we had some discussion about this years ago.
>> This change will break SPNEGO (see RFC 4559, Sec. 5)
>> and other authentication schemes which use
>> WWW-Authenticate on 200 as a carrier for authentication
>> exchanges, instead of Authentication-Info.
>> Is this incompatible change OK?
>> (I prefer this direction, though.)
>
> Well, RFC4559 is already broken, because it makes assumptions about the relationship between messages in a connection.
>
> Regardless, I think we can word it in such a way that Negotiate isn't any more broken; people already know that they need to handle it differently.

I see, then I agree with your proposal.

Does anyone have a list of HTTP authentication schemes (either RFC-defined or de facto deployed) so that we can check the whole list of to-be-differently-handled schemes?
If there is such a list, I (we) can work on making such a checklist.
(unless it has 50 or 100 entries :-))
Received on Tuesday, 26 July 2011 19:54:04 UTC