- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 26 Jul 2011 21:55:23 +0200
- To: Yutaka OIWA <y.oiwa@aist.go.jp>
- CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 2011-07-26 15:47, Yutaka OIWA wrote:
> On 2011/07/26 22:28, Yutaka OIWA wrote:
>
>> And if this change text intends to introduce any opportunity
>> for optional authentication to HTTP at this time,
>> I think we need more detailed restrictions to make it really work.
>> If the intention is just to clarify header meanings and
>> leave the rest for future work, it is OK for me.
>
> just FYI, the following is the list of required additional rules
> to make optional auth work.
>
> (1) The response for successful authentication MUST NOT contain
> any WWW-Authenticate: header.

Not sure about that. If we allow WWW-A on a non-authenticated 200 response, why not also on an authenticated one?

> (2) The response for failed authentication is RECOMMENDED to be
> 401 status, even if a request for the same URL and method without
> Authorization: header will result in 200 status with WWW-Authenticate:
> header.

I agree with this one, but, as Mark said, let's leave that to future work.

> ...

Best regards, Julian
Received on Tuesday, 26 July 2011 19:56:06 UTC
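The "optional authentication" exchange the two quoted rules describe, as an added Python model that is not part of the thread and not the working group's text: an origin server that serves anonymous requests with 200 plus a challenge, follows rule (1) for valid credentials and rule (2) for bad ones, and a client-side check that tells optional from mandatory authentication. The credential store, realm and user names are constructed for the example.

```python
import base64
import hmac

# Constructed credential store for the example (not a real deployment).
USERS = {"alice": "correct horse battery staple"}
REALM = "example"


def basic_header(user, password):
    """Build an Authorization header value for HTTP Basic (client side)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(authorization):
    """Return the user name for a valid Basic credential, else None."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    expected = USERS.get(user)
    # Constant-time comparison so the check does not leak the password via timing.
    if expected is not None and hmac.compare_digest(password.encode(), expected.encode()):
        return user
    return None


def respond(request_headers):
    """Model a server offering optional authentication; returns (status, headers).

    Rule (1): an authenticated 200 carries no WWW-Authenticate header.
    Rule (2): failed credentials get 401, even though the same request without
              Authorization gets 200 plus a WWW-Authenticate challenge.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    auth = request_headers.get("Authorization")
    if auth is None:
        return 200, challenge  # anonymous access allowed; advertise credentials are accepted
    user = check_basic(auth)
    if user is None:
        return 401, challenge  # rule (2)
    return 200, {"X-Authenticated-User": user}  # rule (1): no challenge on success


def is_optional_auth(status, response_headers):
    """Client-side view: a 200 that still carries WWW-Authenticate means the
    server accepts credentials but does not require them."""
    return status == 200 and "WWW-Authenticate" in response_headers
```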