- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 26 Jul 2011 16:18:04 -0400
- To: Adrien de Croy <adrien@qbik.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, Yutaka OIWA <y.oiwa@aist.go.jp>, HTTP Working Group <ietf-http-wg@w3.org>
On 26/07/2011, at 4:11 PM, Adrien de Croy wrote: > apologies, but I'm still not convinced overloading a new function onto WWW-Authenticate is the best way to advertise the availability of optional authentication. > > It creates an immediate dilemma for any UA that receives such a message. > > What are the options for the UA, and how will they affect user experience? > > If the UA always elects to proceed to auth, then it's the same as sending back a 401 > if the UA tries to give the choice to the user, that's (IMO) asking for pain > otherwise the UA can ignore it, and it's just more bloat. > > Also I just see it breaking a whole heap of agents who switch behaviour on the presence of that header (rather than the status). > > Finally, we see UAs starting auth without this header in the first place. So does this really need advertising anyway? > > If this is to be new behaviour, shouldn't we use a new header or status? That way we can keep it out of the way. All we're doing is leaving the door open for the possibility in the future, explicitly; we're not requiring anything, and a future effort can figure out what the best thing to do is. -- Mark Nottingham http://www.mnot.net/
Received on Tuesday, 26 July 2011 20:18:29 UTC