Re: Review of draft-ietf-httpbis-p7-auth-19.txt


------ Original Message ------
From: "Alexey Melnikov" <alexey.melnikov@isode.com>
To: "HTTP Working Group" <ietf-http-wg@w3.org>
Sent: 9/05/2012 7:59:04 a.m.
Subject: Review of draft-ietf-httpbis-p7-auth-19.txt
>   If the origin server does not wish to accept the credentials sent 
>   with a request, it SHOULD return a 401 (Unauthorized) response. The 
>   response MUST include a WWW-Authenticate header field containing at 
>   least one (possibly new) challenge applicable to the requested 
>   resource. 
>
>   If a proxy does not accept the credentials sent with a request, it 
>   SHOULD return a 407 (Proxy Authentication Required). The response 
>   MUST include a Proxy-Authenticate header field containing a (possibly 
>   new) challenge applicable to the proxy for the requested resource. 
>
>I think this is a bit misleading. Can an authentication exchange include 
>more than one round trip? I think you need to be explicit one way or 
>another. (If it can, then "does not accept" is not necessarily correct.) 
>
>
NTLM has several.

Also I don't think HTTP should be specifying what should be policy 
decisions for a system operator.
  
A server should be free to decide that it doesn't wish to offer the 
client another attempt to supply credentials (e.g. send a 403 back).  
So the above paragraphs should be put in the context of only where the 
server does wish to offer this option.
  
Adrien

  
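The two options Adrien contrasts (keep challenging the client, or stop offering it another attempt and answer 403 with no challenge at all), together with the MUST-level requirements quoted from the draft, can be modelled in a few lines. The following Python is an added example written for this page; it is not code from the thread, from the HTTPbis working group, or from any HTTP implementation. The user store, the realm name, the three-attempt limit and the simulated client loop are all constructed assumptions; the challenge scheme used is Basic, and a multi-round-trip scheme such as the NTLM exchange mentioned above is not modelled.

```python
"""Added example (not from the thread or from draft-ietf-httpbis-p7-auth-19):
an origin-server / proxy decision function that models the operator policy
Adrien describes (offer a fresh challenge, or refuse further attempts with
403), plus a checker for the MUSTs quoted from the draft.  The user store,
realm and attempt limit are constructed assumptions."""
import base64
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed credential store and policy knobs (assumptions, not from the page).
USERS = {"alice": "correct horse"}
REALM = "example"
MAX_FAILED_ATTEMPTS = 3


def basic_credential(user: str, password: str) -> str:
    """Build an Authorization / Proxy-Authorization field value for Basic."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(credential: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic credential, or None if absent or malformed."""
    if not credential:
        return None
    scheme, _, token = credential.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def credentials_valid(credential: Optional[str]) -> bool:
    """Constant-time password check; unknown users compare against a dummy
    so the comparison itself does not reveal which usernames exist."""
    parsed = parse_basic(credential)
    if parsed is None:
        return False
    user, password = parsed
    expected = USERS.get(user)
    candidate = expected if expected is not None else "\x00" * len(password)
    return hmac.compare_digest(password, candidate) and expected is not None


def decide_response(credential: Optional[str], failed_attempts: int,
                    via_proxy: bool = False) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers).  Operator policy: once the client has used up
    its attempts, refuse outright with 403 and no challenge; otherwise a
    missing or wrong credential gets a fresh challenge in WWW-Authenticate
    (origin server) or Proxy-Authenticate (proxy), as the quoted draft requires."""
    if failed_attempts >= MAX_FAILED_ATTEMPTS:
        return 403, {}
    if credentials_valid(credential):
        return 200, {}
    challenge = f'Basic realm="{REALM}", charset="UTF-8"'
    if via_proxy:
        return 407, {"Proxy-Authenticate": challenge}
    return 401, {"WWW-Authenticate": challenge}


def check_challenge_requirements(status: int, headers: Dict[str, str]) -> List[str]:
    """Violations of the quoted MUSTs: a 401 needs WWW-Authenticate and a 407
    needs Proxy-Authenticate, each carrying at least one challenge that begins
    with a scheme token.  Other statuses (e.g. 403) carry no such requirement."""
    required = {401: "WWW-Authenticate", 407: "Proxy-Authenticate"}.get(status)
    if required is None:
        return []
    value = next((v for k, v in headers.items() if k.lower() == required.lower()), None)
    if value is None:
        return [f"{status} response lacks a {required} header field"]
    scheme = value.strip().split(" ", 1)[0].rstrip(",")
    if not scheme or not all(c.isalnum() or c in "!#$%&'*+-.^_`|~" for c in scheme):
        return [f"{required} does not begin with a challenge scheme token"]
    return []


def run_exchange(passwords: List[str], user: str = "alice") -> List[int]:
    """Simulated client: one request without credentials, then one request per
    password, stopping at the first non-challenge status.  Returns the status
    history, so the 401 -> ... -> 403 policy cut-off is visible."""
    history: List[int] = []
    failed = 0
    status, headers = decide_response(None, failed)
    history.append(status)
    for password in passwords:
        if status not in (401, 407):
            break
        status, headers = decide_response(basic_credential(user, password), failed)
        history.append(status)
        if status in (401, 407):
            failed += 1
    return history
```

The point of `decide_response` is the ordering of its checks: the 403 branch is evaluated before the credential is even looked at, so after the attempt limit the server does not offer a challenge, which is exactly the case the quoted SHOULD/MUST text does not cover. `check_challenge_requirements` only fires for 401 and 407, matching the draft's wording, and treats a 403 with no challenge as conforming.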

Received on Tuesday, 8 May 2012 21:59:40 UTC