- From: Adrien W. de Croy <adrien@qbik.com>
- Date: Tue, 08 May 2012 21:59:11 +0000
- To: "Alexey Melnikov" <alexey.melnikov@isode.com>, "HTTP Working Group" <ietf-http-wg@w3.org>
------ Original Message ------
From: "Alexey Melnikov" <alexey.melnikov@isode.com>
To: "HTTP Working Group" <ietf-http-wg@w3.org>
Sent: 9/05/2012 7:59:04 a.m.
Subject: Review of draft-ietf-httpbis-p7-auth-19.txt

> If the origin server does not wish to accept the credentials sent
> with a request, it SHOULD return a 401 (Unauthorized) response. The
> response MUST include a WWW-Authenticate header field containing at
> least one (possibly new) challenge applicable to the requested
> resource.
>
> If a proxy does not accept the credentials sent with a request, it
> SHOULD return a 407 (Proxy Authentication Required). The response
> MUST include a Proxy-Authenticate header field containing a (possibly
> new) challenge applicable to the proxy for the requested resource.
>
> I think this is a bit misleading. Can an authentication exchange
> include more than one round trip? I think you need to be explicit one
> way or another. (If it can, then "does not accept" is not necessarily
> correct.)

NTLM has several.

Also I don't think HTTP should be specifying what should be policy decisions for a system operator. A server should be free to decide that it doesn't wish to offer the client another attempt to supply credentials (e.g. send a 403 back).

So the above paragraphs should be put in the context of only where the server does wish to offer this option.

Adrien
Received on Tuesday, 8 May 2012 21:59:40 UTC
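The behaviour discussed in the thread, as an added example that is not part of the original message or of the HTTPbis drafts: a minimal origin-server and proxy decision function for Basic credentials that emits 401 + WWW-Authenticate and 407 + Proxy-Authenticate as the quoted text requires, plus the operator-policy branch Adrien describes (a 403 with no challenge once the server no longer wishes to offer another attempt). The credential store, realm, the `max_attempts` policy knob and the simulated client loop are all constructed for this example.

```python
import base64
import hmac

# Constructed credential store for the example: username -> password.
USERS = {"alice": "correct horse battery staple"}
REALM = "example"  # constructed realm name


def basic_header(user, password):
    """Build the Authorization / Proxy-Authorization value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _check_basic(authorization, users):
    """Return the username if the Basic credentials verify, else None."""
    if not authorization:
        return None
    scheme, _, param = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or user not in users:
        return None
    # Constant-time comparison so the check does not leak how much of the
    # password matched.
    if hmac.compare_digest(password.encode(), users[user].encode()):
        return user
    return None


def origin_response(headers, users=USERS, failures=0, max_attempts=3):
    """Origin server decision for one request: (status, response headers).

    A 401 always carries a WWW-Authenticate challenge (the draft's MUST).
    Whether to offer a further attempt at all is treated as operator policy:
    once `failures` reaches `max_attempts` the server answers 403 and sends
    no challenge, which is the option Adrien's reply wants left open.
    """
    if _check_basic(headers.get("Authorization"), users) is not None:
        return 200, {}
    if failures >= max_attempts:
        return 403, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}


def proxy_response(headers, users=USERS):
    """Same decision for a proxy: reads Proxy-Authorization, answers 407."""
    if _check_basic(headers.get("Proxy-Authorization"), users) is not None:
        return 200, {}
    return 407, {"Proxy-Authenticate": f'Basic realm="{REALM}"'}


def check_conformance(status, response_headers):
    """The two MUSTs from the quoted paragraphs, as a check a test suite
    could run against any server's responses."""
    if status == 401:
        return "WWW-Authenticate" in response_headers
    if status == 407:
        return "Proxy-Authenticate" in response_headers
    return True


def exchange(attempts, users=USERS, max_attempts=3):
    """Simulate the multi-round-trip exchange Alexey asks about: one
    unauthenticated request, then one retry per (user, password) pair in
    `attempts`, stopping at 200 or 403. Returns the list of statuses seen."""
    statuses = []
    failures = 0
    headers = {}
    for creds in [None] + list(attempts):
        if creds is not None:
            headers = {"Authorization": basic_header(*creds)}
        status, resp = origin_response(headers, users, failures, max_attempts)
        assert check_conformance(status, resp)  # every 401 carries a challenge
        statuses.append(status)
        if status in (200, 403):
            break
        failures += 1  # count challenges issued; policy decides when to stop
    return statuses


if __name__ == "__main__":
    print(exchange([("alice", "wrong"), ("alice", "correct horse battery staple")]))
    print(exchange([("alice", "wrong")] * 3))
```

The `failures` counter stands in for whatever state a real deployment would keep (per-connection for NTLM-style schemes, per-client or per-account elsewhere); the point of the example is only that 401/407 and the challenge header are tied together, while the decision to keep challenging at all is separate from the wire format.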