Comments on draft-oiwa-httpbis-auth-extension-00

In general I think this is a useful document and it is worth working on in the WG. Below are my general comments (I would have nitpicked a bit more if this document was in IETF LC).

Optional authentication: is a new header field really needed or can this be already done using a 200 response containing a WWW-Authenticate header field? Was use of 200 with WWW-Authenticate tried and it didn't work with existing browsers?

Section 3, last paragraph: some MAYs in the last couple of sentences look incorrect. I also think that making some HTTP authentication schemes require this header field would be a mistake, at least before the HTTP authentication framework is updated to include the new header field.

Similar text in Section 4, 2nd paragraph. The same problem.

In 4.3, 2nd to the last paragraph, last sentence: I think you need to specify which one wins (or to ignore the whole header field), otherwise this is not very useful.

In 4.3, last paragraph: avoid passive voice. Otherwise it is not clear whom the SHOULD/SHOULD NOT applies to. Also the use of SHOULD doesn't seem to be correct, but I can't tell until you clarify whom it applies to.

In 4.2 and 4.4: the pattern "MUST be an absolute URI, MAY be treated as relative if not" seems a bit wrong. Either use of absolute URIs is optional (and then you must use SHOULD/MAY), or it is not and the MAY needs to be dropped. Either way, use of MAY is incorrect here.

In 4.4: I think you meant "authentication sessions" instead of "authentication period".

Is auth-style value correct in Section 5.2?

Best Regards,
Alexey

Received on Sunday, 10 June 2012 17:22:23 UTC