- From: Yutaka OIWA <y.oiwa@aist.go.jp>
- Date: Thu, 14 Jun 2012 23:50:02 +0900
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Alexey Melnikov <alexey.melnikov@isode.com>, HTTP Working Group <ietf-http-wg@w3.org>
Dear Mark,

I'm not Alexey, but (one of) the person(s) proposing an HTTP authentication that does not happen in just one exchange.

>> If the origin server does not wish to accept the credentials
>> sent with a request, it SHOULD return a 401 (Unauthorized) response.

My interpretation of this phrase is "if the origin server does not wish to provide the requested resource with credentials sent within a request" (slightly rephrased).

Under this interpretation, we can implement multi-exchange authentication by using the 401 status code as follows:

    A non-authenticating request
    -> 401 Unauthorized (not acceptable)
    -> ask the user for a secret
    -> A request with 1st credential
    -> 401 Unauthorized (not satisfied yet)
    -> A request with 2nd credential
    -> 200 Succeed (now satisfied enough)

# Of course, it can be naturally extended for three or more exchanges.

As far as I know, 401/407 are the best choice for this case. I also think that there were already multi-exchange HTTP authentications using 401 in this way.

If one thinks the original sentence is bad for this, his/her understanding of the above flow may be "the server is accepting the 1st credential, and just requesting more", I guess.

My proposal is either we can just leave the text as is, or rephrase it like something above.

# Any rephrasing again with better English is welcome.

2012/6/8 Mark Nottingham <mnot@mnot.net>:
> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/357>
>
> Alexey, could you say a little more here? The text as it reads doesn't require authentication to happen in one exchange; it only mandates the status codes and headers to use.
>
> Thanks,
>
> --
> Mark Nottingham http://www.mnot.net/

-- 
Yutaka OIWA, Ph.D.
Leader, Software Reliability Research Group
Research Institute for Secure Systems (RISEC)
National Institute of Advanced Industrial Science and Technology (AIST)
Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]
Received on Thursday, 14 June 2012 14:50:52 UTC
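The multi-exchange flow described in the message above, as an added example (not code from the thread or from any HTTP implementation): a toy server state machine that answers 401 to an unauthenticated request, 401 again after a correct first credential (verified, but "not satisfied yet"), and 200 only once the second credential also checks out; a wrong or out-of-order credential discards the session and restarts at stage 1. The `MultiStep` scheme name, its `nonce`/`stage`/`secret` parameters and the two secrets are constructed for illustration only.

```python
import secrets

REALM = "example"
# constructed sample secrets for one user, keyed by stage; a real server looks these up per user
SECRETS = {"1": "first-secret", "2": "second-secret"}
SESSIONS = {}  # nonce -> number of stages already verified (0 or 1)

def challenge(nonce, stage):
    # 401 carrying the challenge for the next stage ('MultiStep' is a hypothetical scheme)
    return 401, {"WWW-Authenticate": f'MultiStep realm="{REALM}", nonce="{nonce}", stage="{stage}"'}

def parse_auth(header):
    """Parse 'MultiStep k="v", k="v"' into a dict; None when absent or malformed."""
    if not header or not header.startswith("MultiStep "):
        return None
    params = {}
    for part in header[len("MultiStep "):].split(","):
        if "=" not in part:
            return None
        k, v = part.strip().split("=", 1)
        params[k] = v.strip('"')
    return params

def handle(headers):
    """Server side: return (status, response headers) for one request."""
    cred = parse_auth(headers.get("Authorization"))
    if cred is None or cred.get("nonce") not in SESSIONS:
        nonce = secrets.token_hex(8)          # fresh session at stage 0 -> ask for 1st credential
        SESSIONS[nonce] = 0
        return challenge(nonce, "1")
    nonce = cred["nonce"]
    expected_stage = str(SESSIONS[nonce] + 1)
    ok = cred.get("stage") == expected_stage and secrets.compare_digest(
        cred.get("secret", ""), SECRETS[expected_stage])
    if not ok:                                # wrong or out-of-order credential: drop session, restart
        del SESSIONS[nonce]
        return handle({})
    if expected_stage == "1":                 # 1st credential verified but not satisfied yet -> 401 again
        SESSIONS[nonce] = 1
        return challenge(nonce, "2")
    del SESSIONS[nonce]                       # both stages verified -> resource may be served
    return 200, {}

def run_exchange(client_secrets):
    """Client side: follow each challenge, returning the status of every response seen."""
    statuses, headers = [], {}
    for _ in range(4):                        # bounded so a rejected client never loops forever
        status, resp = handle(headers)
        statuses.append(status)
        if status != 401:
            break
        p = parse_auth(resp["WWW-Authenticate"])
        secret = client_secrets.get(p["stage"], "")
        headers = {"Authorization": f'MultiStep nonce="{p["nonce"]}", stage="{p["stage"]}", secret="{secret}"'}
    return statuses
```

`run_exchange({"1": "first-secret", "2": "second-secret"})` yields `[401, 401, 200]`, the exact sequence the message sketches; a client missing either secret only ever sees 401s.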