- From: Mark Nottingham <mnot@mnot.net>
- Date: Fri, 15 Jun 2012 09:24:42 +1000
- To: Yutaka OIWA <y.oiwa@aist.go.jp>, Alexey Melnikov <alexey.melnikov@isode.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 15/06/2012, at 12:50 AM, Yutaka OIWA wrote:

> Dear Mark,
>
> I'm not Alexey, but (one of) the person(s) proposing an HTTP authentication
> not happen in just one exchange.
>
>>> If the origin server does not wish to accept the credentials
>>> sent with a request, it SHOULD return a 401 (Unauthorized) response.
>
> My interpretation of this phrase is "if the origin server does not wish to
> provide the requested resource with credentials sent within a request"
> (slightly rephrased).
> Under this interpretation, we can implement multi-exchange authentication
> by using the 401 status code as follows:
>
> A non-authenticating request -> 401 Unauthorized (not acceptable)
> -> ask user a secret
> -> A request with 1st-credential -> 401 Unauthorized (not satisfied yet)
> -> A request with 2nd-credential -> 200 Succeed (now satisfied enough)
>
> # Of course, it can be naturally extended for three or more exchanges.

That was my reading too.

> As far as I know, 401/407 are the best choice for this case.
> I also think that there were already multi-exchange HTTP authentications
> using 401 in this way.
>
> If one thinks the original sentence is bad for this,
> his/her understanding of the above flow may be
> "the server is accepting the 1st credential, and just requesting more", I guess.
>
> My proposal is either we can just leave the text as is, or rephrase it
> like something above.

"provide the requested resource" isn't correct from an HTTP standpoint, but I see where you're going.

My (personal) inclination is to leave it as-is, but I'm not against rewording if that'll move us forward. Alexey?

> # Any rephrasing again with better English is welcome.
>
> 2012/6/8 Mark Nottingham <mnot@mnot.net>:
>> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/357>
>>
>> Alexey, could you say a little more here? The text as it reads doesn't require authentication to happen in one exchange; it only mandates the status codes and headers to use.
>>
>> Thanks,
>>
>> --
>> Mark Nottingham http://www.mnot.net/
>
> --
> Yutaka OIWA, Ph.D. Leader, Software Reliability Research Group
> Research Institute for Secure Systems (RISEC)
> National Institute of Advanced Industrial Science and Technology (AIST)
> Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
> OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]

--
Mark Nottingham http://www.mnot.net/
Received on Thursday, 14 June 2012 23:25:13 UTC
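The multi-exchange flow described in the quoted message (request -> 401 -> first credential -> 401 "not satisfied yet" -> second credential -> 200), as an added simulation that is not part of the thread and not code from the HTTP working group. The scheme name "Example-Mutual", its parameters (user, stage, snonce, proof) and the HMAC-based second credential are constructed for illustration; only the 401 / WWW-Authenticate / Authorization mechanics are HTTP's own. The server issues a fresh nonce on the second 401 and consumes it on the next request, so a captured proof is not replayable.

```python
"""Multi-exchange HTTP authentication driven by repeated 401 responses.

Added example, not part of the mailing-list thread. The scheme name
"Example-Mutual", its parameters (user, stage, snonce, proof) and the
message layout are constructed for illustration; only the 401 /
WWW-Authenticate / Authorization mechanics follow HTTP.
"""
import hashlib
import hmac
import secrets

# Constructed credential store: username -> shared secret (assumption).
USERS = {"alice": b"correct horse battery staple"}

STAGE1 = 'Example-Mutual realm="demo", stage="1"'


def parse_params(value):
    """Split 'Scheme k="v", k2="v2"' into (scheme, {k: v}); example-only grammar."""
    scheme, _, rest = value.partition(" ")
    params = {}
    for item in rest.split(","):
        if "=" in item:
            key, val = item.strip().split("=", 1)
            params[key] = val.strip('"')
    return scheme, params


def proof_for(secret, snonce):
    """Second credential: HMAC-SHA256 of the server nonce under the shared secret."""
    return hmac.new(secret, snonce.encode(), hashlib.sha256).hexdigest()


class Server:
    """Origin server that answers 401 until two credential-bearing requests succeed."""

    def __init__(self, users):
        self.users = users
        self.pending = {}  # username -> server nonce issued in the previous round

    def handle(self, headers):
        """Return (status, response headers) for one request."""
        auth = headers.get("Authorization")
        if auth is None:
            # Round 0: no credentials at all -> challenge from the start.
            return 401, {"WWW-Authenticate": STAGE1}
        scheme, p = parse_params(auth)
        user = p.get("user")
        if scheme != "Example-Mutual" or user not in self.users:
            return 401, {"WWW-Authenticate": STAGE1}
        if "proof" not in p:
            # Round 1: the first credential is not sufficient yet, so the server
            # answers 401 again, this time carrying a fresh nonce for round 2.
            snonce = secrets.token_hex(8)
            self.pending[user] = snonce
            return 401, {"WWW-Authenticate":
                         f'Example-Mutual realm="demo", stage="2", snonce="{snonce}"'}
        # Round 2: the nonce is consumed whether or not the proof verifies,
        # so a captured proof cannot be replayed later.
        snonce = self.pending.pop(user, None)
        if snonce is not None and hmac.compare_digest(
                proof_for(self.users[user], snonce), p["proof"]):
            return 200, {"Content-Type": "text/plain"}
        return 401, {"WWW-Authenticate": STAGE1}


def run_exchange(server, user, secret, max_rounds=4):
    """Drive the client side; return the list of status codes seen, in order."""
    statuses = []
    headers = {}
    sent_proof = False
    for _ in range(max_rounds):
        status, resp = server.handle(headers)
        statuses.append(status)
        if status == 200:
            break
        _, chal = parse_params(resp["WWW-Authenticate"])
        if chal.get("stage") == "2":
            # Second credential: answer the server's nonce.
            headers = {"Authorization":
                       f'Example-Mutual user="{user}", '
                       f'proof="{proof_for(secret, chal["snonce"])}"'}
            sent_proof = True
        elif sent_proof:
            break  # stage 1 again after sending a proof: rejected, give up
        else:
            # First credential: identify the user only.
            headers = {"Authorization": f'Example-Mutual user="{user}"'}
    return statuses


if __name__ == "__main__":
    print(run_exchange(Server(USERS), "alice", USERS["alice"]))  # [401, 401, 200]
    print(run_exchange(Server(USERS), "alice", b"wrong"))         # [401, 401, 401]
```

The two 401 responses carry different challenges (stage="1" and stage="2"), which is how the client tells "not acceptable" from "not satisfied yet"; a rejected second credential drops the server back to stage 1 rather than letting the client retry the proof against the same nonce.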