Re: WGLC #357: Authentication Exchanges from Amos Jeffries on 2012-06-20 (ietf-http-wg@w3.org from April to June 2012)

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Wed, 20 Jun 2012 15:08:18 +1200
To: <ietf-http-wg@w3.org>
Message-ID: <7d41141fac4d3dcccc4d87280cf32b7d@treenet.co.nz>

On 20.06.2012 14:04, Mark Nottingham wrote:
> Looking at this, I think this language in the spec isn't very good
> for other reasons as well:
>
>> If the origin server does not wish to accept the credentials sent 
>> with a request, it should return a 401 (Unauthorized) response. The 
>> responsemust include a WWW-Authenticate header field containing at 
>> least one (possibly new) challenge applicable to the requested 
>> resource.
>>
>> If a proxy does not accept the credentials sent with a request, it 
>> should return a 407 (Proxy Authentication Required) response. The 
>> responsemust include a Proxy-Authenticate header field containing a 
>> (possibly new) challenge applicable to the proxy for the requested 
>> resource.
>
>
> Because "accept" can be read in so many ways. I think we can fix both
> problems with something like:
>
> """
> Requests for protected resources that omit credentials, contain
> invalid credentials (e.g., a bad password), or partial credentials
> (e.g., when the scheme requires more than one round trip) SHOULD
> return a 401 (Unauthorized) response. Such responses MUST include a
> WWW-Authenticate header field containing at least one (possibly new)
> challenge applicable to the requested resource.
>
> Likewise, requests that require authentication by proxies that omit
> credentials, or contain invalid or partial credentials SHOULD return 
> a
> 407 (Proxy Authentication Required) response. The response MUST
> include a Proxy-Authenticate header field containing a (possibly new)
> challenge applicable to the proxy.
> """
>
> Thoughts?
>

second paragraph:  s/The response MUST/ Such responses MUST/ is a bit 
clearer that its the 407 which "MUST", not any other status which may 
happen.



There is also no mention in any of the auth draft about 403 responses 
being used to terminate authentication attempts or cycles regardless of 
credentials validity or presence.

Something informational in this section would be very useful to clarify 
that 403 is one of the authentication-related states, for use in halting 
loops or making N-tries limitations.


AYJ

Received on Wednesday, 20 June 2012 03:08:46 UTC