- From: Mark Nottingham <mnot@mnot.net>
- Date: Sun, 24 Jun 2012 10:18:39 +1000
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 23/06/2012, at 8:44 PM, Julian Reschke wrote: >> 2.1 >> >> "Requests for protected resources that omit credentials, contain invalid credentials (e.g., a bad password), or partial credentials (e.g., when the authentication scheme requires more than one round trip) SHOULD return a 401 (Unauthorized) response." >> >> EDITORIAL - make the subject of the requirement more obvious, e.g., "Upon a request for a protected resource that omits credentials, contains invalid credentials (e.g., a bad password), or partial credentials (e.g., when the authentication scheme requires more than one round trip), an origin server SHOULD return a 401 (Unauthorized) response. > > OK. > >> "Likewise, requests that require authentication by proxies that omit credentials, or contain invalid or partial credentials should return a 407 (Proxy Authentication Required) response." >> >> EDITORIAL - same as above. > > Please confirm: > > Likewise, upon a request that requires authentication by proxies that > omit credentials, or contain invalid or partial credentials, a proxy > SHOULD return a 407 (Proxy Authentication Required) response. Such > responses MUST include a Proxy-Authenticate header field containing a > (possibly new) challenge applicable to the proxy. OK. -- Mark Nottingham http://www.mnot.net/
Received on Sunday, 24 June 2012 00:19:10 UTC