Re: #487 Resubmission of 403

------ Original Message ------
From: "Julian Reschke" <julian.reschke@gmx.de>
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
Sent: 2/07/2013 8:09:18 a.m.
Subject: Re: #487 Resubmission of 403
>On 2013-07-01 19:36, Roy T. Fielding wrote:
>>
>>On Jun 30, 2013, at 9:17 AM, Julian Reschke wrote:
>>
>>>On 2013-06-20 17:54, Julian Reschke wrote:
>>>>
>>>>"If authentication credentials were provided in the request, the server
>>>>considers them insufficient to grant access."
>>>>
>>>>This implies that *if* credentials have been provided, and the result is
>>>>403, it's due to the credentials.
>>
>>No, it does not. Such a conclusion is not supportable by logic or
>>English, and certainly not in programming languages, so I see no
>>reason for a change here. Read the entire paragraph.
> > ...
>
>I did, and I still think it's misleading. Again:
If it helps, the way I read it is that the clause doesn't try to provide 
any insight into how the client may determine if the problem is a 
credential one or not, except by referring to the payload of the 403.

* since it's a 403, the server wasn't prepared to grant access
* if it had creds, and yet still got a 403 response, therefore the creds were not enough to change the server's mind
* therefore the client shouldn't just try reusing the same creds, since they were insufficient
* the client has the option to try with different creds
* even new creds may not work, since it may not even be a credential issue
The "new or different" is a bit of a distraction IMO.  New = different.  
So it should just be

"The client MAY repeat the request with different credentials"

Adrien

>
>"If authentication credentials were provided in the request, the server
>considers them insufficient to grant access. The client SHOULD NOT
>repeat the request with the same credentials. The client MAY repeat the
>request with new or different credentials. However, a request might be
>forbidden for reasons unrelated to the credentials."
>
>So how does the client find out whether the credentials or something 
>else caused the problem? In the first case, we say it SHOULD NOT repeat 
>the request with the same credentials, in the second case we leave it 
>somehow open.
>
>Best regards, Julian
>
>
>
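The retry behaviour the thread argues over (never re-send the same credentials after a 403, optionally try different ones once, and stop because the refusal may not be about credentials at all) is easy to get wrong in a client that blindly retries. The following Python is an added example, not code from the thread or from the httpbis drafts; the in-memory `fake_server`, its credential table and resource policy are constructed for illustration, and `request_with_403_policy` is a hypothetical client helper that applies the draft's SHOULD NOT / MAY rules.

```python
from typing import Callable, List, Optional, Sequence, Tuple

# Constructed data for this example: which credential token maps to which
# role, and which roles each resource grants access to. An empty set means
# the resource is forbidden for everyone, i.e. a 403 unrelated to credentials.
VALID_CREDENTIALS = {"token-analyst": "analyst", "token-intern": "intern"}
RESOURCE_POLICY = {
    "/reports": {"analyst"},
    "/admin": set(),
}


def fake_server(path: str, credential: Optional[str]) -> int:
    """In-memory stand-in for an origin server (constructed, not a real one)."""
    if path not in RESOURCE_POLICY:
        return 404
    if credential is None or credential not in VALID_CREDENTIALS:
        # No usable credentials at all: challenge rather than forbid.
        return 401
    role = VALID_CREDENTIALS[credential]
    if role in RESOURCE_POLICY[path]:
        return 200
    # Credentials were provided and are recognised, but do not grant access.
    return 403


Attempt = Tuple[Optional[str], int]


def request_with_403_policy(
    send: Callable[[str, Optional[str]], int],
    path: str,
    credentials: Sequence[str],
) -> Tuple[int, List[Attempt]]:
    """Issue the request, applying the 403 rules from the draft text.

    `credentials` is the ordered list of credentials the client is willing
    to present. After a 403 the client never re-sends the same credentials
    (SHOULD NOT), may try each remaining *different* credential once (MAY),
    and then gives up, since the 403 might be unrelated to credentials.
    Returns the final status and the (credential, status) history.
    """
    if not credentials:
        status = send(path, None)
        return status, [(None, status)]

    history: List[Attempt] = []
    already_sent = set()
    for cred in credentials:
        if cred in already_sent:
            continue  # same credentials already drew a 403: do not repeat them
        already_sent.add(cred)
        status = send(path, cred)
        history.append((cred, status))
        if status != 403:
            return status, history  # success or a different error: stop here
    # Every distinct credential was refused; stop rather than loop.
    return 403, history


if __name__ == "__main__":
    # Credential-related 403: the second, different credential succeeds.
    print(request_with_403_policy(
        fake_server, "/reports", ["token-intern", "token-intern", "token-analyst"]))
    # Non-credential 403: new credentials do not help and the client stops.
    print(request_with_403_policy(
        fake_server, "/admin", ["token-analyst", "token-intern"]))
```

Note that the duplicate `"token-intern"` in the first call is skipped rather than re-sent, which is the SHOULD NOT in the draft wording, and that on `/admin` the client exhausts its distinct credentials and stops instead of assuming the problem is authentication.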

Received on Monday, 1 July 2013 23:21:15 UTC