Re: TLS Renegotiation and HTTP/2 (#363)

On Apr 1, 2014, at 8:18 PM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 1 April 2014 07:21, Yoav Nir <ynir.ietf@gmail.com> wrote:
>> But you’ve convinced me - we should add the channel bindings to the signed data.
> 
> This looks quite similar to the CREDENTIAL frame when you do it that way.

Sure. In general, HTTP authentication schemes are not tied to a connection. So if a resource requires authorization, the client can send the Authorization header with the first request without waiting for the 401.

This scheme would depend on having the challenge and Authorization header in the same connection, and also depend on the TLS state. I wonder if people would consider that a problem.

With sufficient time for the working groups to discuss this, I think both CREDENTIAL and an authentication method are better than starting a new, client-authenticated connection in that they don’t require a connection. But your catch draft can probably get published sooner than either of them.

Yoav
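The dependency described in the message above (a challenge/Authorization exchange that must stay on one connection because the channel binding is in the signed data) can be shown with a small runnable model. This is an added example, not code from the thread, from CREDENTIAL, or from any draft discussed here. It assumes a hypothetical "Hypothetical" auth scheme whose header syntax is invented for illustration, a constructed random value standing in for the TLS channel binding (a real implementation would take tls-unique or similar from the TLS layer), and an HMAC over a shared key standing in for the client's signature so that it runs offline.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical, constructed scheme for illustration only. A real deployment
# would obtain the channel binding from the TLS layer (e.g. tls-unique) and
# sign with the client's private key; HMAC over a shared key stands in here.


def new_tls_channel_binding() -> bytes:
    """Constructed stand-in for a TLS channel binding value.

    The only property the example relies on is that each TLS connection
    yields a different value; the bytes themselves are random here."""
    return secrets.token_bytes(12)


def server_challenge() -> bytes:
    """Fresh nonce the server would send in its 401 challenge."""
    return secrets.token_bytes(16)


def signed_data(challenge: bytes, channel_binding: bytes) -> bytes:
    # Length-prefix both fields so the encoding is unambiguous.
    return (len(challenge).to_bytes(2, "big") + challenge
            + len(channel_binding).to_bytes(2, "big") + channel_binding)


def client_proof(key: bytes, challenge: bytes, channel_binding: bytes) -> bytes:
    """Client computes the proof over the challenge AND the channel binding
    of the connection it is currently using."""
    return hmac.new(key, signed_data(challenge, channel_binding),
                    hashlib.sha256).digest()


def authorization_header(proof: bytes) -> str:
    """Invented header syntax for the hypothetical scheme."""
    return 'Authorization: Hypothetical proof="%s"' % base64.b64encode(proof).decode()


def parse_proof(header: str) -> bytes:
    prefix = 'Authorization: Hypothetical proof="'
    if not header.startswith(prefix) or not header.endswith('"'):
        raise ValueError("unrecognised Authorization header")
    return base64.b64decode(header[len(prefix):-1])


def server_verify(key: bytes, outstanding_challenge: Optional[bytes],
                  channel_binding: bytes, header: str) -> bool:
    """Server recomputes the proof from the challenge it issued on THIS
    connection and the channel binding of THIS connection."""
    if outstanding_challenge is None:
        # No challenge was issued on this connection, so a pre-emptive
        # Authorization header (sent before any 401) has nothing to bind to.
        return False
    expected = client_proof(key, outstanding_challenge, channel_binding)
    return hmac.compare_digest(expected, parse_proof(header))


def run_exchange() -> dict:
    key = b"constructed shared key standing in for the client's signing key"

    # Connection A: server challenges, client answers on the same connection.
    cb_a = new_tls_channel_binding()
    chal_a = server_challenge()
    header = authorization_header(client_proof(key, chal_a, cb_a))
    same_connection = server_verify(key, chal_a, cb_a, header)

    # Connection B: the same header is replayed on a different TLS connection.
    # A fresh challenge fails it, and so does the original challenge alone,
    # because the channel binding no longer matches.
    cb_b = new_tls_channel_binding()
    replayed_fresh_challenge = server_verify(key, server_challenge(), cb_b, header)
    replayed_same_challenge = server_verify(key, chal_a, cb_b, header)

    # Connection C: client sends Authorization first, before any 401.
    preemptive = server_verify(key, None, new_tls_channel_binding(), header)

    return {
        "same_connection": same_connection,
        "replayed_other_connection": replayed_fresh_challenge,
        "replayed_same_challenge_other_connection": replayed_same_challenge,
        "preemptive_without_challenge": preemptive,
    }


if __name__ == "__main__":
    for name, ok in run_exchange().items():
        print(f"{name}: {ok}")
```

The three failing cases are exactly the constraint the message raises: unlike a conventional HTTP scheme, the proof cannot be sent pre-emptively and cannot be carried to another connection, because the server's view of the TLS state is part of what it verifies.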

Received on Tuesday, 1 April 2014 17:42:09 UTC