Re: Call for adoption: draft-reschke-httpauth-auth-info-00

2015-01-29 9:21 GMT+09:00 Martin Thomson <>:
> More fundamentally, I see a correlation issue if clients provide
> multiple *Authorization header fields.  The response they receive will
> contain some unaggregated name-value pairs in this header field.

RFC7235 says that HTTP clients can send only one
"credentials" set in the Authorization: or Proxy-authorization: header,
as defined in Sections 4.2 and 4.4.
One "credentials" belongs to a single scheme.
So, "the applicable authentication scheme" means that
the unique scheme which the client has included in the corresponding request.

Of course, I've wished if the existing Digest authentication scheme had
included an "auth-scheme" in the existing Authentication-Info: header.
If it had a syntax like "Authentication-Info: Digest ...", it would be
self-contained and more clearer.
It's already in use (as a Digest-scheme specific header), and
it cannot be changed without inter-op issues.

Yutaka OIWA, Ph.D.
           Senior Researcher, Research Institute for Secure Systems (RISEC)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <>, <>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]

Received on Thursday, 29 January 2015 01:26:00 UTC