- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Thu, 29 Jan 2015 16:01:47 +1300
- To: ietf-http-wg@w3.org
On 29/01/2015 2:25 p.m., Yutaka OIWA wrote:
> 2015-01-29 9:21 GMT+09:00 Martin Thomson:
>> More fundamentally, I see a correlation issue if clients provide
>> multiple *Authorization header fields. The response they receive will
>> contain some unaggregated name-value pairs in this header field.
>
> RFC7235 says that HTTP clients can send only one
> "credentials" set in the Authorization: or Proxy-authorization: header,
> as defined in Sections 4.2 and 4.4.
> One "credentials" belongs to a single scheme.
> So, "the applicable authentication scheme" means
> the unique scheme that the client has included in the corresponding request.
>
> Of course, I've wished that the existing Digest authentication scheme had
> included an "auth-scheme" in the existing Authentication-Info: header.
> If it had a syntax like "Authentication-Info: Digest ...", it would be
> self-contained and clearer.
> It's already in use (as a Digest-scheme specific header), and
> it cannot be changed without inter-op issues.
>

There's nothing stopping a scheme=Digest parameter being specified or sent in that header. It just won't be used by legacy implementations is all.

Would be worth bringing up to the httpauth WG before they seal the next Digest version in stone if it's that important to you.

Amos
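The correlation rule the thread settles on (one "credentials" per request, so the name-value pairs in Authentication-Info belong to that request's scheme), plus the optional scheme parameter suggested in the reply, as an added Python example that is not code from the thread, from Squid or from any HTTP library; the header values and the `scheme=` parameter are constructed assumptions.

```python
import re
# Constructed example; not code from the thread, from Squid, or from any HTTP library.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"                       # RFC 7230 token
# auth-param = token BWS "=" BWS ( token / quoted-string ), RFC 7235 section 2.1
AUTH_PARAM = re.compile(r'(' + TOKEN + r')\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(' + TOKEN + r'))')
LEADING = re.compile(r'\s*(?:,\s*)*')       # OWS and the empty elements the #rule allows
SEP = re.compile(r'\s*(?:,\s*)+|\s*$')      # separator between elements, or end of list

def parse_auth_params(text):
    """Parse a #auth-param list (e.g. Authentication-Info) strictly: no garbage, no duplicates."""
    params, pos = {}, LEADING.match(text).end()
    while pos < len(text):
        m = AUTH_PARAM.match(text, pos)
        if not m:
            raise ValueError("malformed auth-param at offset %d" % pos)
        name = m.group(1).lower()
        if name in params:                     # keep neither copy of a repeated parameter
            raise ValueError("duplicate parameter %r" % name)
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        params[name] = re.sub(r'\\(.)', r'\1', raw)   # undo quoted-pair escapes
        sep = SEP.match(text, m.end())
        if not sep:
            raise ValueError("expected ',' at offset %d" % m.end())
        pos = sep.end()
    return params

def applicable_scheme(request_headers):
    """RFC 7235 s4.2: one 'credentials' per request, so its scheme is the one the response's
    Authentication-Info refers to; raise if that correlation is ambiguous or malformed."""
    creds = [v for k, v in request_headers if k.lower() == "authorization"]
    if len(creds) != 1:
        raise ValueError("expected exactly one Authorization field, got %d" % len(creds))
    m = re.match(r'\s*(' + TOKEN + r')(?=\s|$)', creds[0])
    if not m:
        raise ValueError("malformed credentials")
    return m.group(1).lower()

def correlate_authentication_info(request_headers, auth_info_value):
    """Attribute the Authentication-Info pairs to the request's scheme. The hypothetical
    'scheme' parameter is checked when present; a legacy parser just sees an unknown pair."""
    scheme = applicable_scheme(request_headers)
    params = parse_auth_params(auth_info_value)
    declared = params.pop("scheme", None)
    if declared is not None and declared.lower() != scheme:
        raise ValueError("Authentication-Info says %r, request used %r" % (declared, scheme))
    return scheme, params

# Constructed sample exchange; the Digest values are placeholders, not real hashes.
REQUEST = [("Host", "example.com"), ("Authorization", 'Digest username="alice", realm="r", nonce="n1", uri="/", response="abc"')]
AUTH_INFO = 'nextnonce="n2", qop=auth, rspauth="def", cnonce="xyz", nc=00000001, scheme=Digest'
```

Run `correlate_authentication_info(REQUEST, AUTH_INFO)` to see the pairs attributed to `digest`; add a second Authorization field to REQUEST and the same call refuses, which is exactly the correlation problem raised upthread.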
Received on Thursday, 29 January 2015 03:02:30 UTC