- From: Yutaka OIWA <y.oiwa@aist.go.jp>
- Date: Mon, 23 Feb 2015 09:35:29 +0900
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Hervé Ruellan <herve.ruellan@crf.canon.fr>, HTTP Working Group <ietf-http-wg@w3.org>

I think it's OK and it should be.
We already have WWW-Authenticate: for things before completion of authentication.

2015-02-23 3:24 GMT+09:00 Julian Reschke <julian.reschke@gmx.de>:
> On 2015-02-18 13:37, Hervé Ruellan wrote:
>>
>> I think the purpose of the headers should be made more consistent across
>> the document.
>
> Yes.
>
>> In the Introduction, they are used to "return additional information
>> during or after authentication", while in 3, the Authentication-Info
>> header is used to "communicate additional information regarding the
>> successful authentication".
>>
>> DIGEST uses it in an optional manner, to convey additional information
>> after a successful authentication.
>> Scram is using it in a mandatory manner, to finalize the authentication,
>> by conveying information for authenticating the server.
>>
>> I think that Authentication-Info should be used by the server once the
>> client is authenticated (i.e. the status code is not 401), to either
>> convey additional information or finalize the authentication.
>>
>> I created a pull request in this direction:
>> https://github.com/httpwg/http-extensions/pull/47
>>
>> Hervé.
>
> Which means that we rule out the use of Auth-Info before the authentication
> is done.
>
> I'm ok with this clarification, what do others think?
>
> Best regards, Julian

Received on Monday, 23 February 2015 00:36:16 UTC