
Re: Working Group Last Call: draft-ietf-httpbis-auth-info

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Mon, 23 Feb 2015 09:35:29 +0900
Message-ID: <CAMeZVwuGO5a9h+Fw=4nwuBOEjwR+qJ7_Vt6qzWKtQF+kWo51XA@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Hervé Ruellan <herve.ruellan@crf.canon.fr>, HTTP Working Group <ietf-http-wg@w3.org>

I think it's OK and it should be.

We already have WWW-Authenticate: for
things before completion of authentication.



2015-02-23 3:24 GMT+09:00 Julian Reschke <julian.reschke@gmx.de>:
> On 2015-02-18 13:37, Hervé Ruellan wrote:
>>
>> I think the purpose of the headers should be made more consistent across
>> the document.
>
>
> Yes.
>
>> In the Introduction, they are used to "return additional information
>> during or after authentication", while in 3, the Authentication-Info
>> header is used to "communicate additional information regarding the
>> successful authentication".
>>
>> DIGEST uses it in an optional manner, to convey additional information
>> after a successful authentication.
>> Scram is using it in a mandatory manner, to finalize the authentication,
>> by conveying information for authenticating the server.
>>
>> I think that Authentication-Info should be used by the server once the
>> client is authenticated (i.e. the status code is not 401), to either
>> convey additional information or finalize the authentication.
>>
>> I created a pull request in this direction:
>> https://github.com/httpwg/http-extensions/pull/47
>>
>> Hervé.
>
>
> Which means that we rule out the use of Auth-Info before the authentication
> is done.
>
> I'm ok with this clarification, what do others think?
>
> Best regards, Julian
>
Received on Monday, 23 February 2015 00:36:16 UTC
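
The rule discussed in this thread, as an added example that is not part of the original messages or of the draft: a client acts on Authentication-Info only when the status code is not 401, and can require the header when the scheme uses it to finalize authentication. The function names, the `server_proof_required` flag and the sample header values used with it are assumptions constructed for illustration.

```python
import re

# auth-param = token BWS "=" BWS ( token / quoted-string ), comma-separated list
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PARAM = re.compile(
    r'\s*(' + _TOKEN + r')\s*=\s*(?:(' + _TOKEN + r')|"((?:[^"\\]|\\.)*)")\s*(?:,|$)'
)


class AuthInfoError(Exception):
    """Raised when Authentication-Info is malformed or missing when required."""


def parse_auth_params(value):
    """Parse a comma-separated auth-param list into a dict (names lowercased)."""
    params, pos = {}, 0
    while pos < len(value):
        if value[pos] in " \t,":          # tolerate empty list elements
            pos += 1
            continue
        m = _PARAM.match(value, pos)
        if not m:
            raise AuthInfoError("malformed auth-param at offset %d" % pos)
        name = m.group(1).lower()
        if name in params:                # ambiguous input: reject, do not guess
            raise AuthInfoError("duplicate parameter: " + name)
        if m.group(2) is not None:
            params[name] = m.group(2)
        else:                             # quoted-string: undo backslash escapes
            params[name] = re.sub(r"\\(.)", r"\1", m.group(3))
        pos = m.end()
    return params


def accept_authentication_info(status, headers, server_proof_required=False):
    """Return parsed parameters, or None when the header must be ignored."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "authentication-info"), None)
    if status == 401:
        # Authentication is not complete; WWW-Authenticate carries that phase.
        return None
    if value is None:
        if server_proof_required:
            # Hypothetical flag for schemes that finalize authentication here.
            raise AuthInfoError("server did not finalize authentication")
        return {}
    return parse_auth_params(value)
```
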