- From: Rick van Rein <rick@openfortress.nl>
- Date: Tue, 21 Jan 2020 11:15:21 +0100
- To: Daniel Stenberg <daniel@haxx.se>
- CC: "HTTPbis WG (IETF)" <ietf-http-wg@w3.org>, "Henri Manson (ARPA2)" <henri.manson@arpa2.org>

Hello Daniel,

Thanks for reading/commenting.

> 1. RFC2616 is dead, refer to RFC 723X specs instead

*Oops* -- will fix that.

> 2. I would really like to see protocol examples in the spec that
> better explains the flows. I couldn't understand it without reading
> the blog post -
> that features such examples.

Fair enough, will do that.

> 3. The mandatory 403 when not authenticated seems unorthodox. Regular
> HTTP auth returns 401 (or 407 for proxy) when not authenticated.

Indeed. I was confused by the required inclusion of a challenge, but didn't know the client recognised a repeat. Will fix.

> 4. Section 3 wrongly states that Basic and Digest auth uses usernames
> in URIs. They didn't and don't. They speak of user names but they
> don't (have to) come from the URI.

Agreed, what I said is indeed browser behaviour.

Good criticism, thanks! I will fix this in the next one up.

-Rick

Received on Tuesday, 21 January 2020 10:15:59 UTC