Re: [Secdispatch] I-D on dealing with the 3xx XOR 401 problem

On Mon, Mar 30, 2020 at 07:06:29PM -0700, Benjamin Kaduk wrote:
> On Sat, Mar 28, 2020 at 11:37:48PM -0500, Nico Williams wrote:
> > This I-D then adds an Accept-Auth request header, and an HTTP
> 
> Interestingly, I was just thinking about whether such an Accept-Auth
> header would be useful in the context of Rick's SASL proposal that was
> presented at SECDISPATCH last week.  Perhaps along with a way for the
> server to annotate that various (e.g., linked) resources will require
> a given authentication mechanism, there might be a route to improving

The server isn't going to want to authenticate the user differently for
different resources -- authorize differently, yes, but probably still
with the same scheme.

> the UX in this space ... though there's a long way for it to go, so I
> don't know that these in and of themselves will make a huge
> difference.

I don't quite follow.  There's lots more work to do about UX?  Sure.
But I know this header will make a huge difference for sites where
there's a mix of Negotiate and Bearer -- it's absolutely essential for
the server to know which (if either, possibly both) are supported.  So
I'd very much like to move forward with registering the header by
requesting Expert Review for it.

What about the Redirect scheme?  Have I missed something important?
That will require IETF Review.  I've added security considerations text
in my GH repo for this, nicowilliams/accept-auth-and-redirect, FYI.

Nico
-- 

Received on Tuesday, 31 March 2020 05:00:18 UTC
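As an added illustration of the decision Nico describes above (not code from the I-D, the thread, or the nicowilliams/accept-auth-and-redirect repo): a server that serves both Negotiate/Bearer API clients and redirect-only browsers has to pick between a 401 challenge and a 3xx to an interactive login page, and an Accept-Auth request header lets the client tell it which schemes it can actually complete. The header syntax (a comma-separated list of scheme tokens, RFC 9110 list rules, optional parameters after `;` ignored), the 303 status for the interactive fallback, the login URL, and the realm are all assumptions made for this example; the draft's own Redirect scheme is not modelled here.

```python
"""Choose between a 401 challenge and a 3xx redirect from a hypothetical
Accept-Auth request header.  Example code, not the I-D's reference code."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote

# Schemes this (hypothetical) server can complete a handshake for, in the
# server's own preference order.  The client's order wins when both list them.
SERVER_SCHEMES = ("Negotiate", "Bearer")
LOGIN_URL = "https://idp.example.com/login"   # constructed interactive fallback
REALM = "example.com"                          # constructed


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """HTTP field names are case-insensitive; look the header up that way."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def parse_accept_auth(value: Optional[str]) -> List[str]:
    """Parse an Accept-Auth list (assumed syntax: comma-separated scheme tokens,
    optional ';' parameters ignored) into the client's preference order.
    Scheme names compare case-insensitively; duplicates and junk are dropped.
    Returns [] when the header is absent or empty."""
    if value is None:
        return []
    schemes: List[str] = []
    seen = set()
    for raw in value.split(","):
        token = raw.strip()
        if not token:
            continue                                  # tolerate ", ,"
        name = token.split(";", 1)[0].strip()         # "Bearer;q=0.5" -> Bearer
        if not name.replace("-", "").isalnum():
            continue                                  # not a scheme token
        if name.lower() in seen:
            continue
        seen.add(name.lower())
        schemes.append(name)
    return schemes


def choose_challenge(request_headers: Dict[str, str],
                     request_path: str) -> Tuple[int, Dict[str, List[str]]]:
    """Answer an unauthenticated request.

    - Client advertises a scheme we support  -> 401 with one WWW-Authenticate
      per mutually supported scheme, in the client's preference order.
    - No usable Accept-Auth (legacy browser, or only schemes we lack) -> 303
      to the interactive login page, carrying the original path along.
    The header is only a hint about what the client can do; nothing here
    grants access, it only selects which challenge to send."""
    client = parse_accept_auth(get_header(request_headers, "Accept-Auth"))
    by_lower = {s.lower(): s for s in SERVER_SCHEMES}
    usable = [by_lower[c.lower()] for c in client if c.lower() in by_lower]
    if usable:
        challenges = []
        for scheme in usable:
            if scheme == "Bearer":
                challenges.append(f'Bearer realm="{REALM}"')
            else:
                challenges.append(scheme)             # Negotiate takes no params
        return 401, {"WWW-Authenticate": challenges, "Vary": ["Accept-Auth"]}
    # Fixed login URL: the only client-controlled part is the return path, and it
    # is percent-encoded, so Accept-Auth cannot be used to steer the redirect.
    location = f"{LOGIN_URL}?return_to={quote(request_path, safe='')}"
    return 303, {"Location": [location], "Vary": ["Accept-Auth"]}


if __name__ == "__main__":
    # Constructed requests: an API client, a legacy browser, a mismatched client.
    print(choose_challenge({"Accept-Auth": "Bearer, Negotiate"}, "/api/v1/items"))
    print(choose_challenge({}, "/app?x=1"))
    print(choose_challenge({"accept-auth": "Basic, Digest"}, "/"))
```

Note the `Vary: Accept-Auth` on both branches: once the response depends on a request header, a shared cache must not hand a browser's 303 to an API client or vice versa, which would recreate the very confusion the header exists to remove.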