- From: 山本和彦 <kazu@iij.ad.jp>
- Date: Wed, 17 Jan 2024 09:58:47 +0900 (JST)
- To: mt@lowentropy.net
- Cc: ietf-http-wg@w3.org

Martin,

> For HTTP, I generally recommend using HTTP authentication
> (https://datatracker.ietf.org/doc/html/rfc9110#section-11.6). The
> simpler schemes (Basic, Digest, Bearer) have some pretty significant
> drawbacks, but they are widely used.
> https://httpwg.org/http-extensions/draft-ietf-httpbis-unprompted-auth.html
> has some promising characteristics, including a binding to the TLS
> connection. In choosing here, a lot depends on whether you intend
> to build a single service or you are looking at designing an
> HTTP-based protocol that others might want to deploy.

Lifting client authentication from TLS to HTTP sounds promising.
Thanks!

--Kazu

Received on Wednesday, 17 January 2024 00:59:03 UTC