- From: Nico Williams <nico@cryptonector.com>
- Date: Wed, 23 Jul 2025 15:40:54 -0500
- To: Atul Tulshibagwale <atul@sgnl.ai>
- Cc: Rory Hewitt <rory.hewitt@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org

On Tue, Jul 22, 2025 at 01:52:05PM -0700, Atul Tulshibagwale wrote:
> Hi Rory and Amos,
> I see these relevant headers in the HTTP field names registry:
>
> - Authentication-Control
> - Authentication-Info
> - Authorization

And WWW-Authenticate.

> The Authorization header cannot be used because it needs to be kept
> available for service-to-service authorization such as SPIFFE. The TraTs
> spec clarifies this here
> <https://www.ietf.org/archive/id/draft-ietf-oauth-transaction-tokens-05.html#section-8>
> .

It might be nice if Authorization allowed multiple values..

Instead of defining new headers like this on a case-by-case basis, would we benefit from defining an Authorizations header that allows multiple values?

Nico
--

Received on Wednesday, 23 July 2025 20:41:05 UTC