- From: Henry Story <henry.story@bblfish.net>
- Date: Sun, 6 Nov 2011 10:19:20 +0100
- To: "http-auth@ietf.org" <http-auth@ietf.org>
- Cc: WebID XG <public-xg-webid@w3.org>, Yutaka OIWA <y.oiwa@aist.go.jp>, julian.reschke@greenbytes.de
On 6 Nov 2011, at 01:22, bergi wrote:

>>
>>
>> 2) Do we really need qvalue here? Or what q=0 suggests?
>
> Maybe in combination with Basic it doesn't make sense, but a user/robot
> could have multiple decentralized identities with different protocols.
> The server may not support all of them, but with the qvalue the client
> could tell what's the protocol of the primary id.
>
> Example with WebID (primary) + OpenID:
> Accept-Authentication: WebID, OpenID;q=0.9
>
> In our particular case qvalue=1 could also mean that the server should
> ask for a certificate in "need-mode" otherwise in "want-mode". Some
> client implementations don't handle the "want-mode" in the right way and
> don't even ask for a client certificate. In "need-mode" the client must
> provide a certificate otherwise the server closes the connection with an
> error. The "need-mode" should work with all implementations.

I hasten to add that the NEED mode is the least user-friendly one, when considering human users. Humans can mistakenly click the cancel button, and not send a certificate, thereby automatically breaking the connection, which usually leaves the client showing a very ugly user interface. Want mode is a lot more elegant. But we may have to live for some time with clients that require NEED. It seems Java has this issue for example
https://bugs.openjdk.java.net/show_bug.cgi?id=100213
And some versions of Safari also I seem to remember.

Henry

>
>>
>> Do you have some opinion about these?
>>
>>
>> (*1) As far as several HTTP-Auth schemes are involved, the HTTP auth framework
>> allows servers to provide several possible schemes at once, and
>> clients to choose the most strong one. However, I want to allow
>> servers to check whether clients accept my Mutual authentication scheme,
>> otherwise divert to Form authentication possibly for transition purpose.
>>
>> On 2011/10/31 18:27, Dominik Tomaszuk wrote:
>>> On 30.10.2011 22:38, bergi wrote:
>> (skipped)
>>>> I propose to use a HTTP header field to
>>>> tell the server that the client is able to authenticate with a WebID. As
>>>> such a field could be also useful for other authentication methods I
>>>> would choose a generic name. There are already some Accept-* fields I
>>>> would follow that pattern. As it's currently not a standard field I
>>>> would prefix that field with X-. Multiple values must have the same
>>>> format as defined for the Accept field. Also the quality parameter must
>>>> be handled by the server.
>>>>
>>>> Example only with WebID authentication:
>>>> X-Accept-Authentication: WebID
>>>>
>>>> Example with WebID and Basic authentication:
>>>> X-Accept-Authentication: WebID, Basic;q=0.9
>>>>
>>>> What do you think about my proposal?
>>> It might be interesting to HTTPBis, part 7: Authentication [1] and HTTPBis
>>> Authentication Scheme Registrations [2]
>>>
>>> [1] http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-16
>>> [2] http://tools.ietf.org/html/draft-ietf-httpbis-authscheme-registrations-02
>>>
>>> Best,
>>> Dominik 'domel' Tomaszuk
>>>
>

Social Web Architect
http://bblfish.net/
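Added example, not code from anyone in this thread: a server-side parser for the proposed X-Accept-Authentication field, using the Accept-field conventions bergi refers to (comma-separated scheme tokens, optional ;q= weight in 0..1, missing q meaning 1, q=0 meaning "not acceptable"), together with the scheme selection a server would do against the schemes it supports and bergi's suggested mapping of the WebID qvalue onto the TLS client-certificate request mode (q=1 as "need", lower as "want"). The header name, the scheme tokens and the need/want convention are taken from the messages above; the function names, the token grammar and the tie-breaking rule are assumptions for this illustration.

```python
"""Parse X-Accept-Authentication (as proposed in the thread) and choose a scheme.

Assumptions for this illustration, not from the thread: function names,
the token character set, and header-order tie-breaking.
"""
import re
from typing import List, Optional, Tuple

# HTTP token characters (RFC 2616 'token'); anything else is rejected.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_accept_authentication(value: str) -> List[Tuple[str, float]]:
    """Return [(scheme, q), ...] in header order, schemes lower-cased.

    Accept-field rules: a missing q means 1.0, q is clamped to [0, 1],
    and a malformed element is skipped rather than failing the request.
    An unparsable q weight is treated as 0 ("not acceptable") so that a
    garbled client hint never promotes a scheme.
    """
    prefs: List[Tuple[str, float]] = []
    for element in value.split(","):
        element = element.strip()
        if not element:
            continue
        parts = [p.strip() for p in element.split(";")]
        scheme = parts[0]
        if not TOKEN_RE.match(scheme):
            continue
        q = 1.0
        for param in parts[1:]:
            name, _, val = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(val.strip())
                except ValueError:
                    q = 0.0
                q = min(max(q, 0.0), 1.0)
        prefs.append((scheme.lower(), q))
    return prefs


def choose_scheme(header: Optional[str], server_supported: List[str]) -> Optional[str]:
    """Pick the client's most-preferred scheme that the server also offers.

    q=0 means the client will not use that scheme. Ties go to the scheme
    listed first. A missing header returns None so the caller falls back
    to its usual challenge (e.g. form login, as Yutaka describes).
    """
    if header is None:
        return None
    supported = {s.lower() for s in server_supported}
    best: Optional[str] = None
    best_q = 0.0
    for scheme, q in parse_accept_authentication(header):
        if scheme in supported and q > best_q:
            best, best_q = scheme, q
    return best


def tls_client_cert_mode(header: Optional[str]) -> str:
    """Map the WebID qvalue onto the TLS client-cert request mode.

    Per bergi's suggestion: WebID with q=1 -> "need" (the TLS layer
    requires a certificate), a lower non-zero q -> "want" (ask, but
    tolerate a missing certificate), otherwise "none" (do not ask).
    """
    if header is None:
        return "none"
    for scheme, q in parse_accept_authentication(header):
        if scheme == "webid":
            if q >= 1.0:
                return "need"
            return "want" if q > 0 else "none"
    return "none"


if __name__ == "__main__":
    # Constructed request headers, matching the examples in the thread.
    for hdr in ("WebID, Basic;q=0.9", "WebID, OpenID;q=0.9", "OpenID, WebID;q=0.5", "Basic"):
        print(hdr, "->", parse_accept_authentication(hdr),
              "| chosen:", choose_scheme(hdr, ["WebID", "Basic"]),
              "| cert mode:", tls_client_cert_mode(hdr))
```

Note that the hint only tells the server which schemes the client is willing to use; the server still has to challenge with WWW-Authenticate and verify whatever credential arrives, and the parser deliberately ignores rather than trusts anything it cannot parse.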
Received on Sunday, 6 November 2011 09:20:05 UTC