
Re: HTTP request header field for acceptable authentication methods

From: Henry Story <henry.story@bblfish.net>
Date: Sun, 6 Nov 2011 10:19:20 +0100
Cc: WebID XG <public-xg-webid@w3.org>, Yutaka OIWA <y.oiwa@aist.go.jp>, julian.reschke@greenbytes.de
Message-Id: <CF20B5C7-1993-4F2D-97FF-81A28F2B9BED@bblfish.net>
To: "http-auth@ietf.org" <http-auth@ietf.org>

On 6 Nov 2011, at 01:22, bergi wrote:

>> 2) Do we really need qvalue here?  Or what q=0 suggests?
> Maybe in combination with Basic it doesn't make sense, but a user/robot
> could have multiple decentralized identities with different protocols.
> The server may not support all of them, but with the qvalue the client
> could tell what's the protocol of the primary id.
> Example with WebID (primary) + OpenID:
> Accept-Authentication: WebID, OpenID;q=0.9
> In our particular case qvalue=1 could also mean that the server should
> ask for a certificate in "need-mode" otherwise in "want-mode". Some
> client implementations don't handle the "want-mode" in the right way and
> don't even ask for a client certificate. In "need-mode" the client must
> provide a certificate otherwise the server closes the connection with an
> error. The "need-mode" should work with all implementations.

I hasten to add that the NEED mode is the least user-friendly one, when considering human users. Humans can mistakenly click the cancel button, and not send a certificate, thereby automatically breaking the connection, which usually leaves the client showing a very ugly user interface. Want mode is a lot more elegant. But we may have to live for some time with clients that require NEED.

It seems Java has this issue, for example.

And some versions of Safari also, I seem to remember.


>> Do you have some opinion about these?
>> (*1) As far as several HTTP-Auth schemes are involved, the HTTP auth framework
>>     allows servers to provide several possible schemes at once, and
>>     clients to choose the strongest one.  However, I want to allow
>>     servers to check whether clients accept my Mutual authentication scheme,
>>     otherwise divert to Form authentication possibly for transition purpose.
>> On 2011/10/31 18:27, Dominik Tomaszuk wrote:
>>> On 30.10.2011 22:38, bergi wrote:
>> (skipped)
>>>> I propose to use an HTTP header field to
>>>> tell the server that the client is able to authenticate with a WebID. As
>>>> such a field could be also useful for other authentication methods I
>>>> would choose a generic name. There are already some Accept-* fields I
>>>> would follow that pattern. As it's currently not a standard field I
>>>> would prefix that field with X-. Multiple values must have the same
>>>> format as defined for the Accept field. Also the quality parameter must
>>>> be handled by the server.
>>>> Example only with WebID authentication:
>>>> X-Accept-Authentication: WebID
>>>> Example with WebID and Basic authentication:
>>>> X-Accept-Authentication: WebID, Basic;q=0.9
>>>> What do you think about my proposal?
>>> It might be interesting to HTTPBis, part 7: Authentication [1] and HTTPBis
>>> Authentication Scheme Registrations [2]
>>> [1] http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-16
>>> [2] http://tools.ietf.org/html/draft-ietf-httpbis-authscheme-registrations-02
>>> Best,
>>> Dominik 'domel' Tomaszuk

Social Web Architect
Received on Sunday, 6 November 2011 09:20:05 UTC
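
Added example, not part of the original message or of any WebID implementation: a server-side parser for the proposed Accept-Authentication header, using the Accept-style q-value format the thread describes. The function names are hypothetical, reading q=0 as a refusal is an assumption (the thread leaves that question open), and the need/want mapping follows bergi's suggestion.

```python
import re

# q-value grammar as used by Accept: 0, 0.xxx, 1, 1.000
_QVALUE = re.compile(r"(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?)")

def parse_accept_authentication(value):
    """Return [(scheme, q)] ordered by descending q; header order breaks ties."""
    prefs = []
    for item in value.split(","):
        parts = [p.strip() for p in item.split(";")]
        if not parts[0]:
            continue  # skip empty list elements such as "WebID,,Basic"
        q = 1.0  # no q parameter means full preference, as with Accept
        for param in parts[1:]:
            name, _, raw = param.partition("=")
            if name.strip().lower() == "q":
                raw = raw.strip()
                # A malformed weight is treated as "not acceptable".
                q = float(raw) if _QVALUE.fullmatch(raw) else 0.0
        prefs.append((parts[0], q))
    return sorted(prefs, key=lambda p: -p[1])  # sorted() is stable

def select_scheme(header_value, supported):
    """Most preferred client scheme the server also supports, or (None, 0.0)."""
    by_lower = {s.lower(): s for s in supported}  # scheme names are case-insensitive
    for scheme, q in parse_accept_authentication(header_value):
        if q > 0 and scheme.lower() in by_lower:  # q=0 read as "do not use" (assumption)
            return by_lower[scheme.lower()], q
    return None, 0.0

def client_cert_mode(header_value):
    """Mapping suggested in the thread: WebID at q=1 -> 'need', lower q -> 'want'."""
    for scheme, q in parse_accept_authentication(header_value):
        if scheme.lower() == "webid" and q > 0:
            return "need" if q == 1.0 else "want"
    return None  # WebID absent or refused: do not request a client certificate

if __name__ == "__main__":
    # Header values taken from the examples in the thread.
    for hv in ("WebID, OpenID;q=0.9", "WebID, Basic;q=0.9"):
        print(hv, "->", select_scheme(hv, ["Basic", "WebID"]), client_cert_mode(hv))
```

The header is a client-supplied hint, so a server should use it only to choose among schemes it already permits, never to relax what it requires.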
