- From: Albert Lunde <albert-lunde@nwu.edu>
- Date: Thu, 29 May 1997 9:52:29 CDT
- To: w3c-dist-auth@w3.org
> > This might just be a more direct way of saying what you are saying. > > I think you will find that the only way to specify that credentials = > should be sent without restricting the implementation to any particular = > method (X.509, kerberos...) is to define a "credential cookie" which the = > client sends to the server. > > Determining which form of credential to send (assuming the client has a = > choice) would require the client and/or the server to send a list of the = > supported credential "formats" in order of preference the one being used = > being the highest commonly supported format (credential handshake). > > This implies that the minimum that this WG is going to have to do is > > 1) Decide which schemes we regard as candidates for credentials > 2) Determine the extension to HTTP for the credential handshaking = > explicitly naming the identified credential schemes and such that it can = > be extended to support other schemes (similar to the MIME-type names) > 3) Determine the extension to HTTP for the credential cookie transfer What's to stop using extension schemes under WWW-Authenticate as credentials?
Received on Thursday, 29 May 1997 10:52:33 UTC