Re: #78: Relationship between 401, Authorization and WWW-Authenticate

Amos Jeffries <squid3@treenet.co.nz> Mon, 25 July 2011 03:13 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA87721F85A8 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 24 Jul 2011 20:13:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OZE1XcXkeqES for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 24 Jul 2011 20:13:43 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 35DCF21F8591 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 24 Jul 2011 20:13:43 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.69) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1QlBbb-0003RF-CT for ietf-http-wg-dist@listhub.w3.org; Mon, 25 Jul 2011 03:13:19 +0000
Received: from aji.keio.w3.org ([133.27.228.206]) by frink.w3.org with esmtp (Exim 4.69) (envelope-from <squid3@treenet.co.nz>) id 1QlBbT-0003QP-L7 for ietf-http-wg@listhub.w3.org; Mon, 25 Jul 2011 03:13:11 +0000
Received: from [2002:3a1c:99e9:0:206:5bff:fe7c:b8a] (helo=treenet.co.nz) by aji.keio.w3.org with esmtp (Exim 4.72) (envelope-from <squid3@treenet.co.nz>) id 1QlBbQ-00006R-Rl for ietf-http-wg@w3.org; Mon, 25 Jul 2011 03:13:10 +0000
Received: from troja.treenetnz.com (unknown [119.224.36.238]) by treenet.co.nz (Postfix) with ESMTP id A07D2E757F for <ietf-http-wg@w3.org>; Mon, 25 Jul 2011 15:12:36 +1200 (NZST)
Message-ID: <4E2CDF23.1070303@treenet.co.nz>
Date: Mon, 25 Jul 2011 15:12:35 +1200
From: Amos Jeffries <squid3@treenet.co.nz>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11
MIME-Version: 1.0
To: ietf-http-wg@w3.org
References: <798C1D1A-C0C7-40DD-8993-31DB735A4961@mnot.net> <20110724181138.GW22405@1wt.eu> <CFBF6FC4-5E17-40A5-A10F-FDCB8B053BAF@mnot.net> <4E2CC6FA.3020207@qbik.com>
In-Reply-To: <4E2CC6FA.3020207@qbik.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Received-SPF: permerror client-ip=2002:3a1c:99e9:0:206:5bff:fe7c:b8a; envelope-from=squid3@treenet.co.nz; helo=treenet.co.nz
X-W3C-Hub-Spam-Status: No, score=-1.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, RDNS_NONE=0.793, TO_NO_BRKTS_NORDNS=0.001
X-W3C-Scan-Sig: aji.keio.w3.org 1QlBbQ-00006R-Rl cf776d11c38e2fe563bcde911697da4c
X-Original-To: ietf-http-wg@w3.org
Subject: Re: #78: Relationship between 401, Authorization and WWW-Authenticate
Archived-At: <http://www.w3.org/mid/4E2CDF23.1070303@treenet.co.nz>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/11066
X-Loop: ietf-http-wg@w3.org
Sender: ietf-http-wg-request@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Resent-Message-Id: <E1QlBbb-0003RF-CT@frink.w3.org>
Resent-Date: Mon, 25 Jul 2011 03:13:19 +0000

On 25/07/11 13:29, Adrien de Croy wrote:
>
>
> On 25/07/2011 6:31 a.m., Mark Nottingham wrote:
>> On 24/07/2011, at 2:11 PM, Willy Tarreau wrote:
>>
>>> On Sun, Jul 24, 2011 at 02:06:17PM -0400, Mark Nottingham wrote:
>>>> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/78>
>>>>
>>>> Proposal:
>>>>
>>>> 1) Clarify that WWW-Authenticate can appear on any response, and
>>>> that when it appears on any other than a 401, it means that the
>>>> client can optionally present the request again with a credential.
>>> Does this mean it's only for other 4xx or for any status ? It might have
>>> implications with non-idempotent requests if a client can repost a
>>> request
>>> that led to a 200 for instance.
>> Any status. Good point about non-idempotent requests; we'll need to
>> make clear it's not about automatically retrying requests, but instead
>> that sending the same request with credentials might have a different
>> affect.
>
> isn't this redundant?
>
> I see requests with credentials all the time, when no previous
> WWW-Authorize had been sent in any response.

I disagree on the redundant. This clarifies and documents the existing 
behaviour which must be handled by implementers to improve 
compatibility. Not all of us see these same requests you do.

>
> So clients are already taking any liberties they like to send
> credentials when they please. I don't know that it adds anything to HTTP
> to explicitly tell them they may do this in protocol. They are doing it
> anyway.
>
> Otherwise are we going to prohibit the sending of creds when no
> WWW-Authorize had been sent?

Prohibiting that would be a bad idea. It is possible for the client 
agent to use non-HTTP means to verify the connection security 
requirements before sending credentials over it.

Likewise the mere presence of a WWW-Authorize challenge means nothing 
about the security of the channel. Despite NTLM assumptions to the contrary.

A mention in the security considerations should be enough there.


AYJ