Re: #78: Relationship between 401, Authorization and WWW-Authenticate

Julian Reschke <julian.reschke@gmx.de> Tue, 26 July 2011 18:30 UTC

Message-ID: <4E2F0777.1040602@gmx.de>
Date: Tue, 26 Jul 2011 20:29:11 +0200
From: Julian Reschke <julian.reschke@gmx.de>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
References: <798C1D1A-C0C7-40DD-8993-31DB735A4961@mnot.net> <255B9BB34FB7D647A506DC292726F6E112892DE4A4@WSMSG3153V.srv.dir.telstra.com> <4E2DE5FF.7060801@gmx.de> <r92s27l82b2b7mt8ta9te03vrg0rjslpa5@hive.bjoern.hoehrmann.de>
In-Reply-To: <r92s27l82b2b7mt8ta9te03vrg0rjslpa5@hive.bjoern.hoehrmann.de>
Subject: Re: #78: Relationship between 401, Authorization and WWW-Authenticate
Archived-At: <http://www.w3.org/mid/4E2F0777.1040602@gmx.de>

On 2011-07-26 02:38, Bjoern Hoehrmann wrote:
> ...
> This should refer to disclosure or something like that rather than
> leakage (you wouldn't design a protocol that intentionally leaks something),
> and `Vary: *` strikes me as odd in this context (why, then, doesn't the
> use of Authorization imply just `Vary: Authorization`, for instance).
>
> I would rather say something along the lines that use of "Authorization"
> implies that the message is confidential with respect to the credentials
> provided in that header, meaning messages should be treated as if they
> had `Cache-Control: private`, and that new schemes must take explicit
> measures to ensure the confidentiality of messages, like using that same
> header, because deployed servers are otherwise unaware of the semantics.
> ...

Björn, thanks. To the point as always...

So:

"Use of the Authorization header to transfer credentials implies that 
the message is confidential with respect to the credentials provided in 
that header field, meaning response messages ought to be treated as if 
they had "Cache-Control: private", and that new authentication schemes 
will have to take explicit measures to ensure the confidentiality of 
messages, such as by using that very header, because deployed recipients 
are otherwise unaware of the semantics."

?
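The proposed text above says a response to a request carrying Authorization should be handled as if it had "Cache-Control: private". As an added illustration (not code from the thread or from any HTTP implementation), the following Python shows how a cache would apply that rule when deciding whether a response may be stored; the carve-out for responses that explicitly say `public`, `s-maxage` or `must-revalidate` is the exception listed in RFC 2616 section 14.8 (kept in RFC 7234), not something the proposed sentence itself states, and the header values are constructed samples.

```python
"""Storage decision for a cache when the request carried Authorization.

Rule implemented: a request with an Authorization header makes the
response behave as if it carried "Cache-Control: private", so a shared
cache must not store it, while a private (single-user) cache still may.
Exception (RFC 2616 s14.8 / RFC 7234 s3.2): an explicit public, s-maxage
or must-revalidate directive in the response lets a shared cache store it.
"""
from typing import Dict, Mapping

# Directives that override the implied "private" for shared caches.
_AUTH_OVERRIDES = ("public", "s-maxage", "must-revalidate")


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse a Cache-Control value into {directive: argument}.

    Directive names are case-insensitive; a bare directive maps to "";
    a quoted argument has its surrounding quotes removed.
    """
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def effective_cache_control(request: Mapping[str, str],
                            response: Mapping[str, str]) -> Dict[str, str]:
    """Response directives plus the "private" implied by Authorization."""
    resp = {k.lower(): v for k, v in response.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    has_auth = any(k.lower() == "authorization" for k in request)
    if has_auth and not any(d in cc for d in _AUTH_OVERRIDES):
        cc.setdefault("private", "")  # treat as if Cache-Control: private
    return cc


def shared_cache_may_store(request: Mapping[str, str],
                           response: Mapping[str, str]) -> bool:
    cc = effective_cache_control(request, response)
    return "no-store" not in cc and "private" not in cc


def private_cache_may_store(request: Mapping[str, str],
                            response: Mapping[str, str]) -> bool:
    # A single-user cache is the one party "private" still permits.
    return "no-store" not in effective_cache_control(request, response)
```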