Re: #78: Relationship between 401, Authorization and WWW-Authenticate

Yutaka OIWA <y.oiwa@aist.go.jp> Tue, 26 July 2011 13:48 UTC

Message-ID: <4E2EC55F.2050403@aist.go.jp>
Date: Tue, 26 Jul 2011 22:47:11 +0900
From: Yutaka OIWA <y.oiwa@aist.go.jp>
To: Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
References: <798C1D1A-C0C7-40DD-8993-31DB735A4961@mnot.net> <4E2EC0EE.8060200@aist.go.jp>
In-Reply-To: <4E2EC0EE.8060200@aist.go.jp>
Subject: Re: #78: Relationship between 401, Authorization and WWW-Authenticate
Archived-At: <http://www.w3.org/mid/4E2EC55F.2050403@aist.go.jp>

On 2011/07/26 22:28, Yutaka OIWA wrote:

> And if this change text intends to introduce any opportunity
> for optional authentication to HTTP at this time,
> I think we need more detailed restrictions to make it really work.
> If the intention is just to clarify header meanings and
> leave the rest for future work, it is OK for me.

Just FYI, the following is the list of additional rules required
to make optional auth work.

(1) The response for successful authentication MUST NOT contain
    any WWW-Authenticate: header.

(2) The response for failed authentication is RECOMMENDED to be
    401 status, even if a request for the same URL and method without
    Authorization: header will result in 200 status with WWW-Authenticate:
    header.

At least one of the above conditions must be met; otherwise
clients cannot determine whether the authentication was successful or not.
Of course, clause (1) will break some existing authentication schemes.

If interested, please also refer to my Mutual authentication proposal,
which also contains detailed rules (including the two above)
for realizing optional HTTP authentication.

If the #78 change intends to realize optional auth at this time,
I propose that the two clauses above be included.
Otherwise, it's OK and I'll work on this later in a future http-auth activity.

-- 
Yutaka OIWA, Ph.D.                                       Research Scientist
                            Research Center for Information Security (RCIS)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
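The two rules in the message above, and the claim that a client cannot tell success from failure unless at least one of them holds, can be checked with a small model of an "optional auth" server and the client-side classification that depends on it. This is an added example for this archive page, not code from the HTTP Working Group, from the #78 change text or from the Mutual authentication proposal. It assumes HTTP Basic as the scheme, a constructed one-user credential store, the realm "example", and the helper names `serve`, `client_outcome` and `distinguishable`; the `rule1`/`rule2` flags exist only to switch each rule off and reproduce the ambiguity the message warns about.

```python
import base64

# Constructed credential store and realm: assumptions for this example only.
USERS = {"alice": "correct horse battery staple"}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="example"'}


def basic_header(user, password):
    """Build an Authorization header value for HTTP Basic."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def _check_basic(authorization):
    """Return the user name if the Basic credentials are valid, else None."""
    scheme, _, payload = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    # A real server compares against a stored hash in constant time; a plain
    # comparison keeps the example short.
    return user if USERS.get(user) == password else None


def serve(authorization=None, rule1=True, rule2=True):
    """Serve a resource that is readable anonymously but also accepts
    credentials (optional authentication).  Returns (status, headers, body).

    rule1: a response to a successful authentication carries no
           WWW-Authenticate header (clause (1) of the message).
    rule2: a failed authentication gets 401, even though the anonymous
           request for the same URL gets 200 plus WWW-Authenticate
           (clause (2) of the message).
    Both default on; switch one off to model a server that ignores it.
    """
    if authorization is None:
        # Anonymous access is allowed; advertise that authentication is possible.
        return 200, dict(CHALLENGE), "public view"
    user = _check_basic(authorization)
    if user is not None:
        headers = {} if rule1 else dict(CHALLENGE)
        return 200, headers, f"private view for {user}"
    if rule2:
        return 401, dict(CHALLENGE), "bad credentials"
    # Without rule (2), a failure is served exactly like the anonymous request.
    return 200, dict(CHALLENGE), "public view"


def client_outcome(sent_credentials, status, headers):
    """Classify a response the way a client can once rules (1) and (2) are
    in force.  The body is ignored on purpose: its meaning is application
    specific and gives the client nothing generic to decide on."""
    challenged = "WWW-Authenticate" in headers
    if status == 401:
        return "failure"
    if not sent_credentials:
        return "anonymous"
    if challenged:
        # 200 plus a challenge after sending credentials: rule (1) says a
        # success never carries a challenge, so the credentials were rejected.
        return "failure"
    return "success"


def distinguishable(rule1, rule2):
    """Can a client separate a successful from a failed authentication using
    only the status and the presence of WWW-Authenticate, against a server
    that obeys the given subset of the two rules?"""
    good = serve(basic_header("alice", USERS["alice"]), rule1, rule2)
    bad = serve(basic_header("alice", "wrong password"), rule1, rule2)

    def signature(response):
        status, headers, _body = response
        return status, "WWW-Authenticate" in headers

    return signature(good) != signature(bad)


if __name__ == "__main__":
    for r1 in (True, False):
        for r2 in (True, False):
            print(f"rule1={r1!s:5} rule2={r2!s:5} "
                  f"distinguishable={distinguishable(r1, r2)}")
```

Running the block prints four lines; only the `rule1=False rule2=False` server leaves the client unable to tell the two cases apart, which is the "at least one of the above conditions must be met" point. Note that `client_outcome` treats a 200 with a challenge after credentials were sent as a failure, which is only sound because rule (1) is a MUST; against a legacy server that sends WWW-Authenticate on every response, that decision is wrong, which is the breakage the message anticipates for some existing schemes.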