Re: #78: Relationship between 401, Authorization and WWW-Authenticate

Yutaka OIWA <y.oiwa@aist.go.jp> Tue, 26 July 2011 13:30 UTC

Message-ID: <4E2EC0EE.8060200@aist.go.jp>
Date: Tue, 26 Jul 2011 22:28:14 +0900
From: Yutaka OIWA <y.oiwa@aist.go.jp>
To: Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
References: <798C1D1A-C0C7-40DD-8993-31DB735A4961@mnot.net>
In-Reply-To: <798C1D1A-C0C7-40DD-8993-31DB735A4961@mnot.net>
Subject: Re: #78: Relationship between 401, Authorization and WWW-Authenticate
Archived-At: <http://www.w3.org/mid/4E2EC0EE.8060200@aist.go.jp>

2011/7/25 Mark Nottingham <mnot@mnot.net>:
> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/78>
>
> Proposal:
>
> 1) Clarify that WWW-Authenticate can appear on any response, and that when it
> appears on any other than a 401, it means that the client can optionally
> present the request again with a credential.

Just for confirmation:
I remember we had some discussion about this years ago.
This change will break SPNEGO (see RFC 4559, Sec. 5 example)
and other authentication schemes which use
WWW-Authenticate on 200 as a carrier for authentication
exchanges, instead of Authentication-Info.
Is this incompatible change OK?
(I prefer this direction, though.)

And if this change text intends to introduce any opportunity
for optional authentication to HTTP at this time,
I think we need more detailed restrictions to make it really work.
If the intention is just to clarify header meanings and
leave the rest for future work, it is OK for me.

> 2) Clarify that an Authentication scheme that uses WWW-Authenticate and/or
> 401 MUST use the Authorization header in the request, because of its
> implications for caching. Schemes MAY specify additional headers to be used
> alongside it.

+1. Good way.

-- 
Yutaka OIWA, Ph.D.                                       Research Scientist
                            Research Center for Information Security (RCIS)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
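As an added example (not part of the thread or any HTTPbis text), the following Python sketches how a client would read WWW-Authenticate under proposal 1, flags the RFC 4559 Sec. 5 pattern Yutaka raises (a Negotiate token carried on a 200 response), and encodes the shared-cache rule behind proposal 2. The function names, the one-challenge-per-header simplification and the sample token are assumptions of this example.

```python
import re

# Added example, not from the thread. Single-challenge-per-field parser, an
# interpretation rule for WWW-Authenticate by status, and the RFC 2616 sec. 14.8
# shared-cache rule that motivates proposal 2.
TOKEN68 = re.compile(r"[A-Za-z0-9._~+/-]+=*")
PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*"?([^",]*)"?')


def parse_challenge(value: str):
    """Parse one challenge into (scheme, token68_or_None, params).

    Assumes one challenge per header field, as in the RFC 4559 example."""
    scheme, _, rest = value.strip().partition(" ")
    rest = rest.strip()
    if not rest:
        return scheme, None, {}
    if TOKEN68.fullmatch(rest):            # e.g. "Negotiate <gssapi-data>"
        return scheme, rest, {}
    return scheme, None, dict(PARAM.findall(rest))


def classify(status: int, challenges):
    """How a client should interpret WWW-Authenticate, by response status."""
    if status == 401:
        return "auth-required"             # unchanged: retry with credentials
    for c in challenges:
        scheme, token, _ = parse_challenge(c)
        if scheme.lower() == "negotiate" and token:
            # RFC 4559 sec. 5: on a 2xx this token completes mutual authentication;
            # proposal 1 would instead read it as an offer of optional authentication.
            return "spnego-continuation"
    return "auth-optional" if challenges else "none"   # proposal 1


def shared_cache_may_store(req, resp) -> bool:
    """Proposal 2's caching rationale (RFC 2616 sec. 14.8): a shared cache must not
    store a response to a request carrying Authorization unless the response
    explicitly permits it via public, must-revalidate or s-maxage."""
    if "Authorization" not in req:
        return True
    cc = {d.strip().split("=")[0].lower() for d in resp.get("Cache-Control", "").split(",")}
    return bool(cc & {"public", "must-revalidate", "s-maxage"})


if __name__ == "__main__":
    # Constructed sample exchanges; the Negotiate token is a placeholder, not real GSS data.
    print(classify(401, ["Negotiate"]))
    print(classify(200, ["Negotiate YWJjZGVm"]))
    print(classify(200, ['Basic realm="demo"']))
    print(shared_cache_may_store({"Authorization": "Basic Og=="}, {"Cache-Control": "public, max-age=60"}))
```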