Should the HTTP Signature Auth Scheme support WWW-Authenticate?
msporny commented
From a review of the HTTP Signature Auth Scheme by @mnot:
You don't define a corresponding challenge. Your use cases might not require a 401 + WWW-Authenticate, but have you considered that some will want this?
From @msporny:
Yes, we did consider it. We wanted this to be a mostly "you're verified or you're not" mechanism. We didn't really want any sort of back-and-forth negotiation. That said, it's a weak argument because you probably want to be able to notify clients that they could access the resource if they provided a signature. If we decide that this is going to use the "Authorization" header (and not some new kind of header), we'll define the WWW-Authenticate bits of it.
The rest of the thread can be found here: http://lists.w3.org/Archives/Public/public-webpayments/2014Feb/0019.html
msporny commented
We should also say something about whether or not the spec applies to Proxy-Authenticate. Note to self: learn about Proxy Authentication.