On 2012-01-01 20:41, Mike Jones wrote:
> I'll note that in some profiles, the Bearer challenge may be the only one that the application may legally use. In that case, there's no need to be able to parse other challenges that the application can't fulfill in the first place. The application would fail if an unsupported challenge type was used in either case.

The ability to send multiple challenges with the recipient taking the strongest one it supports is an important part of HTTP auth. I'd like to understand what scenario would disable that.

> As editor, I'll note that it doesn't seem like this discussion is moving the process forward anymore. I believe that we've sufficiently clarified that you hold a different position than the working group consensus (which I realize is your right to do). I also believe that the issues have been sufficiently well discussed on the list for all parties to be well informed.

For completeness, I'll repeat that I don't think that there was WG consensus for your point of view, but I'll leave it to the chairs to decide how to proceed.

> Therefore, it seems that my earlier observation still holds: In the New Year, the chairs and area directors (and possibly the OAuth design committee) will need to decide how to proceed on this issue. It would be good to see the spec finished shortly.

Yes, it would. I still have no idea what's keeping you from doing what HTTPbis recommends. It would be extremely helpful to get *technical* feedback on that (so far I haven't seen any).
Best regards, Julian