On Fri, 7 Dec 2018 15:44, hanno(_at_)hboeck(_dot_)de said:
> I think it would be good if the WKD draft would be updated to clarify
> that a client should never answer to any 401 authentication requests
> from the server.
Is this okay:
A client MUST not accept an HTTP authentication challenge (HTTP code
401) because the information in the Web Key Directory is public and
needs no authentication. Allowing an authentication challenge has the
problem of easily confusing a user with a password prompt and tricking
him into falsely entering the passphrase used to protect his private
key or to login to his mail provider.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
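The requirement proposed above, shown as an added example (not code from the thread, the WKD draft or GnuPG): a small Python WKD fetch routine that takes an already-constructed WKD URL, installs no HTTP authentication handler at all, and turns a 401 into a distinct failure instead of a credential prompt. The test server, its paths (`hu/public`, `hu/gated`), the realm string and the key bytes are constructed for the demonstration.

```python
"""WKD lookup client that refuses HTTP authentication challenges (added example)."""
import http.server
import threading
import urllib.error
import urllib.request
from typing import Optional


class WkdAuthChallenge(Exception):
    """Raised when a WKD server answers 401; the client never answers the challenge."""


def fetch_wkd_key(url: str, timeout: float = 5.0) -> Optional[bytes]:
    """Fetch a binary OpenPGP key from an already-constructed WKD URL.

    Returns the response body on 200, None on 404 (nothing published for that
    address), and raises WkdAuthChallenge on 401. No credentials are ever sent
    and no prompt is shown: WKD data is public, so a challenge is a lookup failure.
    """
    # build_opener() installs no HTTPBasicAuthHandler/HTTPDigestAuthHandler,
    # so there is no code path that could answer a WWW-Authenticate header.
    opener = urllib.request.build_opener()
    req = urllib.request.Request(url, headers={"User-Agent": "wkd-example/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 401:
            challenge = err.headers.get("WWW-Authenticate")
            raise WkdAuthChallenge(
                f"{url} demanded authentication ({challenge!r}); "
                "WKD content is public, treating this as a failed lookup"
            ) from None
        if err.code == 404:
            return None
        raise


class _FakeWkdServer(http.server.BaseHTTPRequestHandler):
    """Constructed test server: one public key, one path that demands a login, 404 otherwise."""

    KEY = b"\x98\x33\x04constructed-placeholder-key-bytes"  # not a real OpenPGP packet

    def _reply(self, code: int, body: bytes = b"", extra=()):
        self.send_response(code)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path.startswith("/.well-known/openpgpkey/hu/public"):
            self._reply(200, self.KEY, [("Content-Type", "application/octet-stream")])
        elif self.path.startswith("/.well-known/openpgpkey/hu/gated"):
            # The situation the draft text warns about: a 401 that would lure a
            # naive client into showing a password dialog for the "mail account".
            self._reply(401, extra=[("WWW-Authenticate", 'Basic realm="mail account"')])
        else:
            self._reply(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_test_server():
    server = http.server.HTTPServer(("127.0.0.1", 0), _FakeWkdServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def demo() -> dict:
    """Run the three lookups against the local server and report what the client did."""
    server, base = start_test_server()
    try:
        results = {}
        results["public"] = fetch_wkd_key(base + "/.well-known/openpgpkey/hu/public?l=alice")
        results["missing"] = fetch_wkd_key(base + "/.well-known/openpgpkey/hu/nobody?l=nobody")
        try:
            fetch_wkd_key(base + "/.well-known/openpgpkey/hu/gated?l=bob")
            results["gated"] = "accepted challenge (bug)"
        except WkdAuthChallenge:
            results["gated"] = "refused challenge"
        return results
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The point of the design is that refusal is structural rather than a check bolted on: because no authentication handler is registered, the 401 can only surface as an error, and the caller gets a dedicated exception type that a key-discovery UI can map to "no key found" without ever opening a password dialog.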
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp