On Fri 2018-12-14 10:02:46 +0100, Werner Koch wrote:
On Fri, 7 Dec 2018 15:44, hanno(_at_)hboeck(_dot_)de said:
I think it would be good if the WKD draft would be updated to clarify
that a client should never answer to any 401 authentication requests
from the server.
Is this okay:
A client MUST not accept a HTTP authentication challenge (HTTP code
401) because the information in the Web Key Directory is public and
needs no authentication. Allowing an authentication challenge has the
problem to easily confuse a user with a password prompt and tricking
him into falsely entering the passphrase used to protect his private
key or to login to his mail provider.
The explanation and justification part here is very clear, and i agree
it should be included. But is "accept an HTTP authentication challenge"
the same thing as "make an HTTP authentication prompt visible to the
user" ?
how about something more like "a WKD client MUST treat an HTTP response
code 401 the same way it treats a 404…"
--dkg
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp