Specification of servers announcing allowed keyId types

[csarven]

Under "3.1.1. Initiating Signature Authorization":

The type of keyId(s) that a client may used is not specified under WWW-Authenticate. Is this intentionally omitted (eg to allow extension specifications to specify)?

Specifying a field like keyIdType in the WWW-Authenticate header can advertise to clients the type of keyId they can use in their request. If a client for example sees keyIdType="uri" (or "rsa", "hmac"..), it would know whether to bother with authentication or not with that keyId. Without this information, the client will have to try to authenticate with the hope that the server can recognise that authentication mechanism.

[csarven]

The other way of looking at this is if keyIdType is unspecified, then servers and clients are expected to handle all keyId types in order to interop.

[wrygiel]

Perhaps realm can be used for that?

[msporny]

@wrygiel realm is often used for a sub part of the domain to authenticate with, it's not meant to specify key type.

@csarven your suggestion to include something like an expected key type may be useful, but keep in mind that the client is supposed to keep track of that now (because the registration process is out of band). That said, perhaps we should have a "hints" field that can include "keyType", among other sorts of hints?

[liamdennehy]

That said, perhaps we should have a "hints" field that can include "keyType", among other sorts of hints?

I think these approaches start to turn this into a very complex protocol, when it could easily be presented in supplemental documentation. I don't think it's a burden to expect a signer to read up on how to format a request, or state what format they will produce in responses.