Specification of servers announcing allowed keyId types #3
Comments
The other way of looking at this is if
Perhaps
@wrygiel realm is often used for a sub part of the domain to authenticate with, it's not meant to specify key type. @csarven your suggestion to include something like an expected key type may be useful, but keep in mind that the client is supposed to keep track of that now (because the registration process is out of band). That said, perhaps we should have a "hints" field that can include "keyType", among other sorts of hints?
I think these approaches start to turn this into a very complex protocol, when it could easily be presented in supplemental documentation. I don't think it's a burden to expect a signer to read up on how to format a request, or state what format they will produce in responses.
Under "3.1.1. Initiating Signature Authorization":

The type of `keyId`(s) that a client may use is not specified under `WWW-Authenticate`. Is this intentionally omitted (e.g. to allow extension specifications to specify)?

Specifying a field like `keyIdType` in the `WWW-Authenticate` header can advertise to clients the type of `keyId` they can use in their request. If a client, for example, sees `keyIdType="uri"` (or "rsa", "hmac"..), it would know whether to bother with authentication or not with that `keyId`. Without this information, the client will have to try to authenticate with the hope that the server can recognise that authentication mechanism.
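An added illustration, not part of the issue or of the specification text: how a client could act on the hint proposed above. `keyIdType` is only the parameter name suggested in this issue, not a defined field; the space-separated list of types, the function names and the client's keyId-to-type table are assumptions made for the example.

```python
import re

# auth-param = name "=" ( token / quoted-string ); the name pattern is simplified.
_PARAM = re.compile(r'([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


def parse_signature_challenge(header):
    """Return the parameters of a Signature challenge as a dict keyed by
    lower-cased name, or None if the header uses another scheme."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "signature":
        return None
    params = {}
    for m in _PARAM.finditer(rest):
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        value = re.sub(r"\\(.)", r"\1", value)  # undo quoted-pair escapes
        if name in params:
            # Two conflicting hints are ambiguous; refuse rather than guess.
            raise ValueError("duplicate parameter: " + name)
        params[name] = value
    return params


def usable_key_ids(header, client_keys):
    """client_keys maps keyId -> key type, as recorded by the client at
    (out-of-band) registration. Returns the keyIds worth trying, or None
    when the challenge is not a Signature challenge."""
    params = parse_signature_challenge(header)
    if params is None:
        return None
    hint = params.get("keyidtype")  # hypothetical parameter from this issue
    if hint is None:
        # No hint advertised: the client can only try every key it holds.
        return sorted(client_keys)
    allowed = {t.lower() for t in hint.split()}
    # The hint is unauthenticated, so it only narrows the set of keys already
    # registered for this server; it never adds a key or changes its type.
    return sorted(k for k, t in client_keys.items() if t.lower() in allowed)


if __name__ == "__main__":
    # Constructed sample data.
    keys = {"https://alice.example/key#1": "uri", "rsa-key-1": "rsa"}
    challenge = 'Signature realm="Example",headers="(request-target) date",keyIdType="uri"'
    print(usable_key_ids(challenge, keys))
```

An empty result tells the client not to bother signing at all, which is the case the issue describes.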