New header field vs existing Authorization header

[chris-wood]

Is there a technical reason why the WWW-Authenticate header was not chosen for this draft? That can be sent without a corresponding challenge (in an unprompted way), as we note in the HTTP authentication scheme for Privacy Pass. It seems like that would work in this context, too.

[tfpauly]

Is this rather about using the Authorization header?

[chris-wood]

🤦 Yep!

[DavidSchinazi]

@chris-wood can you elaborate on "as we note in the HTTP authentication scheme for Privacy Pass"? I skimmed through that draft and it seems to clearly require a TokenChallenge before sending a Token.

[chris-wood]

I thought we had text that described it, but I can't find it. In any case, I think one can send the Authorization header unsolicited, so I think this draft ought to do that instead of rolling a new auth header.

[DavidSchinazi]

Fair enough, let's discuss this at 116.

[bemasc]

FWIW, I agree that unprompted "Authorization" is permissible in this context, but I think "Unprompted-Authorization" could be useful for clarity when reading logs, etc.

[DavidSchinazi]

Discussed at IETF 116, sense of the room appeared to be that switching to Authorization made sense.

[DavidSchinazi]

OK wrote up #2571 to address this