> On Feb 19, 2017, at 12:27 PM, Josh Soref <[email protected]> wrote:
>
>> A client should attempt to fulfill at most one of these challenges,
>
> fulfill is an odd word. And "attempt" is an odd word in concert. I'm
> pretty sure you're trying to say to a client "once you've fulfilled a
> challenge, you do not need to fulfill any additional challenges", not
> "you should only try one challenge, and if you fail, you should not
> try to complete any of the others".
>
> The "at most one" text is odd... I suppose a client could attempt to
> fulfill zero challenges, but that seems pointless.
>
>> and a server should consider any one of the challenges sufficient to make
>> the authorization valid.
>
> I think something like:
>
> A server SHOULD treat the challenges portion satisfied when a client
> fulfills one challenge.
>
> That should be sufficient to tell client implementations that they
> need to complete one, and that they don't need to complete more than
> one. Without telling them that if they try one and fail, they
> shouldn't try a different one.
>
> FWIW, as a user, I run into this portion of the spec often. Typically
> my client tries https or http. But a friendly client would be willing
> to try both, stopping if the first one it tries completes, but
> continuing to the second if the first fails.
+1. This is a significant improvement over the current text.

Russ

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
