Some design decisions

- Use 401 as the return code during the SASL handshake
- Allow interleaving of authentication exchanges
- Avoid sending the request body with every authentication step for POST/PUT methods
  - Currently suggest using POST requests with no body
- Use of persistent connections
  - required if negotiating a security layer
  - not required if only doing authentication, but recommended
- New 2XX status codes to specify that "authentication is complete, please resubmit the original request"
  - Though this adds an additional round-trip
- Use of the OPTIONS method for requesting the list of supported mechanisms
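The exchange these decisions describe, modelled as an added Python example that is not code from the draft or the slides: a server that lists mechanisms on OPTIONS, answers each bodiless POST step with 401, keeps interleaved exchanges apart by session id, and returns a placeholder 2xx code (299) when the client should resubmit the original request. The `SASL` scheme, the `mech`/`sid`/`c2s`/`s2c` parameters, the TOY-HMAC mechanism and the credential store are all assumptions made for illustration, not the draft's syntax.

```python
import base64, hashlib, hmac, secrets

# Constructed credential store and a toy HMAC challenge/response mechanism
# (not a real SASL mechanism); header syntax and the 299 code are placeholders.
USERS = {"alice": b"correct horse battery"}
MECHS = ["TOY-HMAC"]
AUTH_COMPLETE = 299  # placeholder for the proposed "complete, please resubmit" 2xx code

def b64(b): return base64.b64encode(b).decode()
def unb64(s): return base64.b64decode(s)
def params(header): return dict(kv.split("=", 1) for kv in header.split()[1:])

class SaslHttpServer:
    def __init__(self):
        self.pending = {}   # sid -> (user, nonce): one entry per interleaved exchange
        self.done = set()   # sids whose exchange completed and may resubmit

    def handle(self, method, headers, body=b""):
        """Return (status, headers, body) for one request."""
        advertise = {"WWW-Authenticate": "SASL mech=" + ",".join(MECHS)}
        if method == "OPTIONS":                    # mechanism discovery
            return 200, advertise, b""
        auth = params(headers.get("Authorization", "SASL"))
        sid = auth.get("sid")
        if sid in self.done:                       # resubmitted original request
            return 200, {}, b"ok:" + body
        if auth.get("mech") not in MECHS:
            return 401, advertise, b""             # 401 drives the handshake
        if body:                                   # design choice: steps carry no body
            return 400, {}, b"authentication steps must carry no body"
        if sid is None:                            # first step: client names the user
            user = unb64(auth["c2s"]).decode()
            if user not in USERS:
                return 401, advertise, b""
            sid, nonce = secrets.token_hex(8), secrets.token_bytes(16)
            self.pending[sid] = (user, nonce)
            return 401, {"WWW-Authenticate": f"SASL sid={sid} s2c={b64(nonce)}"}, b""
        user, nonce = self.pending.pop(sid, (None, None))  # second step: verify proof
        if user is None:
            return 401, advertise, b""
        expected = hmac.new(USERS[user], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(auth["c2s"])):
            return 401, advertise, b""
        self.done.add(sid)
        return AUTH_COMPLETE, {}, b""              # tell client to resubmit original request

def client_put(server, user, password, body):
    """Drive one PUT: OPTIONS, two bodiless POST steps, then resubmit with the body."""
    _, h, _ = server.handle("OPTIONS", {})
    if "TOY-HMAC" not in h["WWW-Authenticate"]:
        return None
    status, h, _ = server.handle("POST", {"Authorization": f"SASL mech=TOY-HMAC c2s={b64(user.encode())}"})
    p = params(h["WWW-Authenticate"])
    if "s2c" not in p:
        return status
    proof = hmac.new(password, unb64(p["s2c"]), hashlib.sha256).digest()
    status, _, _ = server.handle("POST", {"Authorization": f"SASL mech=TOY-HMAC sid={p['sid']} c2s={b64(proof)}"})
    if status != AUTH_COMPLETE:
        return status
    return server.handle("PUT", {"Authorization": f"SASL sid={p['sid']}"}, body)[0]
```

Each exchange is keyed by its own `sid`, so two clients (or two requests on one connection) can interleave their handshake steps without sharing state.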