Alexey Melnikov | 10 Jun 2012 19:21

Comments on draft-oiwa-httpbis-auth-extension-00

In general I think this is a useful document and it is worth working on in the WG. Below are my general comments
(I would have nitpicked a bit more if this document was in IETF LC).

Optional authentication: is a new header field really needed or can this be already done using a 200
response containing a WWW-Authenticate header field? Was use of 200 with WWW-Authenticate tried and it
didn't work with existing browsers?

Section 3, last paragraph: some MAYs in the last couple of sentences look incorrect. I also think that
making some HTTP authentication schemes require this header field would be a mistake, at least before
the HTTP authentication framework is updated to include the new header field.

Similar text in Section 4, 2nd paragraph. The same problem.

In 4.3, second-to-last paragraph, last sentence: I think you need to specify which one wins (or to ignore the
whole header field), otherwise this is not very useful.

In 4.3, last paragraph: avoid passive voice. Otherwise it is not clear to whom the SHOULD/SHOULD NOT applies.
Also the use of SHOULD doesn't seem to be correct, but I can't tell until you clarify to whom it applies.

In 4.2 and 4.4: the pattern "MUST be an absolute URI, MAY be treated as relative if not" seems a bit wrong.
Either use of absolute URIs is optional (and then you must use SHOULD/MAY), or it is not and the MAY needs to
be dropped. Either way, use of MAY is incorrect here.

In 4.4: I think you meant "authentication sessions" instead of "authentication period".

Is auth-style value correct in Section 5.2?

Best Regards,
Alexey


Yutaka OIWA | 14 Jun 2012 03:51

Re: Comments on draft-oiwa-httpbis-auth-extension-00

Dear Alexey,

Thank you very much.
Your comments are really valuable for me to improve the draft.

I'd like to answer immediately the comment on the optional
authentication design:

2012/6/11 Alexey Melnikov <alexey.melnikov@...>:

> Optional authentication: is a new header field really needed or can this be already done using a 200
> response containing a WWW-Authenticate header field? Was use of 200 with WWW-Authenticate tried and it
> didn't work with existing browsers?

As far as I know,

 * Until recently, the validity of using the WWW-Authenticate header in a
   200 response was unclear.  It was clarified in the discussion of httpbis
   and it is now OK.  (I designed the protocol before that.)

 * My design principle is that clients not supporting optional authentication
   should ignore the request, so that Web site programmers can implement
   their own fallback mechanisms.

 * Someone on the httpbis ML has checked the behavior of various browsers,
   and it will work (ignored) for all except one browser (which forcibly
   authenticates), I remember.
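The optional-authentication behaviour the reply describes (a 200 response carrying WWW-Authenticate, ignored by clients that do not support the offered scheme and honoured by those that do) from the client's side, as an added illustration that is not part of either post or of the draft: it parses the challenge list and classifies the response. The sample challenge values are constructed, and the scheme name "Newscheme" is a placeholder, not a scheme from the draft.

```python
import re
from typing import Dict, List, Set, Tuple

def _split_commas(value: str) -> List[str]:
    """Split a header value on commas that are outside quoted-strings."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(value):
        c = value[i]
        if c == '"':
            quoted = not quoted
        elif c == '\\' and quoted and i + 1 < len(value):
            buf.append(c); i += 1; c = value[i]      # keep escaped char
        elif c == ',' and not quoted:
            parts.append(''.join(buf)); buf = []; i += 1; continue
        buf.append(c); i += 1
    parts.append(''.join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_challenges(value: str) -> List[Tuple[str, Dict[str, str]]]:
    """Parse 'Scheme p=v, p=v, Scheme2 p=v' into [(scheme, params), ...].
    Scheme and parameter names are lowercased; token68 forms are not handled."""
    challenges: List[Tuple[str, Dict[str, str]]] = []
    for piece in _split_commas(value):
        m = re.match(r'^([^\s=]+)\s+([^\s=]+)\s*=\s*(.*)$', piece)
        if m:                                  # "Scheme name=value": new challenge
            challenges.append((m.group(1).lower(), {}))
            piece = f"{m.group(2)}={m.group(3)}"
        elif '=' not in piece:                 # bare scheme, no parameters
            challenges.append((piece.lower(), {}))
            continue
        if not challenges:
            raise ValueError("auth-param before any scheme")
        name, _, raw = piece.partition('=')
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        challenges[-1][1][name.strip().lower()] = raw
    return challenges

def classify_response(status: int, headers: Dict[str, str], supported: Set[str]) -> str:
    """401 + usable scheme -> 'mandatory'; 200 + usable scheme -> 'optional'
    (render body, offer authentication); 200 with only unknown schemes ->
    'ignore' (site-side fallback applies); no challenge header -> 'none'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get('www-authenticate')
    if value is None:
        return 'none'
    usable = [s for s, _ in parse_challenges(value) if s in supported]
    if status == 401:
        return 'mandatory' if usable else 'unsupported-401'
    if status == 200:
        return 'optional' if usable else 'ignore'
    return 'none'
```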
