W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2003

Re: RFC 2617: Which character should be used?

From: Scott Lawrence <scott-http@skrb.org>
Date: 16 Apr 2003 14:30:11 -0400
To: "Joris Dobbelsteen" <joris.dobbelsteen@mail.com>
Cc: <ietf-http-wg@w3.org>, <yngve@opera.com>
Message-ID: <uy92athvw.fsf@skrb.org>

"Joris Dobbelsteen" <joris.dobbelsteen@mail.com> writes:

> Making passwords UTF-8 before MD5 yields a complete different result from using
> ASCII and then MD5 for Digest. This is also true for Basic (using Base64).
> I would expect implementations to currently use the ASCII character-set.

To quote RFC 2279 (UTF-8):

   UTF-8, the object of this memo, uses all bits of an octet, but has
   the quality of preserving the full US-ASCII range: US-ASCII
   characters are encoded in one octet having the normal US- ASCII
   value, and any octet with such a value can only stand for an
   US-ASCII character, and nothing else.

So passwords containing only ASCII would not change value, right?  For
passwords that can't be expressed in ASCII, the current spec doesn't
define the right behaviour, and this thread started with a report that
it's already produced incompatible implementations.

> HTTP (including HTTP/1.1) is much older than BCP 18 (RFC 2277), so I don't
> believe its recommendation is used.

The purpose of the errata is to help current implementors to agree on
resolutions of issues discovered since the spec was issued.  When/if
the spec is updated, it is expected that these resolutions will be
incorporated; at that point, it would be good to have solutions that
are in harmony with other standards issued during that time.

Scott Lawrence        
  Actively seeking work 
  [ <lawrence@world.std.com> is deprecated ]
Received on Wednesday, 16 April 2003 14:30:28 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:36 UTC