W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2003

Re: RFC 2617: Which character should be used?

From: Martin Duerst <duerst@w3.org>
Date: Wed, 16 Apr 2003 14:49:00 -0400
Message-Id: <4.2.0.58.J.20030416144730.048de420@localhost>
To: Scott Lawrence <scott-http@skrb.org>, "Joris Dobbelsteen" <joris.dobbelsteen@mail.com>
Cc: <ietf-http-wg@w3.org>, <yngve@opera.com>

At 14:30 03/04/16 -0400, Scott Lawrence wrote:

>"Joris Dobbelsteen" <joris.dobbelsteen@mail.com> writes:
>
> > Making passwords UTF-8 before MD5 yields a complete different result 
> from using
> > ASCII and then MD5 for Digest. This is also true for Basic (using Base64).
> > I would expect implementations to currently use the ASCII character-set.
>
>To quote RFC 2279 (UTF-8):
>
>    UTF-8, the object of this memo, uses all bits of an octet, but has
>    the quality of preserving the full US-ASCII range: US-ASCII
>    characters are encoded in one octet having the normal US- ASCII
>    value, and any octet with such a value can only stand for an
>    US-ASCII character, and nothing else.
>
>So passwords containing only ASCII would not change value, right?

Yes, correct. Also, anything else than ASCII characters, when
encoded in UTF-8, have all most significant bits set in all
octets, so that it is impossible to produce something that
looks like ASCII but isn't.

Regards,    Martin.


>For
>passwords that can't be expressed in ASCII, the current spec doesn't
>define the right behaviour, and this thread started with a report that
>it's already produced incompatible implementations.
>
> > HTTP (including HTTP/1.1) is much older than BCP 18 (RFC 2277), so I don't
> > believe its recommendation is used.
>
>The purpose of the errata is to help current implementors to agree on
>resolutions of issues discovered since the spec was issued.  When/if
>the spec is updated, it is expected that these resolutions will be
>incorporated; at that point, it would be good to have solutions that
>are in harmony with other standards issued during that time.
>
>--
>Scott Lawrence
>   Actively seeking work
>   http://skrb.org/scott/
>   [ <lawrence@world.std.com> is deprecated ]
Received on Wednesday, 16 April 2003 15:09:21 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:23 GMT