Re: Basic Authentication and encoding of non-ASCII characters in credentials

On Wed, 2008-05-28 at 10:51 +0200, Julian Reschke wrote:

> I would like Basic Auth to use UTF-8. But: this has been discussed again 
> and again over the last years, and I think we haven't come to a consensus 
> that it *can* be changed.

On that issue it's a question of who to break.. But most implementations
do use ISO-8859-1 for basic, and fail on characters outside that set.

There is an easy path forward on that and it's to specify a Basic2 scheme
addressing these concerns. Trying to solve the existing Basic scheme is
a dead end as the syntax does not allow changes or extensions. The only
available option is by adding a new header, and one may then just as
well use a different scheme with better syntax.

> For instance, I know first hand of people in Europe relying on the fact that 
> (non-ASCII) ISO-8859-1 characters in credentials work in Basic 
> Authentication, and the clients and servers these people depend on use 
> ISO-8859-1 as encoding.

Yes.

> Choosing different encodings in the same UA depending who generated the 
> HTTP request is just bizarre, and will not help solving the problem.

Fully agreed.

> It seems an easy way to make progress would be to define "Basic2" (using 
> UTF-8), and try to get it supported in the open source browser engines 
> (FF/Webkit) and Apache httpd.

;-)


> PS: we would still need to discuss whether it should be otherwise 
> compatible with Basic, or whether we would want to fix other things as 
> well, such as the inability to have colon character in the user name.

It should be a new scheme with sane and possibly extensible syntax, not
just patching up the existing one.

Regards
Henrik

Received on Monday, 2 June 2008 10:43:55 UTC
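
The interoperability problem discussed in this thread, as an added example that is not part of the original messages: the same credentials produce different Basic tokens under ISO-8859-1 and UTF-8, a charset mismatch between client and server corrupts or rejects them, and a colon in the user name is split at the wrong place. The function names and the sample credentials are constructed for illustration.

```python
import base64

def basic_header(user, password, charset):
    """Client side: encode user:password in `charset`, then base64 it."""
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic(header, charset):
    """Server side: decode the token and split on the FIRST colon."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True)
    user, sep, password = raw.decode(charset).partition(":")
    if not sep:
        raise ValueError("missing colon separator")
    return user, password

def roundtrip(user, password, client_charset, server_charset):
    """Return the (user, password) the server sees, or None when the
    credentials cannot be encoded or decoded in the chosen charset."""
    try:
        header = basic_header(user, password, client_charset)
        return parse_basic(header, server_charset)
    except UnicodeError:
        return None

# Constructed sample credentials: "jürgen" / "pässword"
USER, PASSWORD = "j\u00fcrgen", "p\u00e4ssword"

if __name__ == "__main__":
    for client, server in [("iso-8859-1", "iso-8859-1"),
                           ("utf-8", "iso-8859-1"),
                           ("iso-8859-1", "utf-8")]:
        seen = roundtrip(USER, PASSWORD, client, server)
        print(f"client={client:<10} server={server:<10} -> {seen!r}")
    # A character outside ISO-8859-1 (here U+0141) cannot be sent at all.
    print(roundtrip("\u0141ukasz", "pw", "iso-8859-1", "iso-8859-1"))
    # A colon in the user name moves into the password on the server.
    print(roundtrip("corp:alice", "pw", "utf-8", "utf-8"))
```

The header carries no charset indication, so a server has no way to tell which of these cases it is looking at.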