
Re: Basic Authentication

From: J Ross Nicoll <jrn2005@cs.st-andrews.ac.uk>
Date: Thu, 05 Jun 2008 14:58:46 +0000
Message-Id: <91E85254-10D7-49C3-A7A6-694054C442D8@cs.st-andrews.ac.uk>
To: ietf-http-wg@w3.org

If there's a move towards replacing Basic authentication, there are a
few more changes that would seem useful to me. Primarily, being able
to provide a significant descriptive text about how to authenticate  
would be extremely useful, either returned inline with the 401  
response or referred to in the 401 response. For example, we  
authenticate users against one of two different accounts (and have a  
lookup table to merge them behind the scenes). We could use  
<username>@<account type> as usernames for Basic, but without  
instructions in the authentication prompt I think most of our users  
would get confused.

Putting instructions in the body of the 401 response could work, but  
would require browsers to change away from hiding that page and  
providing an authorisation request instead...

On 28 May 2008, at 14:26, Frank Ellermann wrote:

> Julian Reschke wrote:
>> I would like Basic Auth to use UTF-8. But: this has been
>> discussed again and again over the last years, and I think
>> we haven't come to a consensus that it *can* be changed.
>> For instance, I know by first hand of people in Europe
>> relying that (non-ASCII) ISO-8859-1 characters in
>> credentials work in Basic Authentication, and the clients
>> and servers these people depend on use ISO-8859-1 as
>> encoding.
> Sigh.  This Latin-1 cruft is excessively annoying.  I think
> we need a transition strategy (read: modification of the WG
> Charter) *how* to replace Latin-1 by UTF-8 in HTTP a.s.a.p.
> Two possible strategies:
> 1 - Keep everything about Latin-1 as is in 2616bis+2617bis,
>    and introduce HTTP/1.2 to indicate "same as HTTP/1.1,
>    but UTF-8 instead of ISO-8859-1".
> 2 - Replace Latin-1 by ASCII in 2616bis+2617bis, and after
>    years of flamewars upgrade ASCII to UTF-8 for HTTP/1.1.
> What's IMO not possible is to do this piecemeal and without
> clear strategy.
>> It seems an easy way to make progress would be to define
>> "Basic2" (using UTF-8), and try to get it supported in the
>> open source browser engines (FF/Webkit) and Apache httpd.
> And in most popular browsers (including IE8 and FF3).
> Frank

The University of St Andrews is a charity registered in Scotland : No  
Received on Friday, 6 June 2008 12:06:08 UTC
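
The charset ambiguity discussed in the quoted thread, together with the `<username>@<account type>` convention from the message above, as an added example that is not part of the original posts. The UTF-8-first, ISO-8859-1-fallback decoding is one possible server-side heuristic assumed here, not something the thread prescribes; the credentials and the account type `staff` are constructed.

```python
import base64

def encode_basic(username, password, charset):
    """Header value as a client that encodes credentials in `charset` sends it."""
    raw = f"{username}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_basic(header):
    """Return (username, password, charset_guess), or None if malformed.

    Assumed heuristic: strict UTF-8 first, then ISO-8859-1, which maps
    every byte to a character and therefore never fails.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        text, charset = raw.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        text, charset = raw.decode("iso-8859-1"), "iso-8859-1"
    username, sep, password = text.partition(":")  # password may contain ':'
    return (username, password, charset) if sep else None

def split_account(username):
    """Split '<username>@<account type>' at the last '@'; type is None if absent."""
    name, sep, account = username.rpartition("@")
    return (name, account) if sep else (username, None)

if __name__ == "__main__":
    user, pw = "j\u00fcrgen@staff", "p\u00e4ss"  # constructed credentials
    for cs in ("iso-8859-1", "utf-8"):
        hdr = encode_basic(user, pw, cs)  # same credentials, different bytes
        print(cs, hdr, decode_basic(hdr))
    # Edge case: a Latin-1 password whose bytes (C3 A9) are also valid UTF-8
    # is silently read as a different string, so the guess cannot be trusted.
    hdr = encode_basic("user", "\u00c3\u00a9", "iso-8859-1")
    print(decode_basic(hdr))
```

The last case shows why the charset cannot be reliably inferred from the bytes alone: a server that guesses will compare the wrong password string for some legitimate Latin-1 users.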
