W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2009

RE: Proposed RFC 2617 erratum, Re: Backwards definition of authentication header

From: Manger, James H <James.H.Manger@team.telstra.com>
Date: Sat, 12 Dec 2009 12:04:57 +1100
To: Julian Reschke <julian.reschke@gmx.de>, Eran Hammer-Lahav <eran@hueniverse.com>
CC: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
Message-ID: <255B9BB34FB7D647A506DC292726F6E1124ABFE002@WSMSG3153V.srv.dir.telstra.com>
> Reported as <http://www.rfc-editor.org/errata_search.php?eid=1959>
> credentials = basic-credentials | auth-scheme SP #auth-param

This looks wrong.
Basic includes the scheme.
The example in the spec is:

  Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Perhaps it should be:

  credentials = auth-scheme SP { basic-credentials | #auth-param }

[note: I am not proficient with ABNF]

NTLM and Negotiate also use a scheme followed by a base64-encoded blob, just like Basic.
The following example is from RFC 4559 "SPNEGO-based Kerberos and NTLM HTTP Auth in MS Windows" (which annoying looks like lower-case hex, though the text says it is base64):

  Authorization: Negotiate a87421000492aa874209af8bc028

The ABNF may as well support the Basic/NTLM/Negotiate form regardless of scheme, instead of a special case for just Basic (either as an RFC 2617 errata or an httpbis item?).

I am not sure how to write the ABNF. Here is a wild guess:

  credentials = auth-scheme SP { token | #auth-param }

James Manger

Received on Saturday, 12 December 2009 01:05:34 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:52 UTC