Re: Proposed RFC 2617 erratum, Re: Backwards definition of authentication header

Paul Leach wrote:

>I do not understand the proposed erratum (eid=1959). Can someone please explain what the issue is? 
>
>Prima-facie, the proposed fix looks wrong: how can the definition of "challenge" be replaced by one for "credentials"?
>  
>
You are right, it should be something like this instead:

OLD:
       credentials = auth-scheme #auth-param

NEW:
       credentials = "Basic" basic-credentials | auth-scheme #auth-param

    Note: for historic reasons, the "Basic" authentication scheme (see
    Section 2) uses a different format, thus the special case in the
    ABNF.


The issue with the original ABNF is that Basic wouldn't conform to the 
specified BNF, as auth-param is defined:

      auth-param     = token "=" ( token | quoted-string )

And Basic is defined:

      credentials = "Basic" basic-credentials
      basic-credentials = base64-user-pass
      base64-user-pass  = <base64 [4] encoding of user-pass,
                       except not limited to 76 char/line>

So basic-credentials doesn't match auth-param.

Received on Monday, 21 December 2009 22:36:58 UTC
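The mismatch described in the message above, as an added example that is not part of the original message or of RFC 2617: a small matcher for the OLD and NEW `credentials` productions, run over sample header values. The function names (`matches_old`, `matches_new`, `parse_basic`) and the sample values are constructed for illustration, and the regular expressions assume the RFC 2616 definitions of `token` and `quoted-string`.

```python
import base64
import re

# RFC 2616 token: printable ASCII except separators ( ) < > @ , ; : \ " / [ ] ? = { }
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
AUTH_PARAM = rf"{TOKEN}[ \t]*=[ \t]*(?:{TOKEN}|{QUOTED})"
# "#auth-param": zero or more comma-separated elements
PARAM_LIST = rf"(?:{AUTH_PARAM}(?:[ \t]*,[ \t]*{AUTH_PARAM})*)?"
OLD_CREDENTIALS = re.compile(rf"{TOKEN}(?:[ \t]+{PARAM_LIST})?[ \t]*")
BASE64 = re.compile(r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")


def matches_old(value):
    # OLD: credentials = auth-scheme #auth-param
    return OLD_CREDENTIALS.fullmatch(value) is not None


def parse_basic(value):
    # First NEW alternative: "Basic" basic-credentials -> (userid, password) or None
    scheme, _, blob = value.strip().partition(" ")
    blob = blob.strip()
    if scheme.lower() != "basic" or not blob or not BASE64.fullmatch(blob):
        return None
    # user-pass = userid ":" password, and userid may not contain ":"
    user, sep, password = base64.b64decode(blob).decode("latin-1").partition(":")
    return (user, password) if sep else None


def matches_new(value):
    # NEW: credentials = "Basic" basic-credentials | auth-scheme #auth-param
    return parse_basic(value) is not None or matches_old(value)


# Constructed sample header values
SAMPLES = [
    "Basic " + base64.b64encode(b"Aladdin:open sesame").decode(),  # "==" padding
    "Basic " + base64.b64encode(b"user:pass").decode(),  # no "=" padding at all
    'Digest username="Mufasa", realm="testrealm@host.com", nc=00000001',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"old={matches_old(s)!s:5} new={matches_new(s)!s:5} {s}")
```

Both Basic samples fail the OLD production whether or not the base64 text ends in "=", because a bare token is not an auth-param and "=" must be followed by a token or quoted-string.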