
Re: Proposed RFC 2617 erratum, Re: Backwards definition of authentication header

From: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Mon, 21 Dec 2009 22:36:13 +0000
Message-ID: <4B2FF85D.5080800@isode.com>
To: Paul Leach <paulle@microsoft.com>
CC: Julian Reschke <julian.reschke@gmx.de>, Eran Hammer-Lahav <eran@hueniverse.com>, "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>

Paul Leach wrote:

>I do not understand the proposed erratum (eid=1959). Can someone please explain what the issue is? 
>Prima-facie, the proposed fix looks wrong: how can the definition of "challenge" be replaced by one for "credentials"?

You are right, it should be something like this instead:

       credentials = auth-scheme #auth-param

       credentials = "Basic" basic-credentials | auth-scheme #auth-param

    Note: for historic reasons, the "Basic" authentication scheme (see
    Section 2) uses a different format, thus the special case in the

The issue with the original ABNF is that Basic wouldn't conform to the 
specified BNF, as auth-param is defined:

      auth-param     = token "=" ( token | quoted-string )

And Basic is defined:

      credentials = "Basic" basic-credentials
      basic-credentials = base64-user-pass
      base64-user-pass  = <base64 [4] encoding of user-pass,
                       except not limited to 76 char/line>

So basic-credentials doesn't match auth-param.
Received on Monday, 21 December 2009 22:36:58 UTC
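
The mismatch described in this message can be checked mechanically. The following is an added example, not part of the original message or of RFC 2617: it tests Authorization header values against the original `credentials` production and against the proposed one with the "Basic" special case. The function names and the sample header values are constructed for illustration; the token and quoted-string patterns follow the RFC 2616 definitions.

```python
import base64
import re

# RFC 2616 token: any CHAR except CTLs and separators.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# auth-param = token "=" ( token | quoted-string )
AUTH_PARAM = rf"{TOKEN}\s*=\s*(?:{TOKEN}|{QUOTED})"
# "#auth-param": comma-separated list, possibly empty.
PARAM_LIST = re.compile(rf"(?:{AUTH_PARAM}(?:\s*,\s*{AUTH_PARAM})*)?\Z")
BASE64 = re.compile(r"[A-Za-z0-9+/]+={0,2}\Z")


def split_scheme(value):
    """Split 'scheme rest' at the first space."""
    scheme, _, rest = value.strip().partition(" ")
    return scheme, rest.strip()


def matches_original(value):
    """credentials = auth-scheme #auth-param"""
    scheme, rest = split_scheme(value)
    return bool(re.fullmatch(TOKEN, scheme)) and bool(PARAM_LIST.match(rest))


def matches_proposed(value):
    """credentials = "Basic" basic-credentials | auth-scheme #auth-param"""
    scheme, rest = split_scheme(value)
    if scheme.lower() == "basic" and BASE64.match(rest):
        try:
            base64.b64decode(rest, validate=True)  # rejects bad padding
            return True
        except ValueError:
            pass
    return matches_original(value)


# Constructed sample values (base64 of "user:pass" and "user:pw").
SAMPLES = [
    "Basic dXNlcjpwYXNz",
    "Basic dXNlcjpwdw==",
    'Digest username="user", realm="example", nc=00000001',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: original={matches_original(s)} "
              f"proposed={matches_proposed(s)}")
```

A strict parser built from the original production alone rejects every Basic header: the base64 blob either contains no "=" at all or ends in padding that leaves the value side of `token "=" ...` empty or starting with "=".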