W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

RE: Informal Last Call for draft-reschke-basicauth-enc-04, was: Fwd: I-D Action: draft-reschke-basicauth-enc-04.txt

From: Manger, James H <James.H.Manger@team.telstra.com>
Date: Mon, 30 Jan 2012 12:22:51 +1100
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <255B9BB34FB7D647A506DC292726F6E114EAF1B768@WSMSG3153V.srv.dir.telstra.com>
Quick comment on draft-reschke-basicauth-enc-04.txt "An Encoding Parameter for HTTP Basic Authentication":

The text about not including the 'encoding' parameter when sending the password is a bit confusing [section 3].

   For credentials sent by the user agent, the "encoding" parameter is
   reserved for future use and MUST NOT be sent.

   The reason for this is that the information that could be included
   does not seem to be useful to the server, but the additional
   complexity of parsing and processing the additional parameter might
   make this extension harder to deploy.


My guess is that the spec intended to say that including the encoding information *would* be useful, but it cannot be added easily. This is a good illustration of the 3rd dot point from "2.3.1 Considerations for new Authentication Schemes" [draft-ietf-httpbis-p7-auth-18#section-2.3.1]: "b64token ... can only be used once ... future extensions will be impossible".

My suggested replacement for these 2 paragraphs:

   Note: The 'encoding' parameter cannot be included when sending
   credentials (eg in the Authorization header) as the "Basic" scheme
   uses a single base64 token for that ('b64token' syntax), not a
   parameter list ('#auth-param' syntax)
   [draft-ietf-httpbis-p7-auth-18#section-2.1].


P.S. What are the odds that everyone treats the following lines as exactly equivalent to the example of encoding="UTF-8" as they are supposed to?
  encoding=UTF-8
  Encoding="utf\-8"


--
James Manger

-------- Original Message --------
Subject: I-D Action: draft-reschke-basicauth-enc-04.txt
Date: Sun, 29 Jan 2012 07:28:40 -0800
From: internet-drafts@ietf.org
Reply-To: internet-drafts@ietf.org
To: i-d-announce@ietf.org


A New Internet-Draft is available from the on-line Internet-Drafts 
directories.

	Title           : An Encoding Parameter for HTTP Basic Authentication
	Author(s)       : Julian F. Reschke
	Filename        : draft-reschke-basicauth-enc-04.txt
	Pages           : 9
	Date            : 2012-01-29

    The "Basic" authentication scheme defined in RFC 2617 does not
    properly define how to treat non-ASCII characters.  This has lead to
    a situation where user agent implementations disagree, and servers
    make different assumptions based on the locales they are running in.
    There is little interoperability for characters in the ISO-8859-1
    character set, and even less interoperability for any characters
    beyond that.

    This document defines a backwards-compatible extension to "Basic",
    specifying the server's character encoding expectation, using a new
    authentication scheme parameter.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-reschke-basicauth-enc-04.txt
Received on Monday, 30 January 2012 01:23:32 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:53 GMT