- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Mon, 30 Jan 2012 18:28:23 +0100
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
On 2012-01-30 12:17, Bjoern Hoehrmann wrote: > * Julian Reschke wrote: >> <http://greenbytes.de/tech/webdav/draft-reschke-basicauth-enc-04.html>; Hi Björn, thanks for the feedback; see <http://greenbytes.de/tech/webdav/draft-reschke-basicauth-enc-latest.html> for my work-in-progress. > Well, "There is little interoperability for characters in the ISO-8859-1 > character set" the US-ASCII subset works reasonably well. Noted and fixed. > Don't repeat so much of / so literally the Abstract in the Introduction, > it's confusing to read the duplicate. I like it that way :-) > I think you should mention "WWW-Authenticate" earlier than section 4, > (something like "for use in headers like WWW-Authenticate" somewhere), > otherwise it's easy to expect this is for `Authorization` (in part due Done. > to the name, `useUTF8` or `use-utf-8="yes" or some such would have been > clearer). That's another good suggestion; we're not going to allow any other encoding, so maybe making it a real flag is the best solution. What do others think? > "For credentials sent by the user agent, the "encoding" parameter is > reserved for future use and MUST NOT be sent." You can only reserve > among options, and RFC 2617 does not allow `encoding` in credentials. > This should simply say it does not apply to credentials. That text is gone based on James' feedback. > The following "The reason for this is" paragraph is confused, it should > probably be an editor's note to be removed later, otherwise you would > have to be much clearer what your idea for the parameter's content is, > the main use case would seem to be recognizing whether the client did > understand the request to use UTF-8, and that would seem useful enough. > >> With respect to intended status: in theory, this is a candidate for >> Experimental. However, Basic Authentication (as defined in RFC 2617) >> doesn't have a registry for extension parameters, so the cleanest >> approach appears to say "Updates 2617", which IMHO requires a standards >> track document. > > Updates 2617 sounds good to me; if there is any problem with that, we > could make two specifications, one that updates 2617 and establishes a > registry and then have your extension as experimental document. Or we could revise RFC 2617's definition of "Basic" and move it into a separate document. Technically that would be the cleanest approach, but I fear that doing so would summon those who insist on a complete fix for all HTTP security issues. Best regards, Julian
Received on Monday, 30 January 2012 17:29:02 UTC