W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: Informal Last Call for draft-reschke-basicauth-enc-04, was: Fwd: I-D Action: draft-reschke-basicauth-enc-04.txt

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 30 Jan 2012 18:28:23 +0100
Message-ID: <4F26D337.1020507@gmx.de>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
On 2012-01-30 12:17, Bjoern Hoehrmann wrote:
> * Julian Reschke wrote:
>> <http://greenbytes.de/tech/webdav/draft-reschke-basicauth-enc-04.html>;

Hi Björn,

thanks for the feedback; see 
for my work-in-progress.

> Well, "There is little interoperability for characters in the ISO-8859-1
> character set" the US-ASCII subset works reasonably well.

Noted and fixed.

> Don't repeat so much of / so literally the Abstract in the Introduction,
> it's confusing to read the duplicate.

I like it that way :-)

> I think you should mention "WWW-Authenticate" earlier than section 4,
> (something like "for use in headers like WWW-Authenticate" somewhere),
> otherwise it's easy to expect this is for `Authorization` (in part due


> to the name, `useUTF8` or `use-utf-8="yes" or some such would have been
> clearer).

That's another good suggestion; we're not going to allow any other 
encoding, so maybe making it a real flag is the best solution. What do 
others think?

> "For credentials sent by the user agent, the "encoding" parameter is
> reserved for future use and MUST NOT be sent." You can only reserve
> among options, and RFC 2617 does not allow `encoding` in credentials.
> This should simply say it does not apply to credentials.

That text is gone based on James' feedback.

> The following "The reason for this is" paragraph is confused, it should
> probably be an editor's note to be removed later, otherwise you would
> have to be much clearer what your idea for the parameter's content is,
> the main use case would seem to be recognizing whether the client did
> understand the request to use UTF-8, and that would seem useful enough.
>> With respect to intended status: in theory, this is a candidate for
>> Experimental. However, Basic Authentication (as defined in RFC 2617)
>> doesn't have a registry for extension parameters, so the cleanest
>> approach appears to say "Updates 2617", which IMHO requires a standards
>> track document.
> Updates 2617 sounds good to me; if there is any problem with that, we
> could make two specifications, one that updates 2617 and establishes a
> registry and then have your extension as experimental document.

Or we could revise RFC 2617's definition of "Basic" and move it into a 
separate document. Technically that would be the cleanest approach, but 
I fear that doing so would summon those who insist on a complete fix for 
all HTTP security issues.

Best regards, Julian
Received on Monday, 30 January 2012 17:29:02 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:00 UTC