W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2013

Re: draft-ietf-httpbis-p7-auth-22, "2.2 Protection Space (Realm)"

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 25 Mar 2013 12:39:55 +0100
Message-ID: <5150378B.2030702@gmx.de>
To: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
CC: Mark Nottingham <mnot@mnot.net>, ietf-http-wg@w3.org
On 2013-03-25 10:25, "Martin J. Dürst" wrote:
> On 2013/03/19 5:46, Julian Reschke wrote:
>> On 2013-03-18 21:02, Mark Nottingham wrote:
>>> Have you done any testing around what UAs currently do with RFC5987
>>> encoding there, or just UTF-8?
>>> ...
>>
>> Apparently they do either ISO-8859-1, or use the UA's locale (see
>> discussion on http-auth).
>>
>> I haven't tried RFC5987, but I'm pretty sure nobody supports it (will
>> add test case soonish).
>>
>> We may want to leave "realm" alone, and instead add something for
>> display purposes ("prompt", "name"?).
>
> I haven't worked this out, and it's not my area of expertise, so I'm
> just writing this up so that it doesn't get forgotten:
>
> If the "realm" and the "display name" are separate, that might lead to
> some subtle security issues (same display name but different realms,...).

Indeed. If we did this, we would recommend to always display the realm 
*as well*.

Best regards, Julian
Received on Monday, 25 March 2013 11:40:28 GMT

This archive was generated by hypermail 2.3.1 : Monday, 25 March 2013 11:40:30 GMT