- From: Scott Lawrence <scott-http@skrb.org>
- Date: 16 Apr 2003 14:30:11 -0400
- To: "Joris Dobbelsteen" <joris.dobbelsteen@mail.com>
- Cc: <ietf-http-wg@w3.org>, <yngve@opera.com>
"Joris Dobbelsteen" <joris.dobbelsteen@mail.com> writes: > Making passwords UTF-8 before MD5 yields a complete different result from using > ASCII and then MD5 for Digest. This is also true for Basic (using Base64). > I would expect implementations to currently use the ASCII character-set. To quote RFC 2279 (UTF-8): UTF-8, the object of this memo, uses all bits of an octet, but has the quality of preserving the full US-ASCII range: US-ASCII characters are encoded in one octet having the normal US- ASCII value, and any octet with such a value can only stand for an US-ASCII character, and nothing else. So passwords containing only ASCII would not change value, right? For passwords that can't be expressed in ASCII, the current spec doesn't define the right behaviour, and this thread started with a report that it's already produced incompatible implementations. > HTTP (including HTTP/1.1) is much older than BCP 18 (RFC 2277), so I don't > believe its recommendation is used. The purpose of the errata is to help current implementors to agree on resolutions of issues discovered since the spec was issued. When/if the spec is updated, it is expected that these resolutions will be incorporated; at that point, it would be good to have solutions that are in harmony with other standards issued during that time. -- Scott Lawrence Actively seeking work http://skrb.org/scott/ [ <lawrence@world.std.com> is deprecated ]
Received on Wednesday, 16 April 2003 14:30:28 UTC