- From: Martin Duerst <duerst@w3.org>
- Date: Wed, 16 Apr 2003 14:49:00 -0400
- To: Scott Lawrence <scott-http@skrb.org>, "Joris Dobbelsteen" <joris.dobbelsteen@mail.com>
- Cc: <ietf-http-wg@w3.org>, <yngve@opera.com>
At 14:30 03/04/16 -0400, Scott Lawrence wrote: >"Joris Dobbelsteen" <joris.dobbelsteen@mail.com> writes: > > > Making passwords UTF-8 before MD5 yields a complete different result > from using > > ASCII and then MD5 for Digest. This is also true for Basic (using Base64). > > I would expect implementations to currently use the ASCII character-set. > >To quote RFC 2279 (UTF-8): > > UTF-8, the object of this memo, uses all bits of an octet, but has > the quality of preserving the full US-ASCII range: US-ASCII > characters are encoded in one octet having the normal US- ASCII > value, and any octet with such a value can only stand for an > US-ASCII character, and nothing else. > >So passwords containing only ASCII would not change value, right? Yes, correct. Also, anything else than ASCII characters, when encoded in UTF-8, have all most significant bits set in all octets, so that it is impossible to produce something that looks like ASCII but isn't. Regards, Martin. >For >passwords that can't be expressed in ASCII, the current spec doesn't >define the right behaviour, and this thread started with a report that >it's already produced incompatible implementations. > > > HTTP (including HTTP/1.1) is much older than BCP 18 (RFC 2277), so I don't > > believe its recommendation is used. > >The purpose of the errata is to help current implementors to agree on >resolutions of issues discovered since the spec was issued. When/if >the spec is updated, it is expected that these resolutions will be >incorporated; at that point, it would be good to have solutions that >are in harmony with other standards issued during that time. > >-- >Scott Lawrence > Actively seeking work > http://skrb.org/scott/ > [ <lawrence@world.std.com> is deprecated ]
Received on Wednesday, 16 April 2003 15:09:21 UTC