- From: Jim Luther <luther.j@apple.com>
- Date: Mon, 21 Apr 2003 11:46:19 -0700
- To: http-wg@cuckoo.hpl.hp.com

rfc2617 defines auth-param as:

    auth-param = token "=" ( token | quoted-string )

and defines challenge and credentials as:

    challenge = auth-scheme 1*SP 1#auth-param
    credentials = auth-scheme #auth-param

However, other parts of rfc2617 don't make a couple of things clear:
1 - Can quoted-strings be used where they are not required for the
value of an auth-param and the BNF for the value of the auth-param
doesn't mention quoting?
An example of this is the nonce-count auth-param in the digest-response
(section 3.2.2). Can the nc-value value be quoted (even though it
doesn't need to be) or does the fact that it's defined as 8LHEX
override the general auth-param BNF?
I believe that if the general auth-param BNF is overridden by the BNF
defining a specific auth-param attribute-value pair, then a note in
section 1.2 saying that should be added; if not, then a note in section
1.2 saying it cannot be overridden and that any value can be quoted
should be added.
2 - Are quoted-strings required for some auth-param values?
An example of this is the digest-uri-value auth-param in the
digest-response (section 3.2.2). Since the digest-uri-value can contain
comma characters, and because the fields in the digest-response are
comma delimited, the digest-uri-value must be a quoted-string in order
to handle all possible digest-uri-value.
I believe that if quoting is required for a specific auth-param value,
then it should say so in the definition of that auth-param.
In our client implementations of Digest Access authentication, we first
quoted only those auth-param values which were defined as
quoted-string, or which included <"> in the BNF, by rfc2617. Following
the rules that way caused problems (mostly because we weren't quoting
digest-uri-value), so we changed our implementation to quote all
auth-param values. Last week, we found a proxy cache which doesn't work
with the nonce-count quoted. That's why I'm bringing this up.
Thanks,
- Jim
Received on Monday, 21 April 2003 14:49:17 UTC
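
The two questions in the message above, worked as an added example (not part of the original message and not the sender's implementation): a quote-aware parser that follows the general auth-param BNF, next to a comma-splitting parser that shows how a quoted nc and a comma inside uri get mangled. The function names and sample headers are constructed for illustration, and `naive_parse` is a hypothetical stand-in, not the proxy cache the message mentions.

```python
import re

# token and quoted-string as used by the auth-param BNF quoted above
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*({QUOTED}|{TOKEN})\s*(?:,|$)")
NC_VALUE = re.compile(r"[0-9a-f]{8}")  # nc-value = 8LHEX

# Constructed sample headers (not captured traffic): same credentials,
# first with every value quoted, then with nc sent as a bare token.
QUOTED_ALL = ('Digest username="jim", realm="example", nonce="abc123", '
              'uri="/list?ids=1,2,3", nc="00000001", response="0123abcd"')
BARE_NC = QUOTED_ALL.replace('nc="00000001"', "nc=00000001")


def parse_credentials(header):
    """Quote-aware parse: any auth-param value may be token or quoted-string."""
    scheme, _, rest = header.strip().partition(" ")
    params, pos = {}, 0
    while pos < len(rest):
        m = PARAM.match(rest, pos)
        if not m:
            raise ValueError(f"malformed auth-param at offset {pos}")
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # drop quotes, undo quoted-pair
        if name in params:
            raise ValueError(f"duplicate auth-param {name!r}")
        params[name] = raw
        pos = m.end()
    if "nc" in params and not NC_VALUE.fullmatch(params["nc"]):
        raise ValueError("nc is not 8LHEX")
    return scheme, params


def naive_parse(header):
    """Hypothetical fragile parser: splits on every comma and keeps quotes."""
    out = {}
    for piece in header.partition(" ")[2].split(","):
        name, _, value = piece.strip().partition("=")
        out[name] = value
    return out
```

A receiver that strips quotes before applying the per-parameter rule (8LHEX for nc) accepts both forms; one that compares the raw text sees `"00000001"` with its quotes and a uri cut at the first comma.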