- From: Manger, James H <James.H.Manger@team.telstra.com>
- Date: Fri, 1 Apr 2011 17:17:05 +1100
- To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
The ABNF in draft-ietf-httpbis-p7-auth-13 still doesn't match what the BASIC scheme needs (or NTLM or NEGOTIATE or BEARER etc).

Draft 13 says:

    credentials = auth-scheme ( token / quoted-string / #auth-param )

BASIC, however, effectively uses:

    credentials = auth-scheme base64

<base64> includes the characters '/' and '=' that are not in <token> [draft-ietf-httpbis-p1-messaging-13#section-1.2.2]

I suggest changing the ABNF to the following:

    credentials = auth-scheme SP ( b64 / #auth-param )
    b64 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="

<b64> includes the 66 unreserved URI characters plus a few others. It can hold a base64, base64url (URL and filename safe alphabet), base32, or base16 (hex) encoding, with or without padding, but excluding whitespace [RFC4648].

This accepts authentication schemes that transmit a base64 blob instead of name=value pairs (such as BASIC, NTLM, NEGOTIATE). It also accepts dot-separated base64url blobs, as proposed in new specs such as JSON Web Tokens.

I dropped <quoted-string> as I don't know where that came from. Perhaps it was added with <token> as they are often a pair. If there are no existing uses (and I don't know of any) it adds no value.

I added <SP> as I understand HTTPbis is making a global change to be explicit with whitespace.

This change would reopen ticket #195.

--
James Manger
Received on Friday, 1 April 2011 06:17:52 UTC
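
An added example, not part of the original message: a small Python check that runs sample credentials values against both grammars quoted above, showing which values the draft 13 rule rejects and the proposed rule accepts. It assumes `<token>` uses the tchar set of RFC 7230 and models `auth-param` as `token "=" ( token / quoted-string )`; the function name `matches`, the scheme `X` and all sample values are constructed for illustration.

```python
import base64
import re

# <token>: tchar set from RFC 7230, assumed to match the draft's definition.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# auth-param modelled as token "=" ( token / quoted-string ); "#" is a comma list.
PARAM = rf"{TOKEN}=(?:{TOKEN}|{QUOTED})"
PARAM_LIST = rf"{PARAM}(?:[ \t]*,[ \t]*{PARAM})*"
# <b64> exactly as proposed in the message.
B64 = r"[A-Za-z0-9\-._~+/]+=*"

DRAFT13 = re.compile(rf"{TOKEN}|{QUOTED}|{PARAM_LIST}")
PROPOSED = re.compile(rf"{B64}|{PARAM_LIST}")


def matches(credentials):
    """Return (fits_draft13, fits_proposed) for one credentials value."""
    scheme, sp, rest = credentials.partition(" ")
    if not sp or not re.fullmatch(TOKEN, scheme):
        return (False, False)
    return (DRAFT13.fullmatch(rest) is not None,
            PROPOSED.fullmatch(rest) is not None)


# Constructed sample values; scheme "X" is hypothetical.
SAMPLES = {
    "basic": "Basic " + base64.b64encode(b"Aladdin:open sesame").decode(),
    "slash_blob": "Negotiate ab/cd+ef==",
    "dotted_b64url": "Bearer aaa.bbb.ccc-_d",
    "params": 'Digest username="Mufasa", realm="example"',
    "quoted_only": 'X "abc"',
    "inner_space": "Basic QWxh ZGRp",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        d13, new = matches(value)
        print(f"{name:14} draft13={d13!s:5} proposed={new}")
```

Under these assumptions an unpadded dot-separated base64url value already fits `<token>`, so it is the padded and `/`-bearing blobs that the draft 13 rule excludes.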