- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 01 Apr 2011 20:27:51 +0200
- To: "Manger, James H" <James.H.Manger@team.telstra.com>
- CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On 01.04.2011 08:17, Manger, James H wrote:
> The ABNF in draft-ietf-httpbis-p7-auth-13 still doesn't match what the BASIC scheme needs (or NTLM or NEGOTIATE or BEARER etc).
>
> Draft 13 says:
>   credentials = auth-scheme ( token / quoted-string / #auth-param )
>
> BASIC, however, effectively uses:
>   credentials = auth-scheme base64
>
> <base64> includes the characters '/' and '=' that are not in <token>
> [draft-ietf-httpbis-p1-messaging-13#section-1.2.2]

Oh. Good catch.

> I suggest changing the ABNF to the following:
>
>   credentials = auth-scheme SP ( b64 / #auth-param )
>
>   b64 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
>
> <b64> includes the 66 unreserved URI characters plus a few others.
> It can hold a base64, base64url (URL and filename safe alphabet),
> base32, or base16 (hex) encoding, with or without padding, but
> excluding whitespace [RFC4648].
>
>
> This accepts authentication schemes that transmit a base64 blob instead of name=value pairs (such as BASIC, NTLM, NEGOTIATE). It also accepts dot-separated base64url blobs, as proposed in new specs such as JSON Web Tokens.
>
> I dropped <quoted-string> as I don't know where that came from. Perhaps it was added with <token> as they are often a pair. If there are no existing uses (and I don't know of any) it adds no value.
>
> I added <SP> as I understand HTTPbis is making a global change to be explicit with whitespace.
>
> This change would reopen ticket #195.

Indeed.

Best regards, Julian
Received on Friday, 1 April 2011 18:28:35 UTC
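
The grammar mismatch discussed in this message, as an added example that is not part of the original thread or of any HTTPbis draft: a small Python check that tests a credentials value against the draft-13 `<token>` rule and against the proposed `credentials = auth-scheme SP ( b64 / #auth-param )`. The function names, the sample credentials and the simplified `#auth-param` handling (no backslash escapes, no commas inside quoted strings) are assumptions made for the illustration.

```python
import base64
import re

# HTTP token characters; '/' and '=' are not among them.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = re.compile(rf"{TCHAR}+")
# Proposed rule: b64 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
B64 = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
# Simplified auth-param: token "=" ( token / quoted-string ), escapes not handled.
AUTH_PARAM = re.compile(rf'{TCHAR}+=(?:{TCHAR}+|"[^"\\]*")')

# Constructed sample: the '?' lands on a base64 group boundary and encodes to '/',
# and the 10-byte input forces '==' padding.
BASIC_BLOB = base64.b64encode(b"user:pas?w").decode("ascii")


def draft13_token_ok(blob):
    """True if the blob fits <token>, the only draft-13 alternative a bare blob could use."""
    return TOKEN.fullmatch(blob) is not None


def classify(credentials):
    """Classify a credentials value under the proposed ABNF.

    Returns (auth-scheme, kind) with kind in {"b64", "auth-param", "invalid"}.
    """
    scheme, sep, rest = credentials.partition(" ")  # exactly one SP after the scheme
    if not sep or not rest or not TOKEN.fullmatch(scheme):
        return (scheme, "invalid")
    if B64.fullmatch(rest):
        return (scheme, "b64")
    # "=" may only trail in b64, so name=value pairs never match the branch above.
    params = [p.strip() for p in rest.split(",") if p.strip()]
    if params and all(AUTH_PARAM.fullmatch(p) for p in params):
        return (scheme, "auth-param")
    return (scheme, "invalid")


if __name__ == "__main__":
    for value in ("Basic " + BASIC_BLOB,       # base64 blob with '/' and '='
                  "Bearer aaa.bbb.ccc",        # constructed dot-separated blob
                  'Example a=b, c="d e"',      # hypothetical name=value scheme
                  "Basic dXNl cjpw"):          # embedded whitespace is rejected
        print(value, "->", classify(value))
    print("fits draft-13 <token>:", draft13_token_ok(BASIC_BLOB))
```

A parser built strictly on the draft-13 rule would reject the Basic value above, which is the interoperability problem the proposed `<b64>` production addresses.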