Re: Informal Last Call for draft-reschke-basicauth-enc-04, was: Fwd: I-D Action: draft-reschke-basicauth-enc-04.txt

On 2012-01-30 02:22, Manger, James H wrote:
> Quick comment on draft-reschke-basicauth-enc-04.txt "An Encoding Parameter for HTTP Basic Authentication":
>
> The text about not including the 'encoding' parameter when sending the password is a bit confusing [section 3].
>
>     For credentials sent by the user agent, the "encoding" parameter is
>     reserved for future use and MUST NOT be sent.
>
>     The reason for this is that the information that could be included
>     does not seem to be useful to the server, but the additional
>     complexity of parsing and processing the additional parameter might
>     make this extension harder to deploy.
>
>
> My guess is that the spec intended to say that including the encoding information *would* be useful, but it cannot be added easily. This is a good illustration of the 3rd dot point from "2.3.1 Considerations for new Authentication Schemes" [draft-ietf-httpbis-p7-auth-18#section-2.3.1]: "b64token ... can only be used once ... future extensions will be impossible".

Actually, this text was written long before we fixed the auth-param 
grammar in HTTPbis, and I just forgot about the outcome.

> My suggested replacement for these 2 paragraphs:
>
>     Note: The 'encoding' parameter cannot be included when sending
>     credentials (e.g. in the Authorization header) as the "Basic" scheme
>     uses a single base64 token for that ('b64token' syntax), not a
>     parameter list ('#auth-param' syntax)
>     [draft-ietf-httpbis-p7-auth-18#section-2.1].

+1. Thanks for catching this!

> P.S. What are the odds that everyone treats the following lines as exactly equivalent to the example of encoding="UTF-8" as they are supposed to?
>    encoding=UTF-8
>    Encoding="utf\-8"

Dunno. Examples. Test cases. Etc.

My experience is that once you publish test cases and report on browser 
compliance, browsers actually get fixed. (And yes, sometimes this means 
fixing them myself :-)

One alternative would be to special case this one (ugh!), or to change 
the defaults HTTP-wide (ugh!).

Best regards, Julian

Received on Monday, 30 January 2012 13:31:55 UTC
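The two points in the thread above, as an added example that is not part of the original message, the draft, or HTTPbis: a parser for a "Basic" challenge under the '#auth-param' grammar James cites (parameter names case-insensitive, values either token or quoted-string, a quoted-pair such as "\-" standing for the plain character, charset names compared case-insensitively, so that encoding=UTF-8, Encoding="utf\-8" and encoding="UTF-8" come out identical), next to a credentials decoder that treats the Authorization value as the single 'b64token' the scheme actually uses and therefore never looks for parameters. The parameter name "encoding" and the value "UTF-8" follow the thread; the function names, error messages, the UTF-8 default for the decoder, and the sample header values are this example's own assumptions.

```javascript
'use strict';
// Added example, not code from the draft, HTTPbis or the thread's authors.
// Challenge side follows draft-ietf-httpbis-p7-auth-18 section 2.1:
//   challenge  = auth-scheme 1*SP #auth-param
//   auth-param = token BWS "=" BWS ( token / quoted-string )
// Credentials side: "Basic" uses one b64token, so no parameter parsing.

// tchar per HTTPbis: any VCHAR except the delimiters
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+/;

// Read a quoted-string that starts at s[0] === '"'.
// Returns [unescaped text, remaining input].
// A quoted-pair "\x" stands for the single character x, so "utf\-8" is "utf-8".
function readQuotedString(s) {
  let out = '';
  let i = 1;
  for (; i < s.length && s[i] !== '"'; i++) {
    if (s[i] === '\\') {
      i++;
      if (i >= s.length) throw new Error('quoted-pair missing its character');
    }
    out += s[i];
  }
  if (i >= s.length) throw new Error('unterminated quoted-string');
  return [out, s.slice(i + 1)];
}

// Parse the auth-params of a WWW-Authenticate "Basic" challenge into a Map
// keyed by lower-cased parameter name. Throws on anything the grammar rejects.
function parseBasicChallenge(header) {
  const scheme = /^Basic(?:[ \t]+|$)/i.exec(header);
  if (!scheme) throw new Error('not a Basic challenge');
  let s = header.slice(scheme[0].length);
  const params = new Map();

  while (s.length) {
    s = s.replace(/^[ \t,]+/, '');           // #rule: OWS and empty list elements
    if (!s.length) break;

    const nameMatch = TOKEN.exec(s);
    if (!nameMatch) throw new Error('expected parameter name at: ' + s);
    const name = nameMatch[0].toLowerCase();  // parameter names are case-insensitive
    s = s.slice(nameMatch[0].length);

    const eq = /^[ \t]*=[ \t]*/.exec(s);      // BWS "=" BWS
    if (!eq) throw new Error('expected "=" after ' + name);
    s = s.slice(eq[0].length);

    let value;
    if (s[0] === '"') {
      [value, s] = readQuotedString(s);
    } else {
      const tok = TOKEN.exec(s);
      if (!tok) throw new Error('expected token or quoted-string for ' + name);
      value = tok[0];
      s = s.slice(tok[0].length);
    }

    // A parameter may occur at most once in a challenge.
    if (params.has(name)) throw new Error('duplicate parameter: ' + name);
    params.set(name, value);

    // After a value only OWS followed by a comma or the end may follow.
    if (!/^[ \t]*(?:,|$)/.test(s)) throw new Error('unexpected text after value: ' + s);
  }

  if (!params.has('realm')) throw new Error('Basic challenge requires a realm');
  return params;
}

// Charset names are case-insensitive, so encoding=UTF-8, Encoding="utf\-8" and
// encoding="UTF-8" all yield "UTF-8". Absent parameter: null (what a client
// does then is the draft's business, not this example's).
function challengeEncoding(params) {
  const enc = params.get('encoding');
  return enc === undefined ? null : enc.toUpperCase();
}

// Authorization: Basic <b64token>. One token and no parameter list, so the only
// work is base64-decoding and splitting user-pass at the first colon. The
// charset is the one learnt from the challenge; defaulting to UTF-8 is an
// assumption of this example.
function decodeBasicCredentials(header, charset = 'UTF-8') {
  const m = /^Basic[ \t]+([A-Za-z0-9+/]+={0,2})[ \t]*$/.exec(header);
  if (!m) throw new Error('not Basic b64token credentials');
  const text = new TextDecoder(charset).decode(Buffer.from(m[1], 'base64'));
  const colon = text.indexOf(':');
  if (colon < 0) throw new Error('user-pass must contain a colon');
  return { user: text.slice(0, colon), pass: text.slice(colon + 1) };
}
```

Feeding the three spellings from the P.S. into parseBasicChallenge and then challengeEncoding returns "UTF-8" for each, which is the equivalence James asks about; feeding "Basic dGVzdDoxMjPCow==, encoding=UTF-8" (a constructed value) to decodeBasicCredentials is rejected, because with b64token syntax there is no place for the parameter on the credentials side.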