Re: [http-auth] I-D Action: draft-ietf-httpauth-digest-10.txt

Julian Reschke <julian.reschke@gmx.de> Thu, 15 January 2015 16:42 UTC


On 2015-01-10 20:45, Rifaat Shekh-Yusef wrote:
> Hi,
>
> We think that with version -10 we have addressed all the comments we
> received so far.
> Please, take a look and let us know if we missed anything or if you have
> any further comments.
>
> Thanks,
>   Rifaat
> ...

I had a quick glance at the I18N-related stuff, and it still doesn't work.

Section 3.1:

    Some or all of the parameters used in the various headers fields used
    by this document can be sent using the [RFC5987] encoding.

That's not really helpful. You really need to state which.

Section 3.9.2:

    The following example assumes that an access protected document is
    being requested from the server via a GET request.  The URI for the
    request is "http://api.example.org/doe.json".  Both client and server
    know the userhash of the username, support the UTF-8 character
    encoding scheme, and use the SHA-512-256 algorithm.  The username for
    the request is "Jaesoen Doe" and the password is "Secret, or not?".

The intent was to use a user name containing non-ASCII characters, but 
that was helpfully (:-) converted away by xml2rfc. Non-ASCII examples in 
IETF docs are currently hard. See 
<http://greenbytes.de/tech/webdav/draft-ietf-httpauth-basicauth-update-latest.html#charset> 
for an example of how to work around that limitation.


Section 4:

    The only allowed value is "UTF-8", to be matched case-insensitively
    (see [RFC2978], Section 2.3).  It indicates that the server expects
    user name and password to be converted to Unicode Normalization Form
    C ("NFC", see Section 3 of [RFC5198]) and to be encoded into octets
    using the UTF-8 character encoding scheme ([RFC3629]), ), and percent
    escaped in extended notation ([RFC5987]).

I don't believe RFC 5987 applies here at all; but maybe I'm missing 
something.


Best regards, Julian
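As an added illustration of the Section 4 canonicalisation rule discussed in this message (example code, not from the draft or from anyone in this thread): the user name and password are NFC-normalised and UTF-8-encoded before they enter the userhash and response computations, and the code also shows how the hashed octets would diverge if one peer additionally applied RFC 5987 percent-escaping. SHA-256 is the default here because hashlib only offers SHA-512-256 on OpenSSL builds that provide it; the user name, realm, nonce and cnonce values are constructed.

```python
import hashlib
import unicodedata
from urllib.parse import quote

# Hash constructors for two of the draft's algorithms.  SHA-512-256 is only
# available when hashlib is backed by an OpenSSL that provides it, so the
# functions below default to SHA-256.
_ALGORITHMS = {
    "SHA-256": hashlib.sha256,
    "SHA-512-256": lambda: hashlib.new("sha512_256"),
}


def _h(data: bytes, algorithm: str = "SHA-256") -> str:
    h = _ALGORITHMS[algorithm]()
    h.update(data)
    return h.hexdigest()


def canonical_octets(text: str) -> bytes:
    """What charset="UTF-8" asks for: NFC-normalise, then UTF-8 encode.
    No RFC 5987 percent-escaping is applied to the hashed octets."""
    return unicodedata.normalize("NFC", text).encode("utf-8")


def rfc5987_escaped_octets(text: str) -> bytes:
    """The octets a peer would hash if it read the text as also requiring
    RFC 5987 percent-escaping; included only to make the interop gap visible."""
    return quote(canonical_octets(text), safe="").encode("ascii")


def userhash(username: str, realm: str, algorithm: str = "SHA-256") -> str:
    """userhash = H(unq(username) ":" unq(realm)) over canonical octets."""
    return _h(canonical_octets(username) + b":" + canonical_octets(realm), algorithm)


def digest_response(username: str, password: str, realm: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str,
                    algorithm: str = "SHA-256") -> str:
    """Digest 'response' for qop=auth; user name and password go through the
    same canonicalisation on the client and on the server."""
    a1 = b":".join(canonical_octets(s) for s in (username, realm, password))
    a2 = f"{method}:{uri}".encode("ascii")
    unquoted = f"{_h(a1, algorithm)}:{nonce}:{nc}:{cnonce}:auth:{_h(a2, algorithm)}"
    return _h(unquoted.encode("ascii"), algorithm)


if __name__ == "__main__":
    # Constructed values: the same visible name typed in NFD on one side and
    # stored in NFC on the other hashes identically once canonicalised.
    nfd_name, nfc_name = "Zoe\u0308 Doe", "Zo\u00eb Doe"
    print(userhash(nfd_name, "api@example.org") == userhash(nfc_name, "api@example.org"))
```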