Re: [http-auth] New Version Notification - draft-ietf-httpauth-basicauth-update-06.txt
Tony Hansen <tony@att.com> Fri, 13 February 2015 20:04 UTC
Message-ID: <54DE514B.40506@att.com>
Date: Fri, 13 Feb 2015 14:32:27 -0500
From: Tony Hansen <tony@att.com>
To: Julian Reschke <julian.reschke@gmx.de>
References: <20150212221549.22193.11309.idtracker@ietfa.amsl.com> <54DDAE8D.5040504@gmx.de> <CAHbuEH42Lyg2+sOaXcX+=4ewXrHDc4VVcdeXeT8ibRMJkPvyTQ@mail.gmail.com>
In-Reply-To: <CAHbuEH42Lyg2+sOaXcX+=4ewXrHDc4VVcdeXeT8ibRMJkPvyTQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/5XDEMOVxiO-cI_qFgHwOZsgyLhY>
Cc: "http-auth@ietf.org >> IETF HTTP Auth" <http-auth@ietf.org>
On 2/13/15 4:29 AM, Kathleen Moriarty wrote:
> Thank you, Julian.
>
> On Fri, Feb 13, 2015 at 2:58 AM, Julian Reschke <julian.reschke@gmx.de
> <mailto:julian.reschke@gmx.de>> wrote:
>
> > On 2015-02-12 23:15, internet-drafts@ietf.org
> > <mailto:internet-drafts@ietf.org> wrote:
> >
> > > A new version (-06) has been submitted for
> > > draft-ietf-httpauth-basicauth-update:
> > > http://www.ietf.org/internet-drafts/draft-ietf-httpauth-basicauth-update-06.txt
> > > ...
> >
> > This draft addresses most of the feedback received so far; I
> > posted it so the IESG doesn't have to re-report things.

I read the document afresh from the beginning to the end. I consider it
ready for publication. Minor nits below. None are showstoppers.

    Tony Hansen

Section 2 (add "the" before user-id, to parallel "the password"):

< constructs the user-pass by concatenating user-id, a single colon
< (":") character, and the password,
--
> constructs the user-pass by concatenating the user-id, a single colon
> (":") character, and the password,

Section 2.1 (change comma to semi-colon):

< Note: The 'charset' is only defined on challenges, as "Basic" uses
< a single token for credentials ('token68' syntax), thus the
< credentials syntax isn't extensible.
--
> Note: The 'charset' is only defined on challenges, as "Basic" uses
> a single token for credentials ('token68' syntax); thus the
> credentials syntax isn't extensible.

Section 3 (add "a revision to"):

< The "realm" parameter carries data that can be considered textual,
< however [RFC7235] does not define a way to reliably transport non-US-
< ASCII characters. This is a known issue that would need to be
< addressed in that specification.
--
> The "realm" parameter carries data that can be considered textual,
> however [RFC7235] does not define a way to reliably transport non-US-
> ASCII characters. This is a known issue that would need to be
> addressed in a revision to that specification.

Section 4 (add "other" to better clarify the use of "those sites"):

< The owner or administrator of such a
< system could therefore expose all users of the system to the risk of
< unauthorized access to all those sites if this information is not
< maintained in a secure fashion.
--
> The owner or administrator of such a
> system could therefore expose all users of the system to the risk of
> unauthorized access to all those other sites if this information is not
> maintained in a secure fashion.

Section 4 (we'll soon have more than just Digest, so how about ...):

< This type of attack is not possible with Digest
< Authentication.
--
> This type of attack is not possible with other authentication schemes, such as Digest
> Authentication.

or

> This type of attack is not possible with Digest
> Authentication, or other authentication schemes that do not send the credentials
> directly.

Section 6 (verb usage):

< The internationalization problem with respect to the character
< encoding scheme used for user-pass has been reported as a Mozilla bug
< back in the year 2000 (see
--
> The internationalization problem with respect to the character
> encoding scheme used for user-pass was reported as a Mozilla bug
> back in the year 2000 (see

Section B.3 ("what" -> "which"):

< Note that sites might even inspect the User-Agent header field
< ([RFC7231], Section 5.5.3) to decide what character encoding scheme
< to expect from the client.
--
> Note that sites might even inspect the User-Agent header field
> ([RFC7231], Section 5.5.3) to decide which character encoding scheme
> to expect from the client.
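Review bot: the first Section 4 alternative, "not possible with other authentication schemes, such as Digest Authentication", is broader than the text supports, since it implies every other scheme avoids the problem; the second alternative's qualifier "that do not send the credentials directly" states exactly the property that matters, so it is the safer wording to adopt.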
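An added example (not from the draft or this e-mail) of the two constructions the nits above touch: the user-pass string built from "the user-id, a single colon and the password" and carried as one token68, and the 'charset' parameter that exists only on the challenge. The colon restriction on user-id follows directly from that construction; the rejection of control characters and the ISO-8859-1 fallback are assumptions taken from the final Basic specification, not quoted on this page. The base64 token is an encoding, not protection, which is the point of the Section 4 wording.

```python
import base64
import re

# token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_TOKEN68 = re.compile(r"^[A-Za-z0-9._~+/-]+=*$")


def build_challenge(realm: str, charset: str = "UTF-8") -> str:
    """Server side: 'charset' is only defined on the challenge, never on credentials."""
    if '"' in realm or "\\" in realm:
        raise ValueError("realm must not contain quote or backslash")
    return f'Basic realm="{realm}", charset="{charset}"'


def build_credentials(user_id: str, password: str, charset: str = "UTF-8") -> str:
    """Client side: user-pass = user-id ":" password, then base64 into a token68."""
    if ":" in user_id:
        # The first colon separates user-id and password, so a colon in the
        # user-id could never be recovered by the server.
        raise ValueError("user-id must not contain a colon")
    user_pass = f"{user_id}:{password}"
    token68 = base64.b64encode(user_pass.encode(charset)).decode("ascii")
    return f"Basic {token68}"


def parse_credentials(header: str, charset: str = "UTF-8"):
    """Server side: return (user-id, password) or None if the header is malformed.
    Splits on the FIRST colon only, so passwords containing colons survive."""
    scheme, _, token68 = header.strip().partition(" ")
    if scheme.lower() != "basic" or not _TOKEN68.match(token68):
        return None
    try:
        raw = base64.b64decode(token68, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        user_pass = raw.decode(charset)
    except UnicodeDecodeError:
        # Assumption: legacy clients that ignored the challenge's charset
        # sent ISO-8859-1, so fall back to it rather than fail the request.
        user_pass = raw.decode("iso-8859-1")
    if any(ord(c) < 0x20 or c == "\x7f" for c in user_pass):
        return None  # assumption: control characters are not allowed in user-pass
    user_id, sep, password = user_pass.partition(":")
    if not sep:
        return None  # no colon at all: not a valid user-pass
    return user_id, password
```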