Re: [http-auth] Last Call: <draft-ietf-httpauth-basicauth-update-05.txt> (The 'Basic' HTTP Authentication Scheme) to Proposed Standard
Bjoern Hoehrmann <derhoermi@gmx.net> Thu, 05 February 2015 22:49 UTC
From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: ietf@ietf.org
Date: Thu, 05 Feb 2015 23:49:04 +0100
Message-ID: <kdr7da51k6t581cdppljqvdnf6401cjb4o@hive.bjoern.hoehrmann.de>
References: <20150205161049.4222.88369.idtracker@ietfa.amsl.com>
In-Reply-To: <20150205161049.4222.88369.idtracker@ietfa.amsl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/AAlSL2BfSGitp8Iyyt64SIfl-hQ>
Cc: http-auth@ietf.org
* The IESG wrote:
>Abstract
>
>   This document defines the "Basic" Hypertext Transfer Protocol (HTTP)
>   Authentication Scheme, which transmits credentials as userid/password
>   pairs, obfuscated by the use of Base64 encoding.

I do not think the use of Base64 is intended as obfuscation and it seems
misleading to me to describe it as such. (The Introduction has the same
problem).

In the Introduction:

   The "Basic" scheme previously was defined in Section 2 of [RFC2617].
   This document updates the definition, and also addresses
   internationalization issues by introducing the "charset"
   authentication parameter (Section 2.1).

I think "updates" is the wrong word considering the document is intended
to "obsolete" RFC 2617.

In section 2:

   The "Basic" authentication scheme is based on the model that the
   client needs to authenticate itself with a user-ID [...]

The document switches between "user name", "username", "userid", and
"user-ID". I think the "user-ID" forms should be replaced by one of the
"name" forms.

   The realm value is an opaque string which can only be compared for
   equality with other realms on that server.

RFC 7235 says "The realm value is a string, generally assigned by the
origin server, that can have additional semantics specific to the
authentication scheme." This seems contradictory (perhaps the intent is
to say that for the particular case of Basic, the realm value is opaque
in contrast to other schemes where it might not be opaque, but that is
not clear from the text) and misleading (users make decisions based on
the string, which often contains human readable text, so it's not really
opaque to them).

   The original definition of this authentication scheme failed to
   specify the character encoding scheme used to convert the user-pass
   into an octet sequence.

I think it would be more appropriate to say that it did not do so. That
wasn't a particular "failure", sending unlabeled 8bit (and 7bit) content
was normal at the time, in part because other system parts also did not
know or care about character encodings.

There should be an example for "no other authentication parameters are
defined -- unknown parameters MUST be ignored by recipients", otherwise
such extension points are too easily missed by implementers.

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
Available for hire in Berlin (early 2015) · http://www.websitedev.de/
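The message above asks for an example of a recipient ignoring unknown
auth-params, and touches the "charset" parameter and the Base64 "obfuscation"
wording. The following is an added example written for this archive page; it
is not code from the draft, from RFC 7617, or from the author of the message.
It parses a "Basic" challenge per the RFC 7235 auth-param grammar, keeps the
known parameters ("realm", "charset"), records and ignores anything else, and
builds/decodes the "user-pass" string. The challenge string and the
"futureparam" name are constructed for the demonstration; the fallback to
ISO-8859-1 when no charset is given is an assumption of this example, since
the scheme's original definition did not specify one.

```python
"""Added example (not part of the original message or the draft):
parsing a 'Basic' challenge and building the matching credentials."""
import base64
import re

# RFC 7230 tchar: characters allowed in a token.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"

# One auth-param: token "=" ( token / quoted-string ), followed by an
# optional comma separator (RFC 7235 ABNF, whitespace tolerated).
_PARAM_RE = re.compile(
    r"\s*(" + _TCHAR + r")\s*=\s*"
    r'(?:"((?:[^"\\]|\\.)*)"|(' + _TCHAR + r"))\s*(?:,|$)"
)

# The only parameters the Basic scheme defines.
KNOWN_PARAMS = {"realm", "charset"}


def parse_basic_challenge(challenge):
    """Parse a WWW-Authenticate field value for the Basic scheme.

    Returns (params, ignored): 'params' maps the known parameter names
    (lower-cased) to their unquoted values; 'ignored' lists the names of
    unknown parameters, which a recipient MUST ignore instead of treating
    the challenge as malformed."""
    scheme, _, rest = challenge.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic challenge")
    params, ignored = {}, []
    pos = 0
    while pos < len(rest):
        m = _PARAM_RE.match(rest, pos)
        if not m:
            raise ValueError("malformed auth-param at offset %d" % pos)
        name = m.group(1).lower()  # parameter names are case-insensitive
        if m.group(2) is not None:
            value = re.sub(r"\\(.)", r"\1", m.group(2))  # undo quoted-pair
        else:
            value = m.group(3)
        if name in KNOWN_PARAMS:
            params[name] = value
        else:
            ignored.append(name)
        pos = m.end()
    if "realm" not in params:
        raise ValueError("Basic challenge without realm")
    if "charset" in params and params["charset"].lower() != "utf-8":
        raise ValueError("only charset UTF-8 is defined for Basic")
    return params, ignored


def _encoding_for(charset):
    # charset="UTF-8" selects UTF-8; with no charset the draft leaves the
    # encoding unspecified, and ISO-8859-1 is this example's assumption.
    return "utf-8" if charset and charset.lower() == "utf-8" else "iso-8859-1"


def encode_credentials(userid, password, charset=None):
    """Client side: build the Authorization field value.

    The user-id must not contain ':' because that character delimits
    user-id and password; Base64 here is only a transport encoding of
    the octets, not a secret-hiding step."""
    if ":" in userid:
        raise ValueError("user-id must not contain ':'")
    user_pass = ("%s:%s" % (userid, password)).encode(_encoding_for(charset))
    return "Basic " + base64.b64encode(user_pass).decode("ascii")


def decode_credentials(field_value, charset=None):
    """Server side: recover (userid, password), splitting on the FIRST
    colon only so that passwords containing ':' survive the round trip."""
    scheme, _, token = field_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic credentials")
    octets = base64.b64decode(token.strip(), validate=True)
    userid, sep, password = octets.decode(_encoding_for(charset)).partition(":")
    if not sep:
        raise ValueError("user-pass without ':'")
    return userid, password


if __name__ == "__main__":
    # Constructed challenge: a known realm, the charset parameter, and a
    # parameter the recipient has never heard of.
    challenge = 'Basic realm="WallyWorld", charset="UTF-8", futureparam=xyz'
    params, ignored = parse_basic_challenge(challenge)
    print(params, "ignored:", ignored)
    creds = encode_credentials("test", "123\u00a3", params.get("charset"))
    print(creds)
    print(decode_credentials(creds, params.get("charset")))
```

A recipient that rejects the challenge on seeing `futureparam` would break the
extension point the draft describes; the parser above deliberately reports the
unknown name but continues. The round trip also shows why the charset matters:
without it, a non-ASCII password such as "123£" has no agreed octet form, so
client and server may disagree on what was sent.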