Re: [http-auth] Working Group Last Call for draft-ietf-httpauth-basicauth-update-03.txt

Benjamin Kaduk <kaduk@MIT.EDU> Fri, 05 December 2014 22:08 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C1261A6F3E for <http-auth@ietfa.amsl.com>; Fri, 5 Dec 2014 14:08:51 -0800 (PST)
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8NW12YnkbZAk for <http-auth@ietfa.amsl.com>; Fri, 5 Dec 2014 14:08:49 -0800 (PST)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF4901A6F3B for <http-auth@ietf.org>; Fri, 5 Dec 2014 14:08:41 -0800 (PST)
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id 1A.27.03326.8EC22845; Fri, 5 Dec 2014 17:08:40 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id sB5M8do5016288; Fri, 5 Dec 2014 17:08:40 -0500
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id sB5M8b4u008867 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 5 Dec 2014 17:08:39 -0500
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id sB5M8bNd017275; Fri, 5 Dec 2014 17:08:37 -0500 (EST)
Date: Fri, 05 Dec 2014 17:08:37 -0500
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Julian Reschke <julian.reschke@gmx.de>
In-Reply-To: <5481FEE1.8070403@gmx.de>
Message-ID: <alpine.GSO.1.10.1412051706330.23489@multics.mit.edu>
References: <20141202111608.27803.85751.idtracker@ietfa.amsl.com> <60D2DF51-5CD9-4A55-8031-4F974C0F8DF9@gmail.com> <alpine.GSO.1.10.1412051146120.23489@multics.mit.edu> <5481FEE1.8070403@gmx.de>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/SXCNazw3-q7C2-29Uyvb6hrv2yI
Cc: IETF HTTP Auth <http-auth@ietf.org>
Subject: Re: [http-auth] Working Group Last Call for draft-ietf-httpauth-basicauth-update-03.txt
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Dec 2014 22:08:51 -0000

On Fri, 5 Dec 2014, Julian Reschke wrote:

> > My apologies if this has already been covered, but the abstract includes
> > the phrase "obfuscated by the use of Base64 encoding" (the introduction
> > includes similar content).  It looks like this was introduced in the -01,
> > and the on-list discussion of the -00 didn't really talk about it -- there
> > was a note from Bjoern that the abstract "could use another sentence
> > stating what the `Basic` scheme is", but the word "obfuscate" did not
> > appear.  As such, I thought I would mention it now -- it's not really
> > clear that Base64 encoding counts as obfuscation in this context, where
> > the HTTP headers make it very clear that the userid/password are being
> > conveyed.
>
> I think that "obfuscate" pretty much nails it.

I would hope you think so, given that you wrote it :)

I do not have strong feelings, myself, but it does seem like something
that should at least be discussed on the list, since there is some reason
to believe that people with strong opinions do exist.

> > I think the submission checklist wants the abstract (and introduction?) to
> > explicitly mention when an RFC is being updated or obsoleted.  Relatedly,
>
> I've heard that before, but I also heard the opposite at some other point.
> I'll wait for the IESG feedback on this.

Sure, no particular hurry.

> > the first clause of the introduction says that this document defines
> > "basic", but the citation to RFC 7235 could be read as if it is a citation
> > for "basic" (as opposed to HTTP Authentication); perhaps this is better:
> >
> > % This document defines "Basic" as a Hypertext Transfer Protocol (HTTP)
> > % Authentication Scheme ([RFC7235]), which transmits credentials as
> > % Base64-encoded userid/password pairs.
>
> Concern understood, but now the "which" applies to the wrong term.
>
> I'll try to address this differently.

Thanks -- I was not super-happy with my new text, either.

-Ben
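The point under discussion is whether Base64 "obfuscates" anything. The following example, added here and not part of the thread or of the draft, builds and parses an `Authorization: Basic` header value the way a server or proxy would, using only the Python standard library. It shows that the userid/password pair is recovered by a single reversible decoding step, and that the only real parsing rule is splitting on the first colon (so a password may contain colons, but a userid may not). The sample pair is a constructed one (the same pair the Basic scheme's own example uses).

```python
import base64
import binascii


def make_basic_header(userid: str, password: str) -> str:
    """Build the value of an Authorization header for the Basic scheme.

    The credential is "userid:password" passed through Base64.  Base64 is a
    transport encoding, not encryption: anyone who sees the header can undo
    it, which is why Basic is only acceptable over TLS.
    """
    if ":" in userid:
        # The first colon separates userid from password, so a userid
        # containing one could not be parsed back unambiguously.
        raise ValueError("userid must not contain ':'")
    token = base64.b64encode(f"{userid}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(value: str):
    """Recover (userid, password) from an Authorization header value.

    Returns None for anything that is not a well-formed Basic credential:
    a different scheme, an empty or invalid Base64 token, non-UTF-8 bytes,
    or a decoded string with no colon in it.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet
        # instead of silently discarding them.
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Split on the FIRST colon only: the password may itself contain colons.
    userid, sep, password = text.partition(":")
    if not sep:
        return None
    return userid, password


if __name__ == "__main__":
    header = make_basic_header("Aladdin", "open sesame")  # constructed sample pair
    print(header)
    print(parse_basic_header(header))
```

Running the block prints the header value and then the decoded pair; the decoding step needs no key or secret, which is the substance of the "obfuscation" question. A server-side implementation would additionally look for a `charset` parameter on the challenge, which is out of scope here.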