Re: [http-auth] Working Group Last Call for draft-ietf-httpauth-basicauth-update-03.txt
Benjamin Kaduk <kaduk@MIT.EDU> Fri, 05 December 2014 17:22 UTC
Date: Fri, 05 Dec 2014 12:21:57 -0500
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: IETF HTTP Auth <http-auth@ietf.org>
In-Reply-To: <60D2DF51-5CD9-4A55-8031-4F974C0F8DF9@gmail.com>
Message-ID: <alpine.GSO.1.10.1412051146120.23489@multics.mit.edu>
References: <20141202111608.27803.85751.idtracker@ietfa.amsl.com> <60D2DF51-5CD9-4A55-8031-4F974C0F8DF9@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/ZiOBP7xk3zsdJwhBTh0pZNRoezo
On Tue, 2 Dec 2014, Yoav Nir wrote:

> Thank you, Julian
>
> This begins a 2-week WGLC for this document.
>
> Please take the time to read through and post any comments to the list.

My apologies if this has already been covered, but the abstract includes the phrase "obfuscated by the use of Base64 encoding" (the introduction includes similar content). It looks like this was introduced in the -01, and the on-list discussion of the -00 didn't really talk about it -- there was a note from Bjoern that the abstract "could use another sentence stating what the `Basic` scheme is", but the word "obfuscate" did not appear. As such, I thought I would mention it now -- it's not really clear that Base64 encoding counts as obfuscation in this context, where the HTTP headers make it very clear that the userid/password are being conveyed.

I think the submission checklist wants the abstract (and introduction?) to explicitly mention when an RFC is being updated or obsoleted.

Relatedly, the first clause of the introduction says that this document defines "basic", but the citation to RFC 7235 could be read as if it is a citation for "basic" (as opposed to HTTP Authentication); perhaps this is better:

% This document defines "Basic" as a Hypertext Transfer Protocol (HTTP)
% Authentication Scheme ([RFC7235]), which transmits credentials as
% Base64-encoded userid/password pairs.

Section 3 says that "Senders can use the new 'charset' parameter", but it seems that only servers can do so. Was this intended to say "Servers" instead of "Senders"?

Section 4 says that the transmission of the password is "essentially cleartext", whereas section 1 just says that it is "cleartext". Which is it?

Grammar nits:

In section 2:

% 1. obtains userid and password from the user,

I would add the definite article "the" before "userid" to match the other items.

In the paragraph following that list, I would s/compatible to/compatible with/.

In the paragraph following that paragraph, you could add "The" at the beginning to avoid starting the sentence with the identifier "userid" (and the ensuing debate about whether to capitalize the initial letter).

-Ben
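The two substantive points in the message above (Base64 is a reversible encoding rather than obfuscation, and the 'charset' parameter is something only the server can send, in its WWW-Authenticate challenge) are easy to see in code. The following is an added example, not part of the thread and not the draft's or any project's code. The function names are my own; the credential pairs "Aladdin"/"open sesame" and "test"/"123£" are the familiar illustrative values for the scheme, and the treatment of 'charset' (carried in the server's challenge, with "UTF-8" as the only meaningful value) follows the scheme as published.

```python
import base64
import re
from typing import Optional, Tuple


def encode_basic_credentials(userid: str, password: str, charset: str = "UTF-8") -> str:
    """Build an Authorization header value for the Basic scheme.

    Basic transmits the literal string "userid:password", encoded in the given
    charset and then Base64-encoded. Base64 is fully reversible, which is why
    calling it "obfuscation" is a stretch: nothing here hides the password.
    """
    if ":" in userid:
        # The colon is the separator, so it cannot appear in the userid itself.
        raise ValueError("userid must not contain ':'")
    user_pass = f"{userid}:{password}".encode(charset)
    return "Basic " + base64.b64encode(user_pass).decode("ascii")


def decode_basic_credentials(header_value: str, charset: str = "UTF-8") -> Tuple[str, str]:
    """Recover (userid, password) from an Authorization header value.

    Splits on the FIRST colon only, so a password may itself contain colons.
    Any party that can read the header (a proxy, a log, anyone on the path of a
    non-TLS connection) can do exactly this, which is what "cleartext" means.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError(f"not a Basic credential: {scheme!r}")
    raw = base64.b64decode(token.strip(), validate=True)
    user_pass = raw.decode(charset)
    userid, sep, password = user_pass.partition(":")
    if not sep:
        raise ValueError("decoded credential lacks the ':' separator")
    return userid, password


# Minimal parameter scan; a production parser would tokenize auth-params fully
# so that a realm string containing the text charset= cannot fool it.
_CHARSET_PARAM = re.compile(r'(?:^|[\s,])charset\s*=\s*"?([A-Za-z0-9._-]+)"?', re.IGNORECASE)


def challenge_charset(www_authenticate: str) -> Optional[str]:
    """Return the charset a server advertised in a Basic challenge, or None.

    The parameter travels only in WWW-Authenticate (server to client); a client
    never sends it. Only "UTF-8" is meaningful, so a caller should treat any
    other value as unexpected rather than honour it.
    """
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    m = _CHARSET_PARAM.search(params)
    return m.group(1).upper() if m else None


if __name__ == "__main__":
    # Constructed demonstration: a server challenge advertising UTF-8, and a
    # client answering with a non-ASCII password.
    challenge = 'Basic realm="WallyWorld", charset="UTF-8"'
    cs = challenge_charset(challenge) or "US-ASCII"
    header = encode_basic_credentials("test", "123\u00a3", charset=cs)
    print(header)                               # Basic dGVzdDoxMjPCow==
    print(decode_basic_credentials(header, cs))  # ('test', '123£')
```

The round trip is the whole argument: the credential is recovered byte-for-byte by anyone holding the header, so the only protection the scheme offers is whatever the transport (TLS) provides. The charset helper also shows why "Senders" is misleading in section 3: the value is parsed out of the server's challenge, never out of a client's request.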