Re: [http-auth] Working Group Last Call for draft-ietf-httpauth-basicauth-update-03.txt

Michael Sweet <msweet@apple.com> Wed, 03 December 2014 16:15 UTC

From: Michael Sweet <msweet@apple.com>
Date: Wed, 03 Dec 2014 11:14:58 -0500
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: IETF HTTP Auth <http-auth@ietf.org>
Subject: Re: [http-auth] Working Group Last Call for draft-ietf-httpauth-basicauth-update-03.txt
Message-id: <61D95DD7-42F3-4483-8C72-E29C16180C56@apple.com>
In-reply-to: <60D2DF51-5CD9-4A55-8031-4F974C0F8DF9@gmail.com>
References: <20141202111608.27803.85751.idtracker@ietfa.amsl.com> <60D2DF51-5CD9-4A55-8031-4F974C0F8DF9@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/fJaFTOlXqzFWODo-P_qFw01WZcI

My comments:

- Section 2 makes the "charset" parameter OPTIONAL. I'm wondering if this should be RECOMMENDED in order to encourage adoption of UTF-8 usernames and passwords since that solves common deployment and interop issues.

- Section 2.1 uses "can" (servers can use the "charset" authentication parameter...) If "charset" is OPTIONAL in section 2, I think this should be "MAY" (servers MAY use ...), and if RECOMMENDED this should be "SHOULD" (servers SHOULD use ...), although then you'd want to clarify that it is a SHOULD when using UTF-8...

- Section 4 doesn't talk about using TLS/HTTPS, which is a common method for providing some level of protection for the cleartext password in transit.  It might be sufficient to simply expand on "enhancements", e.g.:

   Because Basic authentication involves the cleartext transmission of
   passwords it SHOULD NOT be used (without enhancements such as HTTPS [RFC2818])
   to protect sensitive or valuable information.

  with a corresponding informative reference to RFC 2818 in section 7.2.  That at least provides a pointer without endorsing Basic + HTTPS as a "secure" combination...
> On Dec 2, 2014, at 6:19 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> 
> Thank you, Julian
> 
> This begins a 2-week WGLC for this document.
> 
> Please take the time to read through and post any comments to the list.
> 
> Cheers
> 
> Matt & Yoav
> 
>> On Dec 2, 2014, at 1:16 PM, internet-drafts@ietf.org wrote:
>> 
>> 
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Hypertext Transfer Protocol Authentication Working Group of the IETF.
>> 
>>       Title           : The 'Basic' HTTP Authentication Scheme
>>       Author          : Julian F. Reschke
>>       Filename        : draft-ietf-httpauth-basicauth-update-03.txt
>>       Pages           : 14
>>       Date            : 2014-12-02
>> 
>> Abstract:
>>  This document defines the "Basic" Hypertext Transfer Protocol (HTTP)
>>  Authentication Scheme, which transmits credentials as userid/password
>>  pairs, obfuscated by the use of Base64 encoding.
>> 
>> 
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-httpauth-basicauth-update/
>> 
>> There's also a htmlized version available at:
>> http://tools.ietf.org/html/draft-ietf-httpauth-basicauth-update-03
>> 
>> A diff from the previous version is available at:
>> http://www.ietf.org/rfcdiff?url2=draft-ietf-httpauth-basicauth-update-03
>> 
>> 
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>> 
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>> 
>> _______________________________________________
>> http-auth mailing list
>> http-auth@ietf.org
>> https://www.ietf.org/mailman/listinfo/http-auth

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
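The two substantive points in the thread, the "charset" authentication parameter for UTF-8 credentials and the fact that Basic only Base64-obfuscates the password, can both be seen in a short client/server round trip. The following is an added example written for this archive page; it is not code from the thread, the draft, or its author. The challenge/credentials builders follow the Basic syntax the draft describes; the Latin-1 fallback used when no "charset" is present is an assumption of this example (a common historical behaviour), not a rule the draft states, and the realm and credential values are constructed.

```python
import base64
import re
from typing import Dict, Tuple

# Constructed value for the example; not from the draft or the thread.
REALM = "example"


def build_challenge(realm: str, utf8: bool = True) -> str:
    """Server side: build a WWW-Authenticate value for the Basic scheme.

    When present, the "charset" auth-param tells the client which encoding to
    apply to user-id:password before Base64; the only value the draft
    defines is "UTF-8".
    """
    params = [f'realm="{realm}"']
    if utf8:
        params.append('charset="UTF-8"')
    return "Basic " + ", ".join(params)


# Minimal auth-param parser: token "=" (quoted-string | token).
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(header: str) -> Dict[str, str]:
    """Client side: extract auth-params from a Basic challenge."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic challenge")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def credentials_encoding(params: Dict[str, str]) -> str:
    """Pick the codec for the user-pass string.

    Without "charset" the client has to guess; this example assumes Latin-1
    as the fallback (an assumption here, not something the draft mandates),
    which is exactly the interop problem the UTF-8 parameter addresses.
    """
    charset = params.get("charset")
    if charset is None:
        return "latin-1"
    if charset.upper() != "UTF-8":
        raise ValueError(f"unsupported charset {charset!r}")
    return "utf-8"


def encodable(text: str, encoding: str) -> bool:
    """True if every character of text survives the given encoding."""
    try:
        text.encode(encoding)
    except UnicodeEncodeError:
        return False
    return True


def build_authorization(user: str, password: str, encoding: str) -> str:
    """Client side: Authorization header value for the Basic scheme."""
    if ":" in user:
        raise ValueError("user-id must not contain a colon")
    user_pass = f"{user}:{password}".encode(encoding)
    return "Basic " + base64.b64encode(user_pass).decode("ascii")


def decode_authorization(header: str, encoding: str) -> Tuple[str, str]:
    """Server side: recover user-id and password.

    Anyone who sees the header can do this too; Base64 is reversible, which
    is why the thread asks for a pointer to TLS/HTTPS in the security section.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic credentials")
    user_pass = base64.b64decode(token, validate=True).decode(encoding)
    user, sep, password = user_pass.partition(":")
    if not sep:
        raise ValueError("missing colon separator")
    return user, password


def round_trip(user: str, password: str, utf8: bool) -> Tuple[str, str]:
    """One challenge/response exchange; returns what the server recovers."""
    params = parse_challenge(build_challenge(REALM, utf8=utf8))
    enc = credentials_encoding(params)
    auth = build_authorization(user, password, enc)
    return decode_authorization(auth, enc)


if __name__ == "__main__":
    # A password outside Latin-1 only survives when the server asked for UTF-8.
    print(round_trip("alice", "p\u20acss", utf8=True))
    print(encodable("p\u20acss", "latin-1"))
```

Running the block shows a euro-sign password arriving intact under the UTF-8 challenge and failing the Latin-1 check, which is the deployment issue the first comment refers to; `decode_authorization` recovering the cleartext from the header in one call is the second.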