IETF Logo Mail Archive

Re: [http-auth] Working Group Last Call for draft-ietf-httpauth-basicauth-update-03.txt

Julian Reschke <julian.reschke@gmx.de> Fri, 05 December 2014 18:52 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CDC81A1B4E for <http-auth@ietfa.amsl.com>; Fri, 5 Dec 2014 10:52:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.9
X-Spam-Level:
X-Spam-Status: No, score=-3.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HzedwhM9tr66 for <http-auth@ietfa.amsl.com>; Fri, 5 Dec 2014 10:52:35 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEB671AD55F for <http-auth@ietf.org>; Fri, 5 Dec 2014 10:52:34 -0800 (PST)
Received: from [192.168.2.160] ([93.217.106.159]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0M03qC-1XiRo82cwu-00uJmi; Fri, 05 Dec 2014 19:52:30 +0100
Message-ID: <5481FEE1.8070403@gmx.de>
Date: Fri, 05 Dec 2014 19:52:17 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Benjamin Kaduk <kaduk@MIT.EDU>, IETF HTTP Auth <http-auth@ietf.org>
References: <20141202111608.27803.85751.idtracker@ietfa.amsl.com> <60D2DF51-5CD9-4A55-8031-4F974C0F8DF9@gmail.com> <alpine.GSO.1.10.1412051146120.23489@multics.mit.edu>
In-Reply-To: <alpine.GSO.1.10.1412051146120.23489@multics.mit.edu>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:I6I0i5k8WtTGkWu+mhr6hIC4t8ZAKksyqck7xICug5ayfFhJ3vn LtNREVideR6v6thnsCFyfUc7JcqxhIhDa7r0wqJ8dNiSHxHFsqQB40mswfUmurHKEqK/k/G 7GUeJagQPJTs1VJb5B4YxcttbXXO+dpbayQ7rJY1NCyCU0fdzmTc1aKvKYI3/qmK7zgGbNW AHKWRcGQtI9KwMy2NtP4Q==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/tCnc4DPAkTF-Bdhy5m75gEy5FCg
Subject: Re: [http-auth] Working Group Last Call for draft-ietf-httpauth-basicauth-update-03.txt
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Dec 2014 18:52:37 -0000

On 2014-12-05 18:21, Benjamin Kaduk wrote:
> On Tue, 2 Dec 2014, Yoav Nir wrote:
>
>> Thank you, Julian
>>
>> This begins a 2-week WGLC for this document.
>>
>> Please take the time to read through and post any comments to the list.
>
> My apologies if this has already been covered, but the abstract includes
> the phrase "obfuscated by the use of Base64 encoding" (the introduction
> includes similar content).  It looks like this was introduced in the -01,
> and the on-list discussion of the -00 didn't really talk about it -- there
> was a note from Bjoern that the abstract "could use another sentence
> stating what the `Basic` scheme is", but the word "obfuscate" did not
> appear.  As such, I thought I would mention it now -- it's not really
> clear that Base64 encoding counts as obfuscation in this context, where
> the HTTP headers make it very clear that the userid/password are being
> conveyed.

I think that "obfuscate" pretty much nails it.

> I think the submission checklist wants the abstract (and introduction?) to
> explicitly mention when an RFC is being updated or obsoleted.  Relatedly,

I've heart that before, but I also heard the opposite at some other 
point. I'll wait for the IESG feedback on this.

> the first clause of the introduction says that this document defines
> "basic", but the citation to RFC 7235 could be read as if it is a citation
> for "basic" (as opposed to HTTP Authentication); perhaps this is better:
>
> % This document defines "Basic" as a Hypertext Transfer Protocol (HTTP)
> % Authentication Scheme ([RFC7235]), which transmits credentials as
> % Base64-encoded userid/password pairs.

Concern understood, but now the "which" applies to the wrong term.

I'll try to address this differently.

> Section 3 says that "Senders can use the new 'charset' parameter", but it
> seems that only servers can do so.  Was this intended to say "Servers"
> instead of "Senders"?

I believe my intent was to include proxies, but then, "server" includes 
proxies too.

> Section for says that the transmission of the password is "essentially
> cleartext", whereas section 1 just says that it is "cleartext".  Which is
> it?

I'll remove the "essentially" from the Security Considerations.

> Grammar nits:
>
>
> In section 2:
>
> % 1.  obtains userid and password from the user,
>
> I would add the definite article "the" before "userid" to match the other
> items.

ack.

> In the paragraph following that list, I would s/compatible to/compatible
> with/.

ack.

> In the paragraph following that paragraph, you could add "The" at the
> beginning to avoid starting the sentence with the identifier "userid" (and
> the ensuing debate about whether to capitalize the initial letter).

Thanks a lot for the feedback!

-> <http://trac.tools.ietf.org/wg/httpauth/trac/changeset/89>

Best regards, Julian

v2.23.0 | Report a Bug | By Email