Re: Informal Last Call for draft-reschke-basicauth-enc-04, was: Fwd: I-D Action: draft-reschke-basicauth-enc-04.txt

Julian Reschke <julian.reschke@gmx.de> Mon, 30 January 2012 13:32 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5601121F85D4 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 30 Jan 2012 05:32:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.025
X-Spam-Level:
X-Spam-Status: No, score=-8.025 tagged_above=-999 required=5 tests=[AWL=2.574, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1sNahpcSCzpx for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 30 Jan 2012 05:32:17 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id BA4A821F842C for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 30 Jan 2012 05:32:17 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.69) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1RrrL4-0007iY-JB for ietf-http-wg-dist@listhub.w3.org; Mon, 30 Jan 2012 13:32:06 +0000
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.69) (envelope-from <julian.reschke@gmx.de>) id 1RrrKt-0007hO-Rt for ietf-http-wg@listhub.w3.org; Mon, 30 Jan 2012 13:31:55 +0000
Received: from mailout-de.gmx.net ([213.165.64.22]) by maggie.w3.org with smtp (Exim 4.72) (envelope-from <julian.reschke@gmx.de>) id 1RrrKs-0002p1-0s for ietf-http-wg@w3.org; Mon, 30 Jan 2012 13:31:55 +0000
Received: (qmail invoked by alias); 30 Jan 2012 13:31:27 -0000
Received: from mail.greenbytes.de (EHLO [192.168.1.140]) [217.91.35.233] by mail.gmx.net (mp038) with SMTP; 30 Jan 2012 14:31:27 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX18XXJxzmr4XfImH8YVRvVdmJVSYZ2Zo6agvNU1ISk MHzSaPS2cE6Ldy
Message-ID: <4F269BA8.3020508@gmx.de>
Date: Mon, 30 Jan 2012 14:31:20 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: "Manger, James H" <James.H.Manger@team.telstra.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>
References: <20120129152840.10536.93223.idtracker@ietfa.amsl.com> <4F2567DA.3060608@gmx.de> <255B9BB34FB7D647A506DC292726F6E114EAF1B768@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E114EAF1B768@WSMSG3153V.srv.dir.telstra.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Received-SPF: pass client-ip=213.165.64.22; envelope-from=julian.reschke@gmx.de; helo=mailout-de.gmx.net
X-W3C-Hub-Spam-Status: No, score=-1.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1RrrKs-0002p1-0s b542bd43231e45c914fdf4fc84795036
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Informal Last Call for draft-reschke-basicauth-enc-04, was: Fwd: I-D Action: draft-reschke-basicauth-enc-04.txt
Archived-At: <http://www.w3.org/mid/4F269BA8.3020508@gmx.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/12262
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Resent-Message-Id: <E1RrrL4-0007iY-JB@frink.w3.org>
Resent-Date: Mon, 30 Jan 2012 13:32:06 +0000

On 2012-01-30 02:22, Manger, James H wrote:
> Quick comment on draft-reschke-basicauth-enc-04.txt "An Encoding Parameter for HTTP Basic Authentication":
>
> The text about not including the 'encoding' parameter when sending the password is a bit confusing [section 3].
>
>     For credentials sent by the user agent, the "encoding" parameter is
>     reserved for future use and MUST NOT be sent.
>
>     The reason for this is that the information that could be included
>     does not seem to be useful to the server, but the additional
>     complexity of parsing and processing the additional parameter might
>     make this extension harder to deploy.
>
>
> My guess is that the spec intended to say that including the encoding information *would* be useful, but it cannot be added easily. This is a good illustration of the 3rd dot point from "2.3.1 Considerations for new Authentication Schemes" [draft-ietf-httpbis-p7-auth-18#section-2.3.1]: "b64token ... can only be used once ... future extensions will be impossible".

Actually, this text was written long before we fixed the auth-param 
grammar in HTTPbis, and I just forgot about the outcome.

> My suggested replacement for these 2 paragraphs:
>
>     Note: The 'encoding' parameter cannot be included when sending
>     credentials (eg in the Authorization header) as the "Basic" scheme
>     uses a single base64 token for that ('b64token' syntax), not a
>     parameter list ('#auth-param' syntax)
>     [draft-ietf-httpbis-p7-auth-18#section-2.1].

+1. Thanks for catching this!

> P.S. What are the odds that everyone treats the following lines as exactly equivalent to the example of encoding="UTF-8" as they are supposed to?
>    encoding=UTF-8
>    Encoding="utf\-8"

Dunno. Examples. Test cases. Etc.

My experience is that once you publish test cases and report on browser 
compliance, browsers actually get fixed. (And yes, sometimes this means 
fixing them myself :-)-

One alternative would be to special case this one (ugh!), or to change 
the defaults HTTP-wide (ugh!).

Best regards, Julian