Re: Informal Last Call for draft-reschke-basicauth-enc-04, was: Fwd: I-D Action: draft-reschke-basicauth-enc-04.txt

Julian Reschke <> Mon, 30 January 2012 13:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5601121F85D4 for <>; Mon, 30 Jan 2012 05:32:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -8.025
X-Spam-Status: No, score=-8.025 tagged_above=-999 required=5 tests=[AWL=2.574, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1sNahpcSCzpx for <>; Mon, 30 Jan 2012 05:32:17 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id BA4A821F842C for <>; Mon, 30 Jan 2012 05:32:17 -0800 (PST)
Received: from lists by with local (Exim 4.69) (envelope-from <>) id 1RrrL4-0007iY-JB for; Mon, 30 Jan 2012 13:32:06 +0000
Received: from ([]) by with esmtp (Exim 4.69) (envelope-from <>) id 1RrrKt-0007hO-Rt for; Mon, 30 Jan 2012 13:31:55 +0000
Received: from ([]) by with smtp (Exim 4.72) (envelope-from <>) id 1RrrKs-0002p1-0s for; Mon, 30 Jan 2012 13:31:55 +0000
Received: (qmail invoked by alias); 30 Jan 2012 13:31:27 -0000
Received: from (EHLO []) [] by (mp038) with SMTP; 30 Jan 2012 14:31:27 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX18XXJxzmr4XfImH8YVRvVdmJVSYZ2Zo6agvNU1ISk MHzSaPS2cE6Ldy
Message-ID: <>
Date: Mon, 30 Jan 2012 14:31:20 +0100
From: Julian Reschke <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: "Manger, James H" <>
CC: HTTP Working Group <>
References: <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-1.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001
X-W3C-Scan-Sig: 1RrrKs-0002p1-0s b542bd43231e45c914fdf4fc84795036
Subject: Re: Informal Last Call for draft-reschke-basicauth-enc-04, was: Fwd: I-D Action: draft-reschke-basicauth-enc-04.txt
Archived-At: <>
X-Mailing-List: <> archive/latest/12262
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>
Resent-Message-Id: <>
Resent-Date: Mon, 30 Jan 2012 13:32:06 +0000

On 2012-01-30 02:22, Manger, James H wrote:
> Quick comment on draft-reschke-basicauth-enc-04.txt "An Encoding Parameter for HTTP Basic Authentication":
> The text about not including the 'encoding' parameter when sending the password is a bit confusing [section 3].
>     For credentials sent by the user agent, the "encoding" parameter is
>     reserved for future use and MUST NOT be sent.
>     The reason for this is that the information that could be included
>     does not seem to be useful to the server, but the additional
>     complexity of parsing and processing the additional parameter might
>     make this extension harder to deploy.
> My guess is that the spec intended to say that including the encoding information *would* be useful, but it cannot be added easily. This is a good illustration of the 3rd dot point from "2.3.1 Considerations for new Authentication Schemes" [draft-ietf-httpbis-p7-auth-18#section-2.3.1]: "b64token ... can only be used once ... future extensions will be impossible".

Actually, this text was written long before we fixed the auth-param 
grammar in HTTPbis, and I just forgot about the outcome.

> My suggested replacement for these 2 paragraphs:
>     Note: The 'encoding' parameter cannot be included when sending
>     credentials (eg in the Authorization header) as the "Basic" scheme
>     uses a single base64 token for that ('b64token' syntax), not a
>     parameter list ('#auth-param' syntax)
>     [draft-ietf-httpbis-p7-auth-18#section-2.1].

+1. Thanks for catching this!

> P.S. What are the odds that everyone treats the following lines as exactly equivalent to the example of encoding="UTF-8" as they are supposed to?
>    encoding=UTF-8
>    Encoding="utf\-8"

Dunno. Examples. Test cases. Etc.

My experience is that once you publish test cases and report on browser 
compliance, browsers actually get fixed. (And yes, sometimes this means 
fixing them myself :-)-

One alternative would be to special case this one (ugh!), or to change 
the defaults HTTP-wide (ugh!).

Best regards, Julian