Re: WGLC p7: Parsing auth challenges

Julian Reschke <julian.reschke@gmx.de> Tue, 30 April 2013 11:45 UTC

Message-ID: <517FAE54.5070801@gmx.de>
Date: Tue, 30 Apr 2013 13:43:16 +0200
From: Julian Reschke <julian.reschke@gmx.de>
To: Ben Niven-Jenkins <ben@niven-jenkins.co.uk>
CC: HTTP Working Group <ietf-http-wg@w3.org>
References: <8F6FB0A1-4D7E-4847-92A7-14B240FAC23A@niven-jenkins.co.uk>
In-Reply-To: <8F6FB0A1-4D7E-4847-92A7-14B240FAC23A@niven-jenkins.co.uk>
Archived-At: <http://www.w3.org/mid/517FAE54.5070801@gmx.de>

On 2013-04-29 20:55, Ben Niven-Jenkins wrote:
> Hi,
>
> In sections 2.1 & 4.4 (and by reference 4.2) of p7 User Agents are guided to take "special care" when parsing WWW-Authenticate and/or Proxy-Authenticate header field values, but it is never plainly stated what that means.
>
> From the grammar, it looks as if the critical distinction is that (ignoring any allowed whitespace for brevity):
>
> A sequence "," token "=" means we are now receiving a parameter to an existing challenge. This is guaranteed because the "=" and value are non-optional components of auth-param. (The grammar would be unresolvably ambiguous otherwise.)
>
> A sequence "," token and anything other than "=" means we are now receiving the start of a new challenge. This is guaranteed because token68 may not contain "," and token (for a following auth-param) may not be empty. (The grammar would be unresolvably ambiguous otherwise.)

Right (or something invalid).

> (And if we don't get something, after whitespace elimination, which is either the end of the header field value or a token after the ",", then the value is invalid and should be rejected.)

You could have an empty list entry, such as in

  WWW-Authenticate: Basic realm="foo", , Basic realm="bar"

> If that interpretation is correct, it would be helpful to state this clearly, rather than merely infer it. (And if that interpretation is not correct, clearly relying on inference alone is unreliable!)

The interpretation is correct. Can you make a more concrete proposal?

> There is perhaps still the question of whether in the face of multiple WWW/Proxy-Authenticate headers, the implied "," separating their values according to #rule is still allowed to operate at both levels of the grammar, or only at the outermost (#challenge) level.

Not sure about what you're asking. Can you provide an example?

Best regards, Julian
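A parser that applies the rule Ben spells out (after ",", a token followed by "=" continues the current challenge, a token followed by anything else starts a new one, anything else is invalid) and skips the empty list elements Julian points to. This is added example code, not part of the thread; it assumes the token, quoted-string and token68 productions of the p7 draft rendered as character classes, and is lenient in accepting HTAB where the draft says SP.

```python
import re

# Grammar pieces of p7 (assumed, rendered as regexes): token, quoted-string, token68.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"          # cannot contain ",", so it never eats a separator
_SEP = re.compile(r"[ \t]*(?:,[ \t]*)*")      # OWS plus any number of empty list elements
_PARAM = re.compile(rf"({TOKEN})[ \t]*=[ \t]*({TOKEN}|{QUOTED})")
_SCHEME = re.compile(TOKEN)
_T68 = re.compile(rf"[ \t]+({TOKEN68})(?=[ \t,]|$)")
_SP = re.compile(r"[ \t]+")                   # lenient: 1*SP in the draft, HTAB accepted here

def _unquote(s):
    return re.sub(r"\\(.)", r"\1", s[1:-1]) if s.startswith('"') else s

def parse_challenges(value):
    """Parse a WWW-Authenticate / Proxy-Authenticate value into
    [[scheme, token68_or_None, {param: value}], ...]; raise ValueError if invalid."""
    challenges, pos = [], 0
    while True:
        sep = _SEP.match(value, pos)            # skip OWS and ", ," style empty elements
        pos = sep.end()
        if pos == len(value):
            return challenges
        if challenges and "," not in sep.group():
            raise ValueError("expected ',' at offset %d" % pos)
        param = _PARAM.match(value, pos)
        if param:                               # "," token "=" value: auth-param of current challenge
            if not challenges or challenges[-1][1] is not None:
                raise ValueError("auth-param without a challenge at offset %d" % pos)
            challenges[-1][2][param.group(1).lower()] = _unquote(param.group(2))
            pos = param.end()
            continue
        scheme = _SCHEME.match(value, pos)
        if not scheme:                          # neither end nor token after ",": reject
            raise ValueError("expected auth-scheme at offset %d" % pos)
        chal = [scheme.group(0), None, {}]      # "," token (no "="): a new challenge
        challenges.append(chal)
        pos = scheme.end()
        sp = _SP.match(value, pos)
        if sp:                                  # 1*SP then token68 or the first auth-param
            param = _PARAM.match(value, sp.end())
            t68 = _T68.match(value, pos)
            if param:                           # "abc=d" is a param; "abc=" / "abc==" are token68
                chal[2][param.group(1).lower()] = _unquote(param.group(2))
                pos = param.end()
            elif t68:
                chal[1] = t68.group(1)
                pos = t68.end()
```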