Re: Informal Last Call for draft-reschke-basicauth-enc-04, was: Fwd: I-D Action: draft-reschke-basicauth-enc-04.txt

Julian Reschke <julian.reschke@gmx.de> Mon, 30 January 2012 17:30 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D57D21F86AA for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 30 Jan 2012 09:30:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.993
X-Spam-Level:
X-Spam-Status: No, score=-7.993 tagged_above=-999 required=5 tests=[AWL=2.606, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q4SBxvWOGhGH for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 30 Jan 2012 09:30:44 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id BD15D21F867F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 30 Jan 2012 09:30:44 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.69) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Rrv2a-0000nj-N5 for ietf-http-wg-dist@listhub.w3.org; Mon, 30 Jan 2012 17:29:16 +0000
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.69) (envelope-from <julian.reschke@gmx.de>) id 1Rrv2M-0000gu-Pn for ietf-http-wg@listhub.w3.org; Mon, 30 Jan 2012 17:29:02 +0000
Received: from mailout-de.gmx.net ([213.165.64.23]) by maggie.w3.org with smtp (Exim 4.72) (envelope-from <julian.reschke@gmx.de>) id 1Rrv2F-0002NX-H3 for ietf-http-wg@w3.org; Mon, 30 Jan 2012 17:29:02 +0000
Received: (qmail invoked by alias); 30 Jan 2012 17:28:27 -0000
Received: from mail.greenbytes.de (EHLO [192.168.1.140]) [217.91.35.233] by mail.gmx.net (mp035) with SMTP; 30 Jan 2012 18:28:27 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX19lwGwoltRlxOmnqw29ciuhRQAybFo1Rl8BzoRMA5 Bz3GOqwPpUcLjh
Message-ID: <4F26D337.1020507@gmx.de>
Date: Mon, 30 Jan 2012 18:28:23 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Bjoern Hoehrmann <derhoermi@gmx.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
References: <20120129152840.10536.93223.idtracker@ietfa.amsl.com> <4F2567DA.3060608@gmx.de> <visci75v85ndepsfib5qfpdqvsb84m8piu@hive.bjoern.hoehrmann.de>
In-Reply-To: <visci75v85ndepsfib5qfpdqvsb84m8piu@hive.bjoern.hoehrmann.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Received-SPF: pass client-ip=213.165.64.23; envelope-from=julian.reschke@gmx.de; helo=mailout-de.gmx.net
X-W3C-Hub-Spam-Status: No, score=-1.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1Rrv2F-0002NX-H3 58f8042803a74c010a29eb1f1cd845ed
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Informal Last Call for draft-reschke-basicauth-enc-04, was: Fwd: I-D Action: draft-reschke-basicauth-enc-04.txt
Archived-At: <http://www.w3.org/mid/4F26D337.1020507@gmx.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/12263
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Resent-Message-Id: <E1Rrv2a-0000nj-N5@frink.w3.org>
Resent-Date: Mon, 30 Jan 2012 17:29:16 +0000

On 2012-01-30 12:17, Bjoern Hoehrmann wrote:
> * Julian Reschke wrote:
>> <http://greenbytes.de/tech/webdav/draft-reschke-basicauth-enc-04.html>;

Hi Björn,

thanks for the feedback; see 
<http://greenbytes.de/tech/webdav/draft-reschke-basicauth-enc-latest.html> 
for my work-in-progress.

> Well, "There is little interoperability for characters in the ISO-8859-1
> character set" the US-ASCII subset works reasonably well.

Noted and fixed.

> Don't repeat so much of / so literally the Abstract in the Introduction,
> it's confusing to read the duplicate.

I like it that way :-)

> I think you should mention "WWW-Authenticate" earlier than section 4,
> (something like "for use in headers like WWW-Authenticate" somewhere),
> otherwise it's easy to expect this is for `Authorization` (in part due

Done.

> to the name, `useUTF8` or `use-utf-8="yes" or some such would have been
> clearer).

That's another good suggestion; we're not going to allow any other 
encoding, so maybe making it a real flag is the best solution. What do 
others think?

> "For credentials sent by the user agent, the "encoding" parameter is
> reserved for future use and MUST NOT be sent." You can only reserve
> among options, and RFC 2617 does not allow `encoding` in credentials.
> This should simply say it does not apply to credentials.

That text is gone based on James' feedback.

> The following "The reason for this is" paragraph is confused, it should
> probably be an editor's note to be removed later, otherwise you would
> have to be much clearer what your idea for the parameter's content is,
> the main use case would seem to be recognizing whether the client did
> understand the request to use UTF-8, and that would seem useful enough.
>
>> With respect to intended status: in theory, this is a candidate for
>> Experimental. However, Basic Authentication (as defined in RFC 2617)
>> doesn't have a registry for extension parameters, so the cleanest
>> approach appears to say "Updates 2617", which IMHO requires a standards
>> track document.
>
> Updates 2617 sounds good to me; if there is any problem with that, we
> could make two specifications, one that updates 2617 and establishes a
> registry and then have your extension as experimental document.

Or we could revise RFC 2617's definition of "Basic" and move it into a 
separate document. Technically that would be the cleanest approach, but 
I fear that doing so would summon those who insist on a complete fix for 
all HTTP security issues.

Best regards, Julian