Re: Informal Last Call for draft-reschke-basicauth-enc-04, was: Fwd: I-D Action: draft-reschke-basicauth-enc-04.txt

Julian Reschke <> Mon, 30 January 2012 17:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6D57D21F86AA for <>; Mon, 30 Jan 2012 09:30:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.993
X-Spam-Status: No, score=-7.993 tagged_above=-999 required=5 tests=[AWL=2.606, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Q4SBxvWOGhGH for <>; Mon, 30 Jan 2012 09:30:44 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id BD15D21F867F for <>; Mon, 30 Jan 2012 09:30:44 -0800 (PST)
Received: from lists by with local (Exim 4.69) (envelope-from <>) id 1Rrv2a-0000nj-N5 for; Mon, 30 Jan 2012 17:29:16 +0000
Received: from ([]) by with esmtp (Exim 4.69) (envelope-from <>) id 1Rrv2M-0000gu-Pn for; Mon, 30 Jan 2012 17:29:02 +0000
Received: from ([]) by with smtp (Exim 4.72) (envelope-from <>) id 1Rrv2F-0002NX-H3 for; Mon, 30 Jan 2012 17:29:02 +0000
Received: (qmail invoked by alias); 30 Jan 2012 17:28:27 -0000
Received: from (EHLO []) [] by (mp035) with SMTP; 30 Jan 2012 18:28:27 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX19lwGwoltRlxOmnqw29ciuhRQAybFo1Rl8BzoRMA5 Bz3GOqwPpUcLjh
Message-ID: <>
Date: Mon, 30 Jan 2012 18:28:23 +0100
From: Julian Reschke <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Bjoern Hoehrmann <>
CC: HTTP Working Group <>
References: <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-1.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001
X-W3C-Scan-Sig: 1Rrv2F-0002NX-H3 58f8042803a74c010a29eb1f1cd845ed
Subject: Re: Informal Last Call for draft-reschke-basicauth-enc-04, was: Fwd: I-D Action: draft-reschke-basicauth-enc-04.txt
Archived-At: <>
X-Mailing-List: <> archive/latest/12263
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>
Resent-Message-Id: <>
Resent-Date: Mon, 30 Jan 2012 17:29:16 +0000

On 2012-01-30 12:17, Bjoern Hoehrmann wrote:
> * Julian Reschke wrote:
>> <>;

Hi Björn,

thanks for the feedback; see 
for my work-in-progress.

> Well, "There is little interoperability for characters in the ISO-8859-1
> character set" the US-ASCII subset works reasonably well.

Noted and fixed.

> Don't repeat so much of / so literally the Abstract in the Introduction,
> it's confusing to read the duplicate.

I like it that way :-)

> I think you should mention "WWW-Authenticate" earlier than section 4,
> (something like "for use in headers like WWW-Authenticate" somewhere),
> otherwise it's easy to expect this is for `Authorization` (in part due


> to the name, `useUTF8` or `use-utf-8="yes" or some such would have been
> clearer).

That's another good suggestion; we're not going to allow any other 
encoding, so maybe making it a real flag is the best solution. What do 
others think?

> "For credentials sent by the user agent, the "encoding" parameter is
> reserved for future use and MUST NOT be sent." You can only reserve
> among options, and RFC 2617 does not allow `encoding` in credentials.
> This should simply say it does not apply to credentials.

That text is gone based on James' feedback.

> The following "The reason for this is" paragraph is confused, it should
> probably be an editor's note to be removed later, otherwise you would
> have to be much clearer what your idea for the parameter's content is,
> the main use case would seem to be recognizing whether the client did
> understand the request to use UTF-8, and that would seem useful enough.
>> With respect to intended status: in theory, this is a candidate for
>> Experimental. However, Basic Authentication (as defined in RFC 2617)
>> doesn't have a registry for extension parameters, so the cleanest
>> approach appears to say "Updates 2617", which IMHO requires a standards
>> track document.
> Updates 2617 sounds good to me; if there is any problem with that, we
> could make two specifications, one that updates 2617 and establishes a
> registry and then have your extension as experimental document.

Or we could revise RFC 2617's definition of "Basic" and move it into a 
separate document. Technically that would be the cleanest approach, but 
I fear that doing so would summon those who insist on a complete fix for 
all HTTP security issues.

Best regards, Julian