Re: WGLC p7: Parsing auth challenges
Mark Nottingham <mnot@mnot.net> Tue, 30 April 2013 02:41 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2626621F9A97 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 29 Apr 2013 19:41:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.909
X-Spam-Level:
X-Spam-Status: No, score=-9.909 tagged_above=-999 required=5 tests=[AWL=0.690, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JNl9uoAgS3-g for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 29 Apr 2013 19:41:10 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 638CC21F9C20 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 29 Apr 2013 19:41:03 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UX0Ug-0002ZB-3v for ietf-http-wg-dist@listhub.w3.org; Tue, 30 Apr 2013 02:40:38 +0000
Resent-Date: Tue, 30 Apr 2013 02:40:38 +0000
Resent-Message-Id: <E1UX0Ug-0002ZB-3v@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1UX0UX-0002XH-DX for ietf-http-wg@listhub.w3.org; Tue, 30 Apr 2013 02:40:29 +0000
Received: from mxout-08.mxes.net ([216.86.168.183]) by maggie.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1UX0UW-0007bt-HR for ietf-http-wg@w3.org; Tue, 30 Apr 2013 02:40:29 +0000
Received: from mnot-mini.mnot.net (unknown [118.209.190.66]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 6EB12509B5; Mon, 29 Apr 2013 22:40:04 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <8F6FB0A1-4D7E-4847-92A7-14B240FAC23A@niven-jenkins.co.uk>
Date: Tue, 30 Apr 2013 12:40:01 +1000
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A1F89236-7F9B-417C-86DF-47D6CD4DCC34@mnot.net>
References: <8F6FB0A1-4D7E-4847-92A7-14B240FAC23A@niven-jenkins.co.uk>
To: Ben Niven-Jenkins <ben@niven-jenkins.co.uk>
X-Mailer: Apple Mail (2.1503)
Received-SPF: pass client-ip=216.86.168.183; envelope-from=mnot@mnot.net; helo=mxout-08.mxes.net
X-W3C-Hub-Spam-Status: No, score=-3.4
X-W3C-Hub-Spam-Report: AWL=-3.351, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1UX0UW-0007bt-HR 62a50a06cd221a312a4d2d5bf6e48f97
X-Original-To: ietf-http-wg@w3.org
Subject: Re: WGLC p7: Parsing auth challenges
Archived-At: <http://www.w3.org/mid/A1F89236-7F9B-417C-86DF-47D6CD4DCC34@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17702
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi Ben, I think you have it right, so have created an editorial ticket: http://trac.tools.ietf.org/wg/httpbis/trac/ticket/474 If the editors have a problem with it, they can come back and talk to us. Cheers, On 30/04/2013, at 4:55 AM, Ben Niven-Jenkins <ben@niven-jenkins.co.uk> wrote: > Hi, > > In sections 2.1 & 4.4 (and by reference 4.2) of p7 User Agents are guided to take "special care" when parsing WWW-Authenticate and/or Proxy-Authenticate header field values, but it is never plainly stated what that means. > > From the grammar, it looks as if the critical distinction is that (ignoring any allowed whitespace for brevity): > > A sequence "," token "=" means we are now receiving a parameter to an existing challenge. This is guaranteed because the "=" and value are non-optional components of auth-param. (The grammar would be unresolvably ambiguous otherwise.) > > A sequence "," token and anything other than "=" means we are now receiving the start of a new challenge. This is guaranteed because token68 may not contain "," and token (for a following auth-param) may not be empty. (The grammar would be unresolvably ambiguous otherwise.) > > (And if we don't get something, after whitespace elimination, which is either the end of the header field value or a token after the ",", then the value is invalid and should be rejected.) > > If that interpretation is correct, it would be helpful to state this clearly, rather than merely infer it. (And if that interpretation is not correct, clearly relying on inference alone is unreliable!) > > There is perhaps still the question of whether in the face of multiple WWW/Proxy-Authenticate headers, the implied "," separating their values according to #rule is still allowed to operate at both levels of the grammar, or only at the outermost (#challenge) level. > > Thanks > Ben > > -- Mark Nottingham http://www.mnot.net/
- WGLC p7: Parsing auth challenges Ben Niven-Jenkins
- Re: WGLC p7: Parsing auth challenges Mark Nottingham
- Re: WGLC p7: Parsing auth challenges Julian Reschke
- Re: WGLC p7: Parsing auth challenges John Sullivan
- Re: WGLC p7: Parsing auth challenges Julian Reschke
- #474, was: WGLC p7: Parsing auth challenges Julian Reschke