Re: ignoring unknown parameters, Re: [http-auth] Last Call: <draft-ietf-httpauth-basicauth-update-05.txt> (The 'Basic' HTTP Authentication Scheme) to Proposed Standard

Bjoern Hoehrmann <derhoermi@gmx.net> Tue, 10 February 2015 21:00 UTC

From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Julian Reschke <julian.reschke@greenbytes.de>
Subject: Re: ignoring unknown parameters, Re: [http-auth] Last Call: <draft-ietf-httpauth-basicauth-update-05.txt> (The 'Basic' HTTP Authentication Scheme) to Proposed Standard
Date: Tue, 10 Feb 2015 22:00:44 +0100
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/1jDqxGCsGvRnM2fGmU5fb8CYulI>
Cc: http-auth@ietf.org, ietf@ietf.org

* Julian Reschke wrote:
>On 2015-02-06 07:43, Julian Reschke wrote:
>> ...
>>> There should be an example for "no other authentication parameters are
>>> defined -- unknown parameters MUST be ignored by recipients", otherwise
>>> such extension points are too easily missed by implementers.
>>
>> <http://greenbytes.de/tech/tc/httpauth/#simplebasicnewparam2> shows that
>> UAs seem to get at least this correct. I'll think about it.
>
>OK. In my tests I don't see anybody getting *that* wrong, and the new 
>text already is much clearer than RFC 2617 ever was.
>
>Thus I don't think we need an example here. Also note that the real 
>challenge (pun intended) is to parse multiple challenges properly; this 
>is something many UAs *do* get wrong despite the prose in both RFC 2617 
>and RFC 7235.

You cannot really test future implementations. I will survive without an
example, but I think it is a bad practice to omit examples demonstrating
extension mechanisms like this one.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
 Available for hire in Berlin (early 2015)  · http://www.websitedev.de/
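
Added example (not part of the message above or of the draft): a sketch of a WWW-Authenticate parser that handles the two points discussed in this thread, splitting multiple challenges in one header value and ignoring unknown parameters on a 'Basic' challenge. The function names, the "Newauth" scheme and the "foo" parameter are assumptions made for illustration; the grammar follows RFC 7235.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-param = token BWS "=" BWS ( token / quoted-string )   (RFC 7235)
PARAM = re.compile(rf'({TOKEN})[ \t]*=[ \t]*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))')
SCHEME = re.compile(rf'({TOKEN})(?:[ \t]+|(?=,)|$)')
TOKEN68 = re.compile(r'([A-Za-z0-9\-._~+/]+=*)[ \t]*(?=,|$)')
SEP = re.compile(r'[ \t]*(?:,[ \t]*)*')   # commas separate params AND challenges

def parse_challenges(header):
    """Return [(scheme, params_dict_or_token68_str), ...] for one header value."""
    out, pos = [], SEP.match(header).end()
    while pos < len(header):
        m = PARAM.match(header, pos)
        if m:  # name=value belongs to the challenge currently being read
            if not out or not isinstance(out[-1][1], dict):
                raise ValueError(f"parameter without a challenge at offset {pos}")
            name, quoted, tok = m.groups()
            value = re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else tok
            out[-1][1].setdefault(name.lower(), value)  # names are case-insensitive
            pos = m.end()
        else:  # anything else must start a new challenge
            m = SCHEME.match(header, pos)
            if not m:
                raise ValueError(f"malformed challenge at offset {pos}")
            pos = m.end()
            t68 = None if PARAM.match(header, pos) else TOKEN68.match(header, pos)
            out.append((m.group(1), t68.group(1) if t68 else {}))
            pos = t68.end() if t68 else pos
        pos = SEP.match(header, pos).end()
    return out

def basic_challenge(header):
    """Pick the Basic challenge; keep only parameters this client understands."""
    for scheme, params in parse_challenges(header):
        if scheme.lower() == "basic" and isinstance(params, dict) and "realm" in params:
            known = {k: v for k, v in params.items() if k in ("realm", "charset")}
            return known  # unknown parameters are ignored, not treated as errors
    return None

# Constructed sample: two challenges, a quoted comma, and a hypothetical "foo" parameter.
SAMPLE = 'Newauth realm="apps", type=1, Basic realm="a, b", foo="bar", charset="UTF-8"'
```

A client that splits the header on every comma would cut the realm "a, b" in two and misattribute the parameters that follow; a client that rejects the Basic challenge because of "foo" would break as soon as a new parameter is deployed.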