Re: [http-auth] Last Call: <draft-ietf-httpauth-basicauth-update-05.txt> (The 'Basic' HTTP Authentication Scheme) to Proposed Standard

Tony Hansen <tony@att.com> Tue, 10 February 2015 19:57 UTC

Message-ID: <54DA628E.6030702@att.com>
Date: Tue, 10 Feb 2015 14:57:02 -0500
From: Tony Hansen <tony@att.com>
To: ietf@ietf.org
Subject: Re: [http-auth] Last Call: <draft-ietf-httpauth-basicauth-update-05.txt> (The 'Basic' HTTP Authentication Scheme) to Proposed Standard
References: <20150205161049.4222.88369.idtracker@ietfa.amsl.com> <kdr7da51k6t581cdppljqvdnf6401cjb4o@hive.bjoern.hoehrmann.de> <54D462A6.1030709@gmx.de>
In-Reply-To: <54D462A6.1030709@gmx.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/Y6CZUKgAA8-ORFiWs8pEoOToMdw>
Cc: http-auth@ietf.org

On 2/6/15 1:43 AM, Julian Reschke wrote:
> On 2015-02-05 23:49, Bjoern Hoehrmann wrote:
>> * The IESG wrote:
>>> Abstract
>>>
>>>    This document defines the "Basic" Hypertext Transfer Protocol (HTTP)
>>>    Authentication Scheme, which transmits credentials as userid/password
>>>    pairs, obfuscated by the use of Base64 encoding.
>>
>> I do not think the use of Base64 is intended as obfuscation and it seems
>> misleading to me to describe it as such. (The Introduction has the same
>> problem).
>
> I think it was.

I thought the primary reason was so that the credentials would be able 
to contain arbitrary characters, potentially not otherwise representable 
within the surrounding protocol. It's an encoding scheme, not an 
obfuscation scheme.

     Tony Hansen
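
The following is an added example, not part of the original message or of the draft: a Python sketch of building and parsing a Basic credential, showing that Base64 lets a userid/password pair with non-ASCII characters, a colon and a double quote travel as printable ASCII in a header field, and that recovering the pair needs no key. The function names, the UTF-8 default and the sample credentials are assumptions made for illustration.

```python
import base64
import binascii


def encode_basic(user_id, password, charset="utf-8"):
    """Build the value of an Authorization header for the Basic scheme."""
    if ":" in user_id:
        # The first colon separates the two fields, so the user-id cannot hold one.
        raise ValueError("user-id must not contain ':'")
    raw = f"{user_id}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value, charset="utf-8"):
    """Recover (user_id, password) from a Basic Authorization header value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        # validate=True rejects characters outside the Base64 alphabet.
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed Base64 token") from exc
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError("credentials are not valid in the given charset") from exc
    # Split on the first colon only: the password may contain further colons.
    user_id, sep, password = text.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user_id, password


def is_header_safe(value):
    """True if value is printable ASCII and could sit in a header field as-is."""
    return all(0x20 <= ord(ch) < 0x7F for ch in value)


# Constructed sample: non-ASCII letters, a colon and a double quote in the password.
SAMPLE_USER = "tëst"
SAMPLE_PASS = 'p:ä"ss wörd'
SAMPLE_HEADER = encode_basic(SAMPLE_USER, SAMPLE_PASS)

if __name__ == "__main__":
    print(SAMPLE_HEADER)                # printable ASCII only
    print(decode_basic(SAMPLE_HEADER))  # original pair, recovered without any secret
```
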