Re: [http-auth] Last Call: <draft-ietf-httpauth-basicauth-update-05.txt> (The 'Basic' HTTP Authentication Scheme) to Proposed Standard

Bjoern Hoehrmann <derhoermi@gmx.net> Fri, 06 February 2015 07:58 UTC

Return-Path: <derhoermi@gmx.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACEEB1A1A4B; Thu, 5 Feb 2015 23:58:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iWizcNACli-c; Thu, 5 Feb 2015 23:58:41 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4CEF1A017C; Thu, 5 Feb 2015 23:58:40 -0800 (PST)
Received: from netb ([89.204.135.27]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0M0tr1-1XUqXL0mw3-00v88Y; Fri, 06 Feb 2015 08:58:39 +0100
From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Julian Reschke <julian.reschke@gmx.de>
Subject: Re: [http-auth] Last Call: <draft-ietf-httpauth-basicauth-update-05.txt> (The 'Basic' HTTP Authentication Scheme) to Proposed Standard
Date: Fri, 06 Feb 2015 08:58:37 +0100
Message-ID: <q4s8daho8nhkvk4albujtlclb5go1tpn9v@hive.bjoern.hoehrmann.de>
References: <20150205161049.4222.88369.idtracker@ietfa.amsl.com> <kdr7da51k6t581cdppljqvdnf6401cjb4o@hive.bjoern.hoehrmann.de> <54D462A6.1030709@gmx.de>
In-Reply-To: <54D462A6.1030709@gmx.de>
X-Mailer: Forte Agent 3.3/32.846
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K0:DBmHZBLJJxMyzyfibu1ex7RZKbumZzq7VDqNUWEzYZGRlliXVY0 6v57+eSE7KuqwIfjJJOc11G5sQuh4UyDVItStwZM7J4q5k0O6TSTKeEIttNkgaIsKvStt0W welIkbbmXK+5YEDzPF9atmUXhWRnsE1SCrfPZ1pIxXi7hqd3kuy+iLIWeWO58jr6yMg+hpL HGPVIiUKh8R7GMl+IOZ4w==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/dPnfl9GJEahE-XMUPRdJ2fx2Nb4>
Cc: http-auth@ietf.org, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Feb 2015 07:58:42 -0000

* Julian Reschke wrote:
>On 2015-02-05 23:49, Bjoern Hoehrmann wrote:
>> * The IESG wrote:
>>> Abstract
>>>
>>>    This document defines the "Basic" Hypertext Transfer Protocol (HTTP)
>>>    Authentication Scheme, which transmits credentials as userid/password
>>>    pairs, obfuscated by the use of Base64 encoding.
>>
>> I do not think the use of Base64 is intended as obfuscation and it seems
>> misleading to me to describe it as such. (The Introduction has the same
>> problem).
>
>I think it was.

I would take it to mean, in this context, "make difficult to decode",
while it's more likely used to "deal with special characters". In any
case, if the idea is to note that Base64 is easily reversible, say that
instead of "obfuscated".

>> In the Introduction:
>>
>>     The "Basic" scheme previously was defined in Section 2 of [RFC2617].
>>     This document updates the definition, and also addresses
>>     internationalization issues by introducing the "charset"
>>     authentication parameter (Section 2.1).
>>
>> I think "updates" is the wrong word considering the document is intended
>> to "obsolete" RFC 2617.
>
>It does update the definition, no? Also: "Other documents updating RFC 
>2617 are "Hypertext Transfer Protocol (HTTP/1.1): Authentication" 
>([RFC7235], defining the authentication framework) and "HTTP Digest 
>Access Authentication" ([DIGEST], updating the definition of the 
>'"Digest" authentication scheme). Taken together, these three documents 
>obsolete RFC 2617."

A better word would be "replaces".

>That is true.
>
>>     The original definition of this authentication scheme failed to
>>     specify the character encoding scheme used to convert the user-pass
>>     into an octet sequence.
>>
>> I think it would be more appropriate to say that it did not do so. That
>> wasn't a particular "failure", sending unlabeled 8bit (and 7bit) content
>> was normal at the time, in part because other system parts also did not
>> know or care about character encodings.
>
>It's a defect in that specification, no matter when it was written.

Regardless, I think "did not" would be better than "failed to".
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
 Available for hire in Berlin (early 2015)  · http://www.websitedev.de/