Re: [http-auth] Last Call: <draft-ietf-httpauth-basicauth-update-05.txt> (The 'Basic' HTTP Authentication Scheme) to Proposed Standard

Barry Leiba <barryleiba@computer.org> Fri, 06 February 2015 16:42 UTC

Return-Path: <barryleiba.mailing.lists@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03CAC1A6FCF; Fri, 6 Feb 2015 08:42:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3lXivMDTgP3E; Fri, 6 Feb 2015 08:41:58 -0800 (PST)
Received: from mail-qc0-x22a.google.com (mail-qc0-x22a.google.com [IPv6:2607:f8b0:400d:c01::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98E7D1A6FD5; Fri, 6 Feb 2015 08:41:58 -0800 (PST)
Received: by mail-qc0-f170.google.com with SMTP id p6so12727728qcv.1; Fri, 06 Feb 2015 08:41:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=+ovdfblj2QVDwYLSFJrQFLrEcHOQfzGHbl7FY+dPc7U=; b=T2j7Dcck09maykiTfJQqAds5sR8V0gsxpL90qvNyQXMkGCTKqlJ34Q2BSl1nbnG2wV EXZQequhE5Nr8w4sSYVdraw9nv1At2rkCIppfU4wbnfELrGMaCuKcVW+jVieV2FnJXha vPJcwP5d6xBNTnGcx3DoxVCBCuWedncmIhdryCGRNHF4Q8HNkb+BPbS2FxB2EyWtLnhS qKajwB1CZ0SE39eclGEoTDwpWS7srp5RG2L+QbC1fLs7AnbR1YkwEmCDwx6GcpLcn19C W9aHkNTjLebgY+RXYxBeYIK3lvo0v9XqCJKOoXgWM4wW+spNp5+LTg69/UGGsV3nKQBB +T+Q==
MIME-Version: 1.0
X-Received: by 10.224.30.145 with SMTP id u17mr10069843qac.46.1423240917749; Fri, 06 Feb 2015 08:41:57 -0800 (PST)
Sender: barryleiba.mailing.lists@gmail.com
Received: by 10.140.39.163 with HTTP; Fri, 6 Feb 2015 08:41:57 -0800 (PST)
In-Reply-To: <q4s8daho8nhkvk4albujtlclb5go1tpn9v@hive.bjoern.hoehrmann.de>
References: <20150205161049.4222.88369.idtracker@ietfa.amsl.com> <kdr7da51k6t581cdppljqvdnf6401cjb4o@hive.bjoern.hoehrmann.de> <54D462A6.1030709@gmx.de> <q4s8daho8nhkvk4albujtlclb5go1tpn9v@hive.bjoern.hoehrmann.de>
Date: Fri, 6 Feb 2015 11:41:57 -0500
X-Google-Sender-Auth: nHQ4Rz27_DEqnsZGPNUPZ4dwV_8
Message-ID: <CAC4RtVArUYjYkwvkzVSLe4za2zgXK4_Uh+GP=--vR+AD5U622A@mail.gmail.com>
Subject: Re: [http-auth] Last Call: <draft-ietf-httpauth-basicauth-update-05.txt> (The 'Basic' HTTP Authentication Scheme) to Proposed Standard
From: Barry Leiba <barryleiba@computer.org>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/x2zli1ETffQvF9WTh4BFAMomkRA>
Cc: Julian Reschke <julian.reschke@gmx.de>, http-auth@ietf.org, IETF discussion list <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Feb 2015 16:42:00 -0000

On the "obfuscation" point:

>>> I do not think the use of Base64 is intended as obfuscation and it seems
>>> misleading to me to describe it as such. (The Introduction has the same
>>> problem).
>>
>> I think it was.
>
> I would take it to mean, in this context, "make difficult to decode",
> while it's more likely used to "deal with special characters". In any
> case, if the idea is to note that Base64 is easily reversible, say that
> instead of "obfuscated".

Obfuscation doesn't have to be hard to decode.  The point is that one
reason base64 was used was to make it so usernames and passwords don't
appear clearly in datastreams and log files.  If you know where to
find them, they're trivial to decode, of course.  But you can't just
scan the data and say, "Ah, look, there's a username and password."

Barry
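The point above, that Basic credentials are trivially reversible if you know where to look, is the reason defenders scan stored logs for them. The following Python is an added illustration, not code from this thread or from the draft: it encodes and decodes Basic credentials (splitting only on the first colon, so passwords containing colons survive the round trip), rejects malformed tokens, and runs a small scanner over constructed access-log lines to report which users' credentials were recorded and to redact the tokens before the log is kept. The function names and the sample log lines are assumptions made for this example.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Hypothetical helper names; the log lines further down are constructed
# for this example and do not come from any real server.


def encode_basic(user: str, password: str) -> str:
    """Build the Authorization header value for the Basic scheme:
    base64 of "user:password". The user-id must not contain a colon,
    because the first colon is what separates the two fields."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Reverse the encoding. Returns (user, password), or None when the
    value is not a well-formed Basic credential. Only the first colon
    splits the fields, so a password containing ':' round-trips."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None  # not base64 at all, or bad padding
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if ":" not in text:
        return None
    user, password = text.split(":", 1)
    return user, password


# Locates a Basic token wherever it appears in a log line.
BASIC_TOKEN = re.compile(r"\bBasic\s+([A-Za-z0-9+/]+=*)")


def find_basic_credentials(log_text: str) -> List[Tuple[int, str]]:
    """Scan log text for Basic credentials and return (line_number, user)
    for each token that decodes; the password is deliberately not returned."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in BASIC_TOKEN.finditer(line):
            decoded = decode_basic("Basic " + match.group(1))
            if decoded is not None:
                hits.append((lineno, decoded[0]))
    return hits


def redact_basic(log_text: str) -> str:
    """Replace every Basic token with a placeholder so the credentials
    do not persist in stored logs."""
    return BASIC_TOKEN.sub("Basic [REDACTED]", log_text)


# Constructed sample: an access log that (unwisely) recorded the
# Authorization header. Line 3 carries a malformed token on purpose.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [06/Feb/2015:16:41:57 +0000] "GET /private HTTP/1.1" 200 '
    '"Authorization: ' + encode_basic("alice", "s3cret:with:colons") + '"',
    '10.0.0.6 - - [06/Feb/2015:16:42:01 +0000] "GET /index.html HTTP/1.1" 200 "-"',
    '10.0.0.7 - - [06/Feb/2015:16:42:03 +0000] "GET /private HTTP/1.1" 401 '
    '"Authorization: Basic not-base64!"',
])

if __name__ == "__main__":
    for lineno, user in find_basic_credentials(SAMPLE_LOG):
        print(f"line {lineno}: Basic credential for user {user!r}")
    print(redact_basic(SAMPLE_LOG))
```

Running it reports only line 1 (user `alice`); the malformed token on line 3 is skipped by the decoder, and `redact_basic` strips the real token so the stored copy of the log no longer contains the password.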