Re: [http-auth] Last Call: <draft-ietf-httpauth-basicauth-update-05.txt> (The 'Basic' HTTP Authentication Scheme) to Proposed Standard

2015-02-06 01:59:05
* Julian Reschke wrote:
> On 2015-02-05 23:49, Bjoern Hoehrmann wrote:
>> * The IESG wrote:
>>> Abstract
>>>
>>>    This document defines the "Basic" Hypertext Transfer Protocol (HTTP)
>>>    Authentication Scheme, which transmits credentials as userid/password
>>>    pairs, obfuscated by the use of Base64 encoding.
>>
>> I do not think the use of Base64 is intended as obfuscation and it seems
>> misleading to me to describe it as such. (The Introduction has the same
>> problem).
>
> I think it was.

I would take it to mean, in this context, "make difficult to decode",
while it's more likely used to "deal with special characters". In any
case, if the idea is to note that Base64 is easily reversible, say that
instead of "obfuscated".

>> In the Introduction:
>>
>>>     The "Basic" scheme previously was defined in Section 2 of [RFC2617].
>>>     This document updates the definition, and also addresses
>>>     internationalization issues by introducing the "charset"
>>>     authentication parameter (Section 2.1).
>>
>> I think "updates" is the wrong word considering the document is intended
>> to "obsolete" RFC 2617.
>
> It does update the definition, no? Also: "Other documents updating RFC
> 2617 are "Hypertext Transfer Protocol (HTTP/1.1): Authentication"
> ([RFC7235], defining the authentication framework) and "HTTP Digest
> Access Authentication" ([DIGEST], updating the definition of the
> "Digest" authentication scheme). Taken together, these three documents
> obsolete RFC 2617."
>
>> A better word would be "replaces".
>
> That is true.
>
>>>     The original definition of this authentication scheme failed to
>>>     specify the character encoding scheme used to convert the user-pass
>>>     into an octet sequence.
>>
>> I think it would be more appropriate to say that it did not do so. That
>> wasn't a particular "failure", sending unlabeled 8bit (and 7bit) content
>> was normal at the time, in part because other system parts also did not
>> know or care about character encodings.
>
> It's a defect in that specification, no matter when it was written.

Regardless, I think "did not" would be better than "failed to".
-- 
Björn Höhrmann · mailto:bjoern(_at_)hoehrmann(_dot_)de · 
http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
 Available for hire in Berlin (early 2015)  · http://www.websitedev.de/ 
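The two technical points argued in this thread, that Base64 is trivially reversible rather than obfuscating and that the octets of the user-pass (and hence the Base64 token) depend on which character encoding the client applied, can be seen directly in code. The following is an added example, not code from the thread or from the draft; the sample userids and passwords are constructed.

```python
import base64
from typing import Tuple


def basic_credentials(userid: str, password: str, charset: str = "UTF-8") -> str:
    """Build the value of an "Authorization: Basic ..." header field.

    user-pass is userid ":" password, converted to octets with `charset`
    (the draft's "charset" parameter only ever announces UTF-8; ISO-8859-1
    is what many legacy implementations silently assumed).
    """
    if ":" in userid:
        raise ValueError("userid must not contain a colon")
    user_pass = f"{userid}:{password}".encode(charset)
    return "Basic " + base64.b64encode(user_pass).decode("ascii")


def decode_basic(header_value: str, charset: str = "UTF-8") -> Tuple[str, str]:
    """Recover userid and password from a Basic credential.

    Base64 carries no secret, so this needs no key: anyone who sees the
    header on the wire can do the same, which is why Basic only makes
    sense over TLS.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    octets = base64.b64decode(token, validate=True)
    userid, sep, password = octets.decode(charset).partition(":")
    if not sep:
        raise ValueError("user-pass is missing the ':' separator")
    return userid, password


def token_depends_on_charset(userid: str, password: str) -> bool:
    """True when UTF-8 and ISO-8859-1 yield different credentials.

    For pure ASCII user-pass the two agree; once a non-ASCII character
    appears the server can only decode correctly if it knows (or is told
    via the "charset" parameter) which encoding the client used.
    """
    utf8 = basic_credentials(userid, password, "UTF-8")
    latin1 = basic_credentials(userid, password, "ISO-8859-1")
    return utf8 != latin1
```

Decoding a UTF-8 credential as ISO-8859-1 does not fail; it quietly yields a different password, which is the interoperability defect the "charset" parameter addresses.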