draft-ietf-httpauth-basicauth-update-00.txt   draft-ietf-httpauth-basicauth-update-01.txt 
HTTPAuth Working Group J. Reschke HTTPAuth Working Group J. Reschke
Internet-Draft greenbytes Internet-Draft greenbytes
Updates: 2617 (if approved) September 13, 2013 Obsoletes: 2617 (if approved) July 4, 2014
Intended status: Standards Track Intended status: Standards Track
Expires: March 17, 2014 Expires: January 5, 2015
The 'Basic' HTTP Authentication Scheme The 'Basic' HTTP Authentication Scheme
draft-ietf-httpauth-basicauth-update-00 draft-ietf-httpauth-basicauth-update-01
Abstract Abstract
This document defines the "Basic" Hypertext Transfer Protocol (HTTP) This document defines the "Basic" Hypertext Transfer Protocol (HTTP)
Authentication Scheme. Authentication Scheme, which transmits credentials as userid/password
pairs, obfuscated by the use of Base64 encoding.
Editorial Note (To be removed by RFC Editor before publication) Editorial Note (To be removed by RFC Editor before publication)
Discussion of this draft takes place on the HTTPAuth working group Discussion of this draft takes place on the HTTPAuth working group
mailing list (http-auth@ietf.org), which is archived at <http:// mailing list (http-auth@ietf.org), which is archived at <http://
www.ietf.org/mail-archive/web/http-auth/current/maillist.html>. www.ietf.org/mail-archive/web/http-auth/current/maillist.html>.
XML versions, latest edits and the issues list for this document are XML versions, latest edits and the issues list for this document are
available from <http://greenbytes.de/tech/ available from <http://greenbytes.de/tech/
webdav/#draft-ietf-httpauth-basicauth-update>. webdav/#draft-ietf-httpauth-basicauth-update>.
The changes in this draft are summarized in Appendix A.1. The changes in this draft are summarized in Appendix C.2.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 17, 2014. This Internet-Draft will expire on January 5, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 29 skipping to change at page 3, line 7
modifications of such material outside the IETF Standards Process. modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Notational Conventions . . . . . . . . . . . . . . . . . . . . 3 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4
3. The 'Basic' Authentication Scheme . . . . . . . . . . . . . . . 3 1.1.1. Syntax Notation . . . . . . . . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . . 4 2. The 'Basic' Authentication Scheme . . . . . . . . . . . . . . 4
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 2.1. The 'charset' auth-param . . . . . . . . . . . . . . . . . 6
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 5 2.2. Re-using Credentials . . . . . . . . . . . . . . . . . . . 7
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Internationalization Considerations . . . . . . . . . . . . . 7
7.1. Normative References . . . . . . . . . . . . . . . . . . . 6 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8
7.2. Informative References . . . . . . . . . . . . . . . . . . 6 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
Appendix A. Change Log (to be removed by RFC Editor before 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9
publication) . . . . . . . . . . . . . . . . . . . . . 7 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
A.1. Since RFC 2617 . . . . . . . . . . . . . . . . . . . . . . 7 7.1. Normative References . . . . . . . . . . . . . . . . . . . 10
Appendix B. Open issues (to be removed by RFC Editor prior to 7.2. Informative References . . . . . . . . . . . . . . . . . . 10
publication) . . . . . . . . . . . . . . . . . . . . . 7 Appendix A. Changes from RFC 2617 . . . . . . . . . . . . . . . . 11
B.1. edit . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Appendix B. Deployment Considerations for the 'charset'
B.2. upd . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Parameter . . . . . . . . . . . . . . . . . . . . . . 11
B.3. enc . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 B.1. User Agents . . . . . . . . . . . . . . . . . . . . . . . 11
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 B.2. Origin Servers . . . . . . . . . . . . . . . . . . . . . . 11
B.3. Why not simply switch the default encoding to UTF-8? . . . 12
Appendix C. Change Log (to be removed by RFC Editor before
publication) . . . . . . . . . . . . . . . . . . . . 12
C.1. Since RFC 2617 . . . . . . . . . . . . . . . . . . . . . . 12
C.2. Since draft-ietf-httpauth-basicauth-update-00 . . . . . . 12
Appendix D. Open issues (to be removed by RFC Editor prior to
publication) . . . . . . . . . . . . . . . . . . . . 13
D.1. colon . . . . . . . . . . . . . . . . . . . . . . . . . . 13
D.2. depth . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
This document defines the "Basic" Hypertext Transfer Protocol (HTTP) This document defines the "Basic" Hypertext Transfer Protocol (HTTP)
Authentication Scheme ([draft-ietf-httpbis-p7-auth]). This scheme is Authentication Scheme ([RFC7235]), which transmits credentials as
not considered to be a secure method of user authentication unless userid/password pairs, obfuscated by the use of Base64 encoding.
used in conjunction with some external secure system such as TLS
(Transport Layer Security, [RFC5246]), as the user name and password This scheme is not considered to be a secure method of user
are passed over the network as cleartext. authentication unless used in conjunction with some external secure
system such as TLS (Transport Layer Security, [RFC5246]), as the user
name and password are passed over the network as cleartext.
The "Basic" scheme previously was defined in Section 2 of [RFC2617]. The "Basic" scheme previously was defined in Section 2 of [RFC2617].
This document updates the definition, and also addresses This document updates the definition, and also addresses
internationalization issues. internationalization issues by introducing the "charset"
authentication parameter (Section 2.1).
Other documents updating RFC 2617 are "Hypertext Transfer Protocol Other documents updating RFC 2617 are "Hypertext Transfer Protocol
(HTTP/1.1): Authentication" ([draft-ietf-httpbis-p7-auth], defining (HTTP/1.1): Authentication" ([RFC7235], defining the authentication
the authentication framework) and "HTTP Digest Update" framework) and "HTTP Digest Access Authentication" ([DIGEST],
([draft-ietf-httpauth-digest-update], updating the definition of the updating the definition of the '"Digest" authentication scheme).
'"Digest" authentication scheme). Taken together, these three documents obsolete RFC 2617.
2. Notational Conventions 1.1. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. The 'Basic' Authentication Scheme 1.1.1. Syntax Notation
The "basic" authentication scheme is based on the model that the This specification uses the Augmented Backus-Naur Form (ABNF)
client must authenticate itself with a user-ID and a password for notation of [RFC5234].
each realm. The realm value should be considered an opaque string
The terms protection space and realm are defined in Section 2.2 of
[RFC7235].
The terms (character) repertoire and character encoding scheme are
defined in Section 2 of [RFC6365].
2. The 'Basic' Authentication Scheme
The "Basic" authentication scheme is based on the model that the
client needs to authenticate itself with a user-ID and a password for
each protection space ("realm"). The realm value is an opaque string
which can only be compared for equality with other realms on that which can only be compared for equality with other realms on that
server. The server will service the request only if it can validate server. The server will service the request only if it can validate
the user-ID and password for the protection space of the Request-URI. the user-ID and password for the protection space applying to the
There are no optional authentication parameters. requested resource.
For Basic, the framework above is utilized as follows: The "Basic" authentication scheme utilizes the Authentication
Framework as follows:
challenge = "Basic" realm In challenges:
credentials = "Basic" basic-credentials
Upon receipt of an unauthorized request for a URI within the o the scheme name is "Basic"
protection space, the origin server MAY respond with a challenge like
the following: o the authentication parameter "realm" is REQUIRED ([RFC7235],
Section 2.2)
o the authentication parameter "charset" is OPTIONAL (see
Section 2.1)
o no other authentication parameters are defined -- unknown
parameters MUST be ignored by recipients, and new parameters can
only be defined by revising this specification
Note that both scheme and parameter names are matched case-
insensitively.
For credentials, the "token-68" syntax defined in Section 2.2 of
[RFC7235] is used. The value is computed based on user-id and
password as defined below.
Upon receipt of a request for a URI within the protection space that
lacks credentials, the server can reply with a challenge using the
401 (Unauthorized) status code ([RFC7235], Section 3.1) and the WWW-
Authenticate header field ([RFC7235], Section 4.1).
For instance:
HTTP/1.1 401 Unauthorized
Date: Mon, 04 Feb 2014 16:50:53 GMT
WWW-Authenticate: Basic realm="WallyWorld" WWW-Authenticate: Basic realm="WallyWorld"
where "WallyWorld" is the string assigned by the server to identify ...where "WallyWorld" is the string assigned by the server to
the protection space of the Request-URI. A proxy may respond with identify the protection space.
the same challenge using the Proxy-Authenticate header field.
A proxy can respond with a similar challenge using the 407 (Proxy
Authentication Required) status code ([RFC7235], Section 3.2) and the
Proxy-Authenticate header field ([RFC7235], Section 4.3).
To receive authorization, the client sends the userid and password, To receive authorization, the client sends the userid and password,
separated by a single colon (":") character, within a base64 separated by a single colon (":") character, within a base64 encoded
[RFC2396] encoded string in the credentials. string as the credentials value ([RFC4648], Section 4).
basic-credentials = base64-user-pass basic-credentials = base64-user-pass
base64-user-pass = <base64 [RFC2045] encoding of user-pass, base64-user-pass = <base64 encoded user-pass>
except not limited to 76 char/line> ; [RFC4648] encoding of user-pass,
user-pass = userid ":" password ; except not limited to 76 char/line
userid = *<TEXT excluding ":">
password = *TEXT
Userids might be case sensitive. user-pass = userid ":" password
userid = *<TEXT excluding ":">
password = *TEXT
In this definition, userid and password represent sequences of
octets, not characters. The original definition of this
authentication scheme did not define which character encoding scheme
is used to convert from characters (such as obtained from a user
interface), resulting in interoperability problems for all characters
outside the US-ASCII character repertoire ([USASCII]). Section 2.1
defines a new authentication parameter that can be used by servers to
indicate the encoding scheme they expect to be used.
If the user agent wishes to send the userid "Aladdin" and password If the user agent wishes to send the userid "Aladdin" and password
"open sesame", it would use the following header field: "open sesame", it would use the following header field:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
2.1. The 'charset' auth-param
In challenges, servers can use the "charset" authentication parameter
to indicate the character encoding scheme they expect the user agent
to use when generating "user-pass" (a sequence of octets). This
information is purely advisory.
The only allowed value is "UTF-8", to be matched case-insensitively
(see [RFC2978], Section 2.3). It indicates that the server expects
character data to be converted to Unicode Normalization Form C
("NFC", see Section 3 of [RFC5198]) and to be encoded into octets
using the UTF-8 character encoding scheme ([RFC3629]).
Other values are reserved for future use.
Note: The 'charset' is only defined on challenges, as "Basic" uses
a single token for credentials ('token68' syntax), thus the
credentials syntax isn't extensible.
Note: The name 'charset' has been chosen for consistency with
Section 2.1.1 of [RFC2831]. A better name would have been
'accept-charset', as it is not about the message it appears in,
but the server's expectation.
In the example below, the server prompts for authentication in the
"foo" realm, using Basic authentication, with a preference for the
UTF-8 character encoding scheme:
WWW-Authenticate: Basic realm="foo", charset="UTF-8"
Note that the parameter value can be either a token or a quoted
string; in this case the server chose to use the quoted-string
notation.
The user's name is "test", and the password is the string "123"
followed by the Unicode character U+00A3 (POUND SIGN). Using the
character encoding scheme UTF-8, the user-pass becomes:
't' 'e' 's' 't' ':' '1' '2' '3' pound
74 65 73 74 3A 31 32 33 C2 A3
Encoding this octet sequence in Base64 ([RFC4648], Section 4) yields:
dGVzdDoxMjPCow==
Thus the Authorization header field would be:
Authorization: Basic dGVzdDoxMjPCow==
Or, for proxy authentication:
Proxy-Authorization: Basic dGVzdDoxMjPCow==
2.2. Re-using Credentials
A client SHOULD assume that all paths at or deeper than the depth of A client SHOULD assume that all paths at or deeper than the depth of
the last symbolic element in the path field of the Request-URI also the last symbolic element in the path field of the Request-URI also
are within the protection space specified by the Basic realm value of are within the protection space specified by the realm value of the
the current challenge. A client MAY preemptively send the current challenge.
corresponding Authorization header with requests for resources in
that space without receipt of another challenge from the server. A client MAY preemptively send the corresponding Authorization header
Similarly, when a client sends a request to a proxy, it may reuse a field with requests for resources in that space without receipt of
userid and password in the Proxy-Authorization header field without another challenge from the server. Similarly, when a client sends a
receiving another challenge from the proxy server. See Section 4 for request to a proxy, it may reuse a userid and password in the Proxy-
security considerations associated with Basic authentication. Authorization header field without receiving another challenge from
the proxy server.
3. Internationalization Considerations
User names or passwords containing characters outside the US-ASCII
character repertoire will cause interoperability issues, unless both
communication partners agree on what character encoding scheme is to
be used. Senders can use the new 'charset' parameter (Section 2.1)
to indicate a preference of "UTF-8", increasing the probability that
clients will switch to that encoding.
The "realm" parameter carries data that can be considered textual,
however [RFC7235] does not define a way to reliably transport non-US-
ASCII characters. This is a known issue that would need to be
addressed in that specification.
4. Security Considerations 4. Security Considerations
The Basic authentication scheme is not a secure method of user The Basic authentication scheme is not a secure method of user
authentication, nor does it in any way protect the entity, which is authentication, nor does it in any way protect the entity, which is
transmitted in cleartext across the physical network used as the transmitted in cleartext across the physical network used as the
carrier. HTTP does not prevent the addition of enhancements (such as carrier. HTTP does not prevent the addition of enhancements (such as
schemes to use one-time passwords) to Basic authentication. schemes to use one-time passwords) to Basic authentication.
The most serious flaw in Basic authentication is that it results in The most serious flaw in Basic authentication is that it results in
skipping to change at page 5, line 40 skipping to change at page 9, line 17
attacker can request a password, store it for later use, and feign an attacker can request a password, store it for later use, and feign an
error. This type of attack is not possible with Digest error. This type of attack is not possible with Digest
Authentication. Server implementers SHOULD guard against the Authentication. Server implementers SHOULD guard against the
possibility of this sort of counterfeiting by gateways or CGI possibility of this sort of counterfeiting by gateways or CGI
scripts. In particular it is very dangerous for a server to simply scripts. In particular it is very dangerous for a server to simply
turn over a connection to a gateway. That gateway can then use the turn over a connection to a gateway. That gateway can then use the
persistent connection mechanism to engage in multiple transactions persistent connection mechanism to engage in multiple transactions
with the client while impersonating the original server in a way that with the client while impersonating the original server in a way that
is not detectable by the client. is not detectable by the client.
The use of the UTF-8 character encoding scheme introduces additional
security considerations; see Section 10 of [RFC3629] for more
information.
5. IANA Considerations 5. IANA Considerations
IANA maintains the registry of HTTP Authentication Schemes IANA maintains the registry of HTTP Authentication Schemes
([draft-ietf-httpbis-p7-auth]) at ([RFC7235]) at <http://www.iana.org/assignments/http-authschemes>.
<http://www.iana.org/assignments/http-authschemes>.
The entry for the "Basic" Authentication Scheme shall be updated with The entry for the "Basic" Authentication Scheme shall be updated with
a pointer to this specification. a pointer to this specification.
6. Acknowledgements 6. Acknowledgements
This specification takes over the definition of the "Basic" HTTP This specification takes over the definition of the "Basic" HTTP
Authentication Scheme, previously defined in RFC 2617. We thank John Authentication Scheme, previously defined in RFC 2617. We thank John
Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D. Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D.
Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for
their work on that specification, from which significant amounts of their work on that specification, from which significant amounts of
text was borrowed. See Section 6 of [RFC2617] for further text were borrowed. See Section 6 of [RFC2617] for further
acknowledgements. acknowledgements.
7. References The internationalization problem with respect to the character
encoding scheme used for user-pass has been reported as a Mozilla bug
back in the year 2000 (see
<https://bugzilla.mozilla.org/show_bug.cgi?id=41489> and also the
more recent <https://bugzilla.mozilla.org/show_bug.cgi?id=656213>).
It was Andrew Clover's idea to address it using a new auth-param.
We also thank the members of the HTTPAuth Working Group, namely
Stephen Farrell, Bjoern Hoehrmann, Amos Jeffries, James Manger, Yaron
Sheffer, Michael Sweet, and Martin Thomson for feedback on this
revision.
7. References
7.1. Normative References 7.1. Normative References
[RFC2045] Freed, N. and N. Borenstein, [DIGEST] Shekh-Yusef, R., Ed., Ahrens, D., and S. Bremer, "HTTP
"Multipurpose Internet Mail Digest Access Authentication",
Extensions (MIME) Part One: draft-ietf-httpauth-digest-07 (work in progress),
Format of Internet Message April 2014.
Bodies", RFC 2045,
November 1996.
[RFC2119] Bradner, S., "Key words for use [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
in RFCs to Indicate Requirement Requirement Levels", BCP 14, RFC 2119, March 1997.
Levels", BCP 14, RFC 2119,
March 1997.
[RFC2396] Berners-Lee, T., Fielding, R., [RFC2978] Freed, N. and J. Postel, "IANA Charset Registration
and L. Masinter, "Uniform Procedures", BCP 19, RFC 2978, October 2000.
Resource Identifiers (URI):
Generic Syntax", RFC 2396,
August 1998.
[draft-ietf-httpbis-p7-auth] Fielding, R., Ed. and J. [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
Reschke, Ed., "Hypertext 10646", STD 63, RFC 3629, November 2003.
Transfer Protocol (HTTP/1.1):
Authentication", [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
draft-ietf-httpbis-p7-auth-23 Encodings", RFC 4648, October 2006.
(work in progress), July 2013.
[RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for
Network Interchange", RFC 5198, March 2008.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for
Syntax Specifications: ABNF", STD 68, RFC 5234,
January 2008.
[RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in
Internationalization in the IETF", BCP 166, RFC 6365,
September 2011.
[RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext
Transfer Protocol (HTTP/1.1): Authentication",
RFC 7235, June 2014.
[USASCII] American National Standards Institute, "Coded Character
Set -- 7-bit American Standard Code for Information
Interchange", ANSI X3.4, 1986.
7.2. Informative References 7.2. Informative References
[RFC2617] Franks, J., Hallam-Baker, P., [ISO-8859-1] International Organization for Standardization,
Hostetler, J., Lawrence, S., "Information technology -- 8-bit single-byte coded
Leach, P., Luotonen, A., and L. graphic character sets -- Part 1: Latin alphabet No.
Stewart, "HTTP Authentication: 1", ISO/IEC 8859-1:1998, 1998.
Basic and Digest Access
Authentication", RFC 2617,
June 1999.
[RFC5246] Dierks, T. and E. Rescorla, "The [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence,
Transport Layer Security (TLS) S., Leach, P., Luotonen, A., and L. Stewart, "HTTP
Protocol Version 1.2", RFC 5246, Authentication: Basic and Digest Access
August 2008. Authentication", RFC 2617, June 1999.
[draft-ietf-httpauth-digest-update] Shekh-Yusef, R. and D. Ahrens, [RFC2831] Leach, P. and C. Newman, "Using Digest Authentication
"HTTP Digest Update", draft- as a SASL Mechanism", RFC 2831, May 2000.
ietf-httpauth-digest-update-05
(work in progress),
September 2013.
Appendix A. Change Log (to be removed by RFC Editor before publication) [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer
Security (TLS) Protocol Version 1.2", RFC 5246,
August 2008.
A.1. Since RFC 2617 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext
Transfer Protocol (HTTP/1.1): Semantics and Content",
RFC 7231, June 2014.
Appendix A. Changes from RFC 2617
The scheme definition has been rewritten to be consistent with newer
specifications such as [RFC7235].
The new authentication parameter "charset" has been added. It is
purely advisory, so existing implementations do not need to change,
unless they want to take advantage of the additional information
which previously wasn't available.
Appendix B. Deployment Considerations for the 'charset' Parameter
B.1. User Agents
User agents not implementing 'charset' will continue to work as
before, ignoring the new parameter.
User agents which already default to the UTF-8 encoding implement
'charset' by definition.
Other user agents can keep their default behavior, and switch to
UTF-8 when seeing the new parameter.
B.2. Origin Servers
Origin servers that do not support non-US-ASCII characters in
credentials do not require any changes to support 'charset'.
Origin servers that need to support non-US-ASCII characters, but
cannot use the UTF-8 character encoding scheme will not be affected;
they will continue to function as well or as badly as before.
Finally, origin servers that need to support non-US-ASCII characters
and can use the UTF-8 character encoding scheme can opt in as
described above. In the worst case, they'll continue to see either
broken credentials or no credentials at all (depending on how legacy
clients handle characters they can not encode).
B.3. Why not simply switch the default encoding to UTF-8?
There are sites in use today that default to a local character
encoding scheme, such as ISO-8859-1 ([ISO-8859-1]), and expect user
agents to use that encoding. Authentication on these sites will stop
to work if the user agent switches to a different encoding, such as
UTF-8.
Note that sites might even inspect the User-Agent header field
([RFC7231], Section 5.5.3) to decide what character encoding scheme
to expect from the client. Therefore they might support UTF-8 for
some user agents, but default to something else for others. User
agents in the latter group will have to continue to do what they do
today until the majority of these servers have been upgraded to
always use UTF-8.
Appendix C. Change Log (to be removed by RFC Editor before publication)
C.1. Since RFC 2617
This draft acts as a baseline for tracking subsequent changes to the This draft acts as a baseline for tracking subsequent changes to the
specification. As such, it extracts the definition of "Basic", plus specification. As such, it extracts the definition of "Basic", plus
the related Security Considerations, and also adds the IANA the related Security Considerations, and also adds the IANA
registration of the scheme. Changes to the actual definition will be registration of the scheme. Changes to the actual definition will be
made in subsequent drafts. made in subsequent drafts.
Appendix B. Open issues (to be removed by RFC Editor prior to C.2. Since draft-ietf-httpauth-basicauth-update-00
publication)
B.1. edit Fixed Base64 reference to point to an actual definition of Base64.
Type: edit Update HTTPbis and Digest references.
julian.reschke@greenbytes.de (2013-09-11): Umbrella issue for Note that this spec, together with HTTPbis P7 and the Digest update,
editorial fixes/enhancements. obsoletes RFC 2617.
B.2. upd Rewrote text about authentication parameters and their extensibility.
In Section 3: Pulled in the definition of the "charset" parameter.
Removed a misleading statement about userids potentially being case-
sensitive, as the same is true for passwords.
Added TODOs with respect to path matching, and colons in userids.
Appendix D. Open issues (to be removed by RFC Editor prior to
publication)
D.1. colon
In Section 2:
Type: change Type: change
julian.reschke@greenbytes.de (2013-09-12): Update the definition to julian.reschke@greenbytes.de (2014-07-03): Clients happily accept
reflect underlying changes (RFC2616->httpbis, RFC2396->2616, other colons in userids and just go on with the concatentation. Do we need
references). to say something about this?
B.3. enc D.2. depth
In Section 3: In Section 2.2:
Type: change Type: change
julian.reschke@greenbytes.de (2013-09-12): Fix the encoding issue, by julian.reschke@greenbytes.de (2014-07-03): This needs to be rewritten
pulling in draft-ietf-httpauth-basicauth-enc. in terms of effective request URI and terminology from RFC 3986.
Index Index
B B
base64-user-pass 4 base64-user-pass 6
basic-credentials 4 basic-credentials 6
C
challenge 3
credentials 3
P P
password 4 password 6
U U
user-pass 4 user-pass 6
userid 4 userid 6
Author's Address Author's Address
Julian F. Reschke Julian F. Reschke
greenbytes GmbH greenbytes GmbH
Hafenweg 16 Hafenweg 16
Muenster, NW 48155 Muenster, NW 48155
Germany Germany
EMail: julian.reschke@greenbytes.de EMail: julian.reschke@greenbytes.de
 End of changes. 52 change blocks. 
134 lines changed or deleted 353 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/