draft-ietf-httpauth-basicauth-update-05.txt   draft-ietf-httpauth-basicauth-update-06.txt 
HTTPAuth Working Group J. Reschke HTTPAuth Working Group J. Reschke
Internet-Draft greenbytes Internet-Draft greenbytes
Obsoletes: 2617 (if approved) January 16, 2015 Obsoletes: 2617 (if approved) February 12, 2015
Intended status: Standards Track Intended status: Standards Track
Expires: July 20, 2015 Expires: August 16, 2015
The 'Basic' HTTP Authentication Scheme The 'Basic' HTTP Authentication Scheme
draft-ietf-httpauth-basicauth-update-05 draft-ietf-httpauth-basicauth-update-06
Abstract Abstract
This document defines the "Basic" Hypertext Transfer Protocol (HTTP) This document defines the "Basic" Hypertext Transfer Protocol (HTTP)
Authentication Scheme, which transmits credentials as userid/password Authentication Scheme, which transmits credentials as user-id/
pairs, obfuscated by the use of Base64 encoding. password pairs, encoded using Base64.
Editorial Note (To be removed by RFC Editor before publication) Editorial Note (To be removed by RFC Editor before publication)
Discussion of this draft takes place on the HTTPAuth working group Discussion of this draft takes place on the HTTPAuth working group
mailing list (http-auth@ietf.org), which is archived at <http:// mailing list (http-auth@ietf.org), which is archived at <http://
www.ietf.org/mail-archive/web/http-auth/current/maillist.html>. www.ietf.org/mail-archive/web/http-auth/current/maillist.html>.
XML versions, latest edits and the issues list for this document are XML versions, latest edits and the issues list for this document are
available from <http://greenbytes.de/tech/ available from <http://greenbytes.de/tech/
webdav/#draft-ietf-httpauth-basicauth-update>. webdav/#draft-ietf-httpauth-basicauth-update>.
The changes in this draft are summarized in Appendix C.6. The changes in this draft are summarized in Appendix C.7.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 20, 2015. This Internet-Draft will expire on August 16, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 22 skipping to change at page 3, line 22
2.2. Re-using Credentials . . . . . . . . . . . . . . . . . . . 8 2.2. Re-using Credentials . . . . . . . . . . . . . . . . . . . 8
3. Internationalization Considerations . . . . . . . . . . . . . 8 3. Internationalization Considerations . . . . . . . . . . . . . 8
4. Security Considerations . . . . . . . . . . . . . . . . . . . 9 4. Security Considerations . . . . . . . . . . . . . . . . . . . 9
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
7.1. Normative References . . . . . . . . . . . . . . . . . . . 11 7.1. Normative References . . . . . . . . . . . . . . . . . . . 11
7.2. Informative References . . . . . . . . . . . . . . . . . . 11 7.2. Informative References . . . . . . . . . . . . . . . . . . 11
Appendix A. Changes from RFC 2617 . . . . . . . . . . . . . . . . 12 Appendix A. Changes from RFC 2617 . . . . . . . . . . . . . . . . 12
Appendix B. Deployment Considerations for the 'charset' Appendix B. Deployment Considerations for the 'charset'
Parameter . . . . . . . . . . . . . . . . . . . . . . 12 Parameter . . . . . . . . . . . . . . . . . . . . . . 13
B.1. User Agents . . . . . . . . . . . . . . . . . . . . . . . 12 B.1. User Agents . . . . . . . . . . . . . . . . . . . . . . . 13
B.2. Origin Servers . . . . . . . . . . . . . . . . . . . . . . 13 B.2. Origin Servers . . . . . . . . . . . . . . . . . . . . . . 13
B.3. Why not simply switch the default encoding to UTF-8? . . . 13 B.3. Why not simply switch the default encoding to UTF-8? . . . 13
Appendix C. Change Log (to be removed by RFC Editor before Appendix C. Change Log (to be removed by RFC Editor before
publication) . . . . . . . . . . . . . . . . . . . . 13 publication) . . . . . . . . . . . . . . . . . . . . 13
C.1. Since RFC 2617 . . . . . . . . . . . . . . . . . . . . . . 13 C.1. Since RFC 2617 . . . . . . . . . . . . . . . . . . . . . . 14
C.2. Since draft-ietf-httpauth-basicauth-update-00 . . . . . . 13 C.2. Since draft-ietf-httpauth-basicauth-update-00 . . . . . . 14
C.3. Since draft-ietf-httpauth-basicauth-update-01 . . . . . . 14 C.3. Since draft-ietf-httpauth-basicauth-update-01 . . . . . . 14
C.4. Since draft-ietf-httpauth-basicauth-update-02 . . . . . . 14 C.4. Since draft-ietf-httpauth-basicauth-update-02 . . . . . . 14
C.5. Since draft-ietf-httpauth-basicauth-update-03 . . . . . . 14 C.5. Since draft-ietf-httpauth-basicauth-update-03 . . . . . . 14
C.6. Since draft-ietf-httpauth-basicauth-update-04 . . . . . . 14 C.6. Since draft-ietf-httpauth-basicauth-update-04 . . . . . . 15
C.7. Since draft-ietf-httpauth-basicauth-update-05 . . . . . . 15
1. Introduction 1. Introduction
This document defines the "Basic" Hypertext Transfer Protocol (HTTP) This document defines the "Basic" Hypertext Transfer Protocol (HTTP)
Authentication Scheme, which transmits credentials as userid/password Authentication Scheme, which transmits credentials as user-id/
pairs, obfuscated by the use of Base64 encoding (HTTP authentication password pairs, encoded using Base64 (HTTP authentication schemes are
schemes are defined in [RFC7235]). defined in [RFC7235]).
This scheme is not considered to be a secure method of user This scheme is not considered to be a secure method of user
authentication unless used in conjunction with some external secure authentication unless used in conjunction with some external secure
system such as TLS (Transport Layer Security, [RFC5246]), as the user system such as TLS (Transport Layer Security, [RFC5246]), as the
name and password are passed over the network as cleartext. user-id and password are passed over the network as cleartext.
The "Basic" scheme previously was defined in Section 2 of [RFC2617]. The "Basic" scheme previously was defined in Section 2 of [RFC2617].
This document updates the definition, and also addresses This document updates the definition, and also addresses
internationalization issues by introducing the "charset" internationalization issues by introducing the "charset"
authentication parameter (Section 2.1). authentication parameter (Section 2.1).
Other documents updating RFC 2617 are "Hypertext Transfer Protocol Other documents updating RFC 2617 are "Hypertext Transfer Protocol
(HTTP/1.1): Authentication" ([RFC7235], defining the authentication (HTTP/1.1): Authentication" ([RFC7235], defining the authentication
framework) and "HTTP Digest Access Authentication" ([DIGEST], framework), "HTTP Digest Access Authentication" ([DIGEST], updating
updating the definition of the '"Digest" authentication scheme). the definition of the '"Digest" authentication scheme), and "The
Taken together, these three documents obsolete RFC 2617. Hypertext Transfer Protocol (HTTP) Authentication-Info and Proxy-
Authentication-Info Response Header Fields" ([AUTHINFO]). Taken
together, these four documents obsolete RFC 2617.
1.1. Notational Conventions 1.1. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
1.1.1. Syntax Notation 1.1.1. Syntax Notation
This specification uses the Augmented Backus-Naur Form (ABNF) This specification uses the Augmented Backus-Naur Form (ABNF)
skipping to change at page 4, line 48 skipping to change at page 4, line 50
The terms protection space and realm are defined in Section 2.2 of The terms protection space and realm are defined in Section 2.2 of
[RFC7235]. [RFC7235].
The terms (character) repertoire and character encoding scheme are The terms (character) repertoire and character encoding scheme are
defined in Section 2 of [RFC6365]. defined in Section 2 of [RFC6365].
2. The 'Basic' Authentication Scheme 2. The 'Basic' Authentication Scheme
The "Basic" authentication scheme is based on the model that the The "Basic" authentication scheme is based on the model that the
client needs to authenticate itself with a user-ID and a password for client needs to authenticate itself with a user-id and a password for
each protection space ("realm"). The realm value is an opaque string each protection space ("realm"). The realm value is a free-form
which can only be compared for equality with other realms on that string which can only be compared for equality with other realms on
server. The server will service the request only if it can validate that server. The server will service the request only if it can
the user-ID and password for the protection space applying to the validate the user-id and password for the protection space applying
requested resource. to the requested resource.
The "Basic" authentication scheme utilizes the Authentication The "Basic" authentication scheme utilizes the Authentication
Framework as follows: Framework as follows:
In challenges: In challenges:
o the scheme name is "Basic" o the scheme name is "Basic"
o the authentication parameter "realm" is REQUIRED ([RFC7235], o the authentication parameter "realm" is REQUIRED ([RFC7235],
Section 2.2) Section 2.2)
o the authentication parameter "charset" is OPTIONAL (see o the authentication parameter "charset" is OPTIONAL (see
Section 2.1) Section 2.1)
o no other authentication parameters are defined -- unknown o no other authentication parameters are defined -- unknown
parameters MUST be ignored by recipients, and new parameters can parameters MUST be ignored by recipients, and new parameters can
only be defined by revising this specification only be defined by revising this specification
See also Section 4.1 of [RFC7235] which discusses the complexity of
parsing challenges properly.
Note that both scheme and parameter names are matched case- Note that both scheme and parameter names are matched case-
insensitively. insensitively.
For credentials, the "token68" syntax defined in Section 2.1 of For credentials, the "token68" syntax defined in Section 2.1 of
[RFC7235] is used. The value is computed based on user-id and [RFC7235] is used. The value is computed based on user-id and
password as defined below. password as defined below.
Upon receipt of a request for a URI within the protection space that Upon receipt of a request for a URI within the protection space that
lacks credentials, the server can reply with a challenge using the lacks credentials, the server can reply with a challenge using the
401 (Unauthorized) status code ([RFC7235], Section 3.1) and the WWW- 401 (Unauthorized) status code ([RFC7235], Section 3.1) and the WWW-
skipping to change at page 6, line 4 skipping to change at page 6, line 7
WWW-Authenticate: Basic realm="WallyWorld" WWW-Authenticate: Basic realm="WallyWorld"
...where "WallyWorld" is the string assigned by the server to ...where "WallyWorld" is the string assigned by the server to
identify the protection space. identify the protection space.
A proxy can respond with a similar challenge using the 407 (Proxy A proxy can respond with a similar challenge using the 407 (Proxy
Authentication Required) status code ([RFC7235], Section 3.2) and the Authentication Required) status code ([RFC7235], Section 3.2) and the
Proxy-Authenticate header field ([RFC7235], Section 4.3). Proxy-Authenticate header field ([RFC7235], Section 4.3).
To receive authorization, the client To receive authorization, the client
1. obtains the userid and password from the user,
2. constructs the user-pass by concatenating userid, a single colon 1. obtains the user-id and password from the user,
2. constructs the user-pass by concatenating user-id, a single colon
(":") character, and the password, (":") character, and the password,
3. encodes the user-pass into an octet sequence (see below for a 3. encodes the user-pass into an octet sequence (see below for a
discussion of character encoding schemes), discussion of character encoding schemes),
4. and obtains the basic-credentials by encoding this octet sequence 4. and obtains the basic-credentials by encoding this octet sequence
using base64 ([RFC4648], Section 4) into a sequence of US-ASCII using base64 ([RFC4648], Section 4) into a sequence of US-ASCII
characters ([RFC0020]). characters ([RFC0020]).
The original definition of this authentication scheme failed to The original definition of this authentication scheme failed to
specify the character encoding scheme used to convert the user-pass specify the character encoding scheme used to convert the user-pass
into an octet sequence. In practice, most implementations chose into an octet sequence. In practice, most implementations chose
either a local-specific encoding such as ISO-8859-1 ([ISO-8859-1]), either a locale-specific encoding such as ISO-8859-1 ([ISO-8859-1]),
or UTF-8 ([RFC3629]). For backwards compatibility reasons, this or UTF-8 ([RFC3629]). For backwards compatibility reasons, this
specification continues to leave the default encoding undefined, as specification continues to leave the default encoding undefined, as
long as it is compatible with US-ASCII (mapping any US-ASCII long as it is compatible with US-ASCII (mapping any US-ASCII
character to a single octet matching the US-ASCII character code). character to a single octet matching the US-ASCII character code).
The userid and password MUST NOT contain any control characters (see The user-id and password MUST NOT contain any control characters (see
"CTL" in Appendix B.1 of [RFC5234]). "CTL" in Appendix B.1 of [RFC5234]).
Furthermore, a userid containing a colon character is invalid, as Furthermore, a user-id containing a colon character is invalid, as
recipients will split the user-pass at the first occurence of a colon recipients will split the user-pass at the first occurrence of a
character. Note that many user agents however will accept a colon in colon character. Note that many user agents however will accept a
userid, thereby producing a user-pass string that recipients will colon in user-id, thereby producing a user-pass string that
likely treat in a way not intended by the user. recipients will likely treat in a way not intended by the user.
If the user agent wishes to send the userid "Aladdin" and password If the user agent wishes to send the user-id "Aladdin" and password
"open sesame", it would use the following header field: "open sesame", it would use the following header field:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
2.1. The 'charset' auth-param 2.1. The 'charset' auth-param
In challenges, servers can use the "charset" authentication parameter In challenges, servers can use the "charset" authentication parameter
to indicate the character encoding scheme they expect the user agent to indicate the character encoding scheme they expect the user agent
to use when generating "user-pass" (a sequence of octets). This to use when generating "user-pass" (a sequence of octets). This
information is purely advisory. information is purely advisory.
The only allowed value is "UTF-8", to be matched case-insensitively The only allowed value is "UTF-8", to be matched case-insensitively
(see [RFC2978], Section 2.3). It indicates that the server expects (see [RFC2978], Section 2.3). It indicates that the server expects
character data to be converted to Unicode Normalization Form C character data to be converted to Unicode Normalization Form C
("NFC", see Section 3 of [RFC5198]) and to be encoded into octets ("NFC", see Section 3 of [RFC5198]) and to be encoded into octets
using the UTF-8 character encoding scheme ([RFC3629]). using the UTF-8 character encoding scheme ([RFC3629]).
For the userid, recipients MUST support all characters defined in the For the user-id, recipients MUST support all characters defined in
"UsernameCasePreserved" profile defined in in Section 3.3 of the "UsernameCasePreserved" profile defined in in Section 3.3 of
[PRECIS], with the exception of the colon (":") character. [PRECIS], with the exception of the colon (":") character.
For the password, recipients MUST support all characters defined in For the password, recipients MUST support all characters defined in
the "OpaqueString" profile defined in in Section 4.2 of [PRECIS]. the "OpaqueString" profile defined in in Section 4.2 of [PRECIS].
Other values are reserved for future use. Other values are reserved for future use.
Note: The 'charset' is only defined on challenges, as "Basic" uses Note: The 'charset' is only defined on challenges, as "Basic" uses
a single token for credentials ('token68' syntax), thus the a single token for credentials ('token68' syntax), thus the
credentials syntax isn't extensible. credentials syntax isn't extensible.
skipping to change at page 8, line 18 skipping to change at page 8, line 20
request, the authentication scope of that request is obtained by request, the authentication scope of that request is obtained by
removing all characters after the last slash ("/") character of the removing all characters after the last slash ("/") character of the
path component ("hier_part", see [RFC3986], Section 3). A client path component ("hier_part", see [RFC3986], Section 3). A client
SHOULD assume that resources identified by URIs with a prefix-match SHOULD assume that resources identified by URIs with a prefix-match
of the authentication scope are also within the protection space of the authentication scope are also within the protection space
specified by the realm value of the that authenticated request. specified by the realm value of the that authenticated request.
A client MAY preemptively send the corresponding Authorization header A client MAY preemptively send the corresponding Authorization header
field with requests for resources in that space without receipt of field with requests for resources in that space without receipt of
another challenge from the server. Similarly, when a client sends a another challenge from the server. Similarly, when a client sends a
request to a proxy, it may reuse a userid and password in the Proxy- request to a proxy, it may reuse a user-id and password in the Proxy-
Authorization header field without receiving another challenge from Authorization header field without receiving another challenge from
the proxy server. the proxy server.
For example, given an authenticated request to: For example, given an authenticated request to:
http://example.com/docs/index.html http://example.com/docs/index.html
...requests to the URIs below could use the known credentials: ...requests to the URIs below could use the known credentials:
http://example.com/docs/ http://example.com/docs/
skipping to change at page 8, line 46 skipping to change at page 8, line 48
would be considered to be outside the authentication scope. would be considered to be outside the authentication scope.
Note that a URI can be part of multiple authentication scopes (such Note that a URI can be part of multiple authentication scopes (such
as "http://example.com/" and "http://example.com/docs/"). This as "http://example.com/" and "http://example.com/docs/"). This
specification does not define which of these should be treated with specification does not define which of these should be treated with
higher priority. higher priority.
3. Internationalization Considerations 3. Internationalization Considerations
User names or passwords containing characters outside the US-ASCII User-ids or passwords containing characters outside the US-ASCII
character repertoire will cause interoperability issues, unless both character repertoire will cause interoperability issues, unless both
communication partners agree on what character encoding scheme is to communication partners agree on what character encoding scheme is to
be used. Servers can use the new 'charset' parameter (Section 2.1) be used. Servers can use the new 'charset' parameter (Section 2.1)
to indicate a preference of "UTF-8", increasing the probability that to indicate a preference of "UTF-8", increasing the probability that
clients will switch to that encoding. clients will switch to that encoding.
The "realm" parameter carries data that can be considered textual, The "realm" parameter carries data that can be considered textual,
however [RFC7235] does not define a way to reliably transport non-US- however [RFC7235] does not define a way to reliably transport non-US-
ASCII characters. This is a known issue that would need to be ASCII characters. This is a known issue that would need to be
addressed in that specification. addressed in that specification.
skipping to change at page 9, line 27 skipping to change at page 9, line 28
The most serious flaw in Basic authentication is that it results in The most serious flaw in Basic authentication is that it results in
the cleartext transmission of the user's password over the physical the cleartext transmission of the user's password over the physical
network. Many other authentication schemes address this problem. network. Many other authentication schemes address this problem.
Because Basic authentication involves the cleartext transmission of Because Basic authentication involves the cleartext transmission of
passwords it SHOULD NOT be used (without enhancements such as HTTPS passwords it SHOULD NOT be used (without enhancements such as HTTPS
[RFC2818]) to protect sensitive or valuable information. [RFC2818]) to protect sensitive or valuable information.
A common use of Basic authentication is for identification purposes A common use of Basic authentication is for identification purposes
-- requiring the user to provide a user name and password as a means -- requiring the user to provide a user-id and password as a means of
of identification, for example, for purposes of gathering accurate identification, for example, for purposes of gathering accurate usage
usage statistics on a server. When used in this way it is tempting statistics on a server. When used in this way it is tempting to
to think that there is no danger in its use if illicit access to the think that there is no danger in its use if illicit access to the
protected documents is not a major concern. This is only correct if protected documents is not a major concern. This is only correct if
the server issues both user name and password to the users and in the server issues both user-id and password to the users and in
particular does not allow the user to choose his or her own password. particular does not allow the user to choose his or her own password.
The danger arises because naive users frequently reuse a single The danger arises because naive users frequently reuse a single
password to avoid the task of maintaining multiple passwords. password to avoid the task of maintaining multiple passwords.
If a server permits users to select their own passwords, then the If a server permits users to select their own passwords, then the
threat is not only unauthorized access to documents on the server but threat is not only unauthorized access to documents on the server but
also unauthorized access to any other resources on other systems that also unauthorized access to any other resources on other systems that
the user protects with the same password. Furthermore, in the the user protects with the same password. Furthermore, in the
server's password database, many of the passwords may also be users' server's password database, many of the passwords may also be users'
passwords for other sites. The owner or administrator of such a passwords for other sites. The owner or administrator of such a
system could therefore expose all users of the system to the risk of system could therefore expose all users of the system to the risk of
unauthorized access to all those sites if this information is not unauthorized access to all those sites if this information is not
maintained in a secure fashion. This raises both security and maintained in a secure fashion. This raises both security and
privacy concerns ([RFC6973]). If the same username and password privacy concerns ([RFC6973]). If the same user-id and password
combination is in use to access other accounts, such as an email or combination is in use to access other accounts, such as an email or
health portal account, personal information could be exposed. health portal account, personal information could be exposed.
Basic Authentication is also vulnerable to spoofing by counterfeit Basic Authentication is also vulnerable to spoofing by counterfeit
servers. If a user can be led to believe that he is connecting to a servers. If a user can be led to believe that he is connecting to a
host containing information protected by Basic authentication when, host containing information protected by Basic authentication when,
in fact, he is connecting to a hostile server or gateway, then the in fact, he is connecting to a hostile server or gateway, then the
attacker can request a password, store it for later use, and feign an attacker can request a password, store it for later use, and feign an
error. This type of attack is not possible with Digest error. This type of attack is not possible with Digest
Authentication. Server implementers SHOULD guard against the Authentication. Server implementers SHOULD guard against the
skipping to change at page 10, line 46 skipping to change at page 10, line 48
The internationalization problem with respect to the character The internationalization problem with respect to the character
encoding scheme used for user-pass has been reported as a Mozilla bug encoding scheme used for user-pass has been reported as a Mozilla bug
back in the year 2000 (see back in the year 2000 (see
<https://bugzilla.mozilla.org/show_bug.cgi?id=41489> and also the <https://bugzilla.mozilla.org/show_bug.cgi?id=41489> and also the
more recent <https://bugzilla.mozilla.org/show_bug.cgi?id=656213>). more recent <https://bugzilla.mozilla.org/show_bug.cgi?id=656213>).
It was Andrew Clover's idea to address it using a new auth-param. It was Andrew Clover's idea to address it using a new auth-param.
We also thank the members of the HTTPAuth Working Group and other We also thank the members of the HTTPAuth Working Group and other
reviewers, namely Stephen Farrell, Bjoern Hoehrmann, Kari Hurtta, reviewers, namely Stephen Farrell, Bjoern Hoehrmann, Kari Hurtta,
Amos Jeffries, Benjamin Kaduk, Michael Koeller, James Manger, Amos Jeffries, Benjamin Kaduk, Michael Koeller, Eric Lawrence, James
Kathleen Moriarty, Yaron Sheffer, Michael Sweet, and Martin Thomson Manger, Alexey Melnikov, Kathleen Moriarty, Yaron Sheffer, Michael
for feedback on this revision. Sweet, and Martin Thomson for feedback on this revision.
7. References 7. References
7.1. Normative References 7.1. Normative References
[PRECIS] Saint-Andre, P. and A. Melnikov, "Preparation, [PRECIS] Saint-Andre, P. and A. Melnikov, "Preparation,
Enforcement, and Comparison of Internationalized Enforcement, and Comparison of Internationalized
Strings Representing Usernames and Passwords", Strings Representing Usernames and Passwords",
draft-ietf-precis-saslprepbis-12 (work in progress), draft-ietf-precis-saslprepbis-13 (work in progress),
December 2014. December 2014.
[RFC0020] Cerf, V., "ASCII format for network interchange", [RFC0020] Cerf, V., "ASCII format for network interchange",
RFC 20, October 1969. RFC 20, October 1969.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2978] Freed, N. and J. Postel, "IANA Charset Registration [RFC2978] Freed, N. and J. Postel, "IANA Charset Registration
Procedures", BCP 19, RFC 2978, October 2000. Procedures", BCP 19, RFC 2978, October 2000.
skipping to change at page 11, line 48 skipping to change at page 11, line 51
[RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in [RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in
Internationalization in the IETF", BCP 166, RFC 6365, Internationalization in the IETF", BCP 166, RFC 6365,
September 2011. September 2011.
[RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext [RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext
Transfer Protocol (HTTP/1.1): Authentication", Transfer Protocol (HTTP/1.1): Authentication",
RFC 7235, June 2014. RFC 7235, June 2014.
7.2. Informative References 7.2. Informative References
[AUTHINFO] Reschke, J., "The Hypertext Transfer Protocol (HTTP)
Authentication-Info and Proxy-Authentication-Info
Response Header Fields",
draft-ietf-httpbis-auth-info-02 (work in progress),
February 2015.
[DIGEST] Shekh-Yusef, R., Ed., Ahrens, D., and S. Bremer, "HTTP [DIGEST] Shekh-Yusef, R., Ed., Ahrens, D., and S. Bremer, "HTTP
Digest Access Authentication", Digest Access Authentication",
draft-ietf-httpauth-digest-10 (work in progress), draft-ietf-httpauth-digest-13 (work in progress),
January 2015. February 2015.
[ISO-8859-1] International Organization for Standardization, [ISO-8859-1] International Organization for Standardization,
"Information technology -- 8-bit single-byte coded "Information technology -- 8-bit single-byte coded
graphic character sets -- Part 1: Latin alphabet No. graphic character sets -- Part 1: Latin alphabet No.
1", ISO/IEC 8859-1:1998, 1998. 1", ISO/IEC 8859-1:1998, 1998.
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence,
S., Leach, P., Luotonen, A., and L. Stewart, "HTTP S., Leach, P., Luotonen, A., and L. Stewart, "HTTP
Authentication: Basic and Digest Access Authentication: Basic and Digest Access
Authentication", RFC 2617, June 1999. Authentication", RFC 2617, June 1999.
skipping to change at page 13, line 21 skipping to change at page 13, line 31
credentials do not require any changes to support 'charset'. credentials do not require any changes to support 'charset'.
Origin servers that need to support non-US-ASCII characters, but Origin servers that need to support non-US-ASCII characters, but
cannot use the UTF-8 character encoding scheme will not be affected; cannot use the UTF-8 character encoding scheme will not be affected;
they will continue to function as well or as badly as before. they will continue to function as well or as badly as before.
Finally, origin servers that need to support non-US-ASCII characters Finally, origin servers that need to support non-US-ASCII characters
and can use the UTF-8 character encoding scheme can opt in as and can use the UTF-8 character encoding scheme can opt in as
described above. In the worst case, they'll continue to see either described above. In the worst case, they'll continue to see either
broken credentials or no credentials at all (depending on how legacy broken credentials or no credentials at all (depending on how legacy
clients handle characters they can not encode). clients handle characters they cannot encode).
B.3. Why not simply switch the default encoding to UTF-8? B.3. Why not simply switch the default encoding to UTF-8?
There are sites in use today that default to a local character There are sites in use today that default to a local character
encoding scheme, such as ISO-8859-1 ([ISO-8859-1]), and expect user encoding scheme, such as ISO-8859-1 ([ISO-8859-1]), and expect user
agents to use that encoding. Authentication on these sites will stop agents to use that encoding. Authentication on these sites will stop
to work if the user agent switches to a different encoding, such as to work if the user agent switches to a different encoding, such as
UTF-8. UTF-8.
Note that sites might even inspect the User-Agent header field Note that sites might even inspect the User-Agent header field
skipping to change at page 14, line 14 skipping to change at page 14, line 25
Update HTTPbis and Digest references. Update HTTPbis and Digest references.
Note that this spec, together with HTTPbis P7 and the Digest update, Note that this spec, together with HTTPbis P7 and the Digest update,
obsoletes RFC 2617. obsoletes RFC 2617.
Rewrote text about authentication parameters and their extensibility. Rewrote text about authentication parameters and their extensibility.
Pulled in the definition of the "charset" parameter. Pulled in the definition of the "charset" parameter.
Removed a misleading statement about userids potentially being case- Removed a misleading statement about user-ids potentially being case-
sensitive, as the same is true for passwords. sensitive, as the same is true for passwords.
Added TODOs with respect to path matching, and colons in userids. Added TODOs with respect to path matching, and colons in user-ids.
C.3. Since draft-ietf-httpauth-basicauth-update-01 C.3. Since draft-ietf-httpauth-basicauth-update-01
Minor improvements on Security Considerations. Minor improvements on Security Considerations.
Update Digest reference. Update Digest reference.
Rewrite scheme definition as algorithm rather than pseudo-ABNF. Rewrite scheme definition as algorithm rather than pseudo-ABNF.
Add a note about colons in userid. Add a note about colons in user-id.
Attempt to explain authentication scopes. Attempt to explain authentication scopes.
C.4. Since draft-ietf-httpauth-basicauth-update-02 C.4. Since draft-ietf-httpauth-basicauth-update-02
Reference draft-ietf-precis-saslprepbis for the set of characters Reference draft-ietf-precis-saslprepbis for the set of characters
that need to be supported in userids and passwords. that need to be supported in user-ids and passwords.
C.5. Since draft-ietf-httpauth-basicauth-update-03 C.5. Since draft-ietf-httpauth-basicauth-update-03
Update reference for draft-ietf-precis-saslprepbis (which renames Update reference for draft-ietf-precis-saslprepbis (which renames
"Password" to "OpaqueString"). "Password" to "OpaqueString").
Mention HTTPS as enhancement for securing the transmission of Mention HTTPS as enhancement for securing the transmission of
credentials. credentials.
Update DIGEST reference and change it to informative. Update DIGEST reference and change it to informative.
Use RFC 20 as reference for ASCII. Use RFC 20 as reference for ASCII.
C.6. Since draft-ietf-httpauth-basicauth-update-04 C.6. Since draft-ietf-httpauth-basicauth-update-04
Fixed definition of authentication scope. Updated DIGEST reference. Fixed definition of authentication scope. Updated DIGEST reference.
C.7. Since draft-ietf-httpauth-basicauth-update-05
Updated DIGEST and PRECIS references.
Avoid the term "obfuscated". Say "free-form string" instead of
"opaque string" in realm description.
Mention AUTHINFO as yet another draft that helps obsoleting RFC 2617.
Add a note about the complexity of parsing challenges correctly.
Author's Address Author's Address
Julian F. Reschke Julian F. Reschke
greenbytes GmbH greenbytes GmbH
Hafenweg 16 Hafenweg 16
Muenster, NW 48155 Muenster, NW 48155
Germany Germany
EMail: julian.reschke@greenbytes.de EMail: julian.reschke@greenbytes.de
URI: http://greenbytes.de/tech/webdav/ URI: http://greenbytes.de/tech/webdav/
 End of changes. 37 change blocks. 
57 lines changed or deleted 82 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/