idnits 2.17.1 draft-ietf-httpauth-basicauth-update-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC2617, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 28, 2015) is 2896 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: draft-ietf-precis-saslprepbis has been published as RFC 7613 ** Obsolete normative reference: RFC 7235 (Obsoleted by RFC 9110) == Outdated reference: draft-ietf-httpbis-auth-info has been published as RFC 7615 == Outdated reference: draft-ietf-httpauth-digest has been published as RFC 7616 -- Obsolete informational reference (is this intentional?): RFC 2617 (Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617) -- Obsolete informational reference (is this intentional?): RFC 2818 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 2831 (Obsoleted by RFC 6331) -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) -- Obsolete informational reference (is this intentional?): RFC 7231 (Obsoleted by RFC 9110) Summary: 1 error (**), 0 flaws (~~), 5 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTPAuth Working Group J. Reschke 3 Internet-Draft greenbytes 4 Obsoletes: 2617 (if approved) February 28, 2015 5 Intended status: Standards Track 6 Expires: September 1, 2015 8 The 'Basic' HTTP Authentication Scheme 9 draft-ietf-httpauth-basicauth-update-07 11 Abstract 13 This document defines the "Basic" Hypertext Transfer Protocol (HTTP) 14 Authentication Scheme, which transmits credentials as user-id/ 15 password pairs, encoded using Base64. 17 Editorial Note (To be removed by RFC Editor before publication) 19 Discussion of this draft takes place on the HTTPAuth working group 20 mailing list (http-auth@ietf.org), which is archived at . 23 XML versions, latest edits and the issues list for this document are 24 available from . 27 The changes in this draft are summarized in Appendix C.8. 29 Status of This Memo 31 This Internet-Draft is submitted in full conformance with the 32 provisions of BCP 78 and BCP 79. 34 Internet-Drafts are working documents of the Internet Engineering 35 Task Force (IETF). Note that other groups may also distribute 36 working documents as Internet-Drafts. The list of current Internet- 37 Drafts is at http://datatracker.ietf.org/drafts/current/. 39 Internet-Drafts are draft documents valid for a maximum of six months 40 and may be updated, replaced, or obsoleted by other documents at any 41 time. It is inappropriate to use Internet-Drafts as reference 42 material or to cite them other than as "work in progress." 44 This Internet-Draft will expire on September 1, 2015. 46 Copyright Notice 48 Copyright (c) 2015 IETF Trust and the persons identified as the 49 document authors. All rights reserved. 51 This document is subject to BCP 78 and the IETF Trust's Legal 52 Provisions Relating to IETF Documents 53 (http://trustee.ietf.org/license-info) in effect on the date of 54 publication of this document. Please review these documents 55 carefully, as they describe your rights and restrictions with respect 56 to this document. Code Components extracted from this document must 57 include Simplified BSD License text as described in Section 4.e of 58 the Trust Legal Provisions and are provided without warranty as 59 described in the Simplified BSD License. 61 This document may contain material from IETF Documents or IETF 62 Contributions published or made publicly available before November 63 10, 2008. The person(s) controlling the copyright in some of this 64 material may not have granted the IETF Trust the right to allow 65 modifications of such material outside the IETF Standards Process. 66 Without obtaining an adequate license from the person(s) controlling 67 the copyright in such materials, this document may not be modified 68 outside the IETF Standards Process, and derivative works of it may 69 not be created outside the IETF Standards Process, except to format 70 it for publication as an RFC or to translate it into languages other 71 than English. 73 Table of Contents 75 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 76 1.1. Terminology and Notation . . . . . . . . . . . . . . . . . 4 77 2. The 'Basic' Authentication Scheme . . . . . . . . . . . . . . 4 78 2.1. The 'charset' auth-param . . . . . . . . . . . . . . . . . 6 79 2.2. Re-using Credentials . . . . . . . . . . . . . . . . . . . 8 80 3. Internationalization Considerations . . . . . . . . . . . . . 8 81 4. Security Considerations . . . . . . . . . . . . . . . . . . . 9 82 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 83 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 84 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 85 7.1. Normative References . . . . . . . . . . . . . . . . . . . 11 86 7.2. Informative References . . . . . . . . . . . . . . . . . . 12 87 Appendix A. Changes from RFC 2617 . . . . . . . . . . . . . . . . 13 88 Appendix B. Deployment Considerations for the 'charset' 89 Parameter . . . . . . . . . . . . . . . . . . . . . . 13 90 B.1. User Agents . . . . . . . . . . . . . . . . . . . . . . . 13 91 B.2. Servers . . . . . . . . . . . . . . . . . . . . . . . . . 13 92 B.3. Why not simply switch the default encoding to UTF-8? . . . 14 93 Appendix C. Change Log (to be removed by RFC Editor before 94 publication) . . . . . . . . . . . . . . . . . . . . 14 95 C.1. Since RFC 2617 . . . . . . . . . . . . . . . . . . . . . . 14 96 C.2. Since draft-ietf-httpauth-basicauth-update-00 . . . . . . 14 97 C.3. Since draft-ietf-httpauth-basicauth-update-01 . . . . . . 15 98 C.4. Since draft-ietf-httpauth-basicauth-update-02 . . . . . . 15 99 C.5. Since draft-ietf-httpauth-basicauth-update-03 . . . . . . 15 100 C.6. Since draft-ietf-httpauth-basicauth-update-04 . . . . . . 15 101 C.7. Since draft-ietf-httpauth-basicauth-update-05 . . . . . . 15 102 C.8. Since draft-ietf-httpauth-basicauth-update-06 . . . . . . 15 104 1. Introduction 106 This document defines the "Basic" Hypertext Transfer Protocol (HTTP) 107 Authentication Scheme, which transmits credentials as user-id/ 108 password pairs, encoded using Base64 (HTTP authentication schemes are 109 defined in [RFC7235]). 111 This scheme is not considered to be a secure method of user 112 authentication unless used in conjunction with some external secure 113 system such as TLS (Transport Layer Security, [RFC5246]), as the 114 user-id and password are passed over the network as cleartext. 116 The "Basic" scheme previously was defined in Section 2 of [RFC2617]. 117 This document updates the definition, and also addresses 118 internationalization issues by introducing the "charset" 119 authentication parameter (Section 2.1). 121 Other documents updating RFC 2617 are "Hypertext Transfer Protocol 122 (HTTP/1.1): Authentication" ([RFC7235], defining the authentication 123 framework), "HTTP Digest Access Authentication" ([DIGEST], updating 124 the definition of the "Digest" authentication scheme), and "The 125 Hypertext Transfer Protocol (HTTP) Authentication-Info and Proxy- 126 Authentication-Info Response Header Fields" ([AUTHINFO]). Taken 127 together, these four documents obsolete RFC 2617. 129 1.1. Terminology and Notation 131 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 132 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 133 document are to be interpreted as described in [RFC2119]. 135 The terms protection space and realm are defined in Section 2.2 of 136 [RFC7235]. 138 The terms (character) repertoire and character encoding scheme are 139 defined in Section 2 of [RFC6365]. 141 2. The 'Basic' Authentication Scheme 143 The "Basic" authentication scheme is based on the model that the 144 client needs to authenticate itself with a user-id and a password for 145 each protection space ("realm"). The realm value is a free-form 146 string which can only be compared for equality with other realms on 147 that server. The server will service the request only if it can 148 validate the user-id and password for the protection space applying 149 to the requested resource. 151 The "Basic" authentication scheme utilizes the Authentication 152 Framework as follows: 154 In challenges: 156 o the scheme name is "Basic" 158 o the authentication parameter "realm" is REQUIRED ([RFC7235], 159 Section 2.2) 161 o the authentication parameter "charset" is OPTIONAL (see 162 Section 2.1) 164 o no other authentication parameters are defined -- unknown 165 parameters MUST be ignored by recipients, and new parameters can 166 only be defined by revising this specification 168 See also Section 4.1 of [RFC7235] which discusses the complexity of 169 parsing challenges properly. 171 Note that both scheme and parameter names are matched case- 172 insensitively. 174 For credentials, the "token68" syntax defined in Section 2.1 of 175 [RFC7235] is used. The value is computed based on user-id and 176 password as defined below. 178 Upon receipt of a request for a URI within the protection space that 179 lacks credentials, the server can reply with a challenge using the 180 401 (Unauthorized) status code ([RFC7235], Section 3.1) and the WWW- 181 Authenticate header field ([RFC7235], Section 4.1). 183 For instance: 185 HTTP/1.1 401 Unauthorized 186 Date: Mon, 04 Feb 2014 16:50:53 GMT 187 WWW-Authenticate: Basic realm="WallyWorld" 189 ...where "WallyWorld" is the string assigned by the server to 190 identify the protection space. 192 A proxy can respond with a similar challenge using the 407 (Proxy 193 Authentication Required) status code ([RFC7235], Section 3.2) and the 194 Proxy-Authenticate header field ([RFC7235], Section 4.3). 196 To receive authorization, the client 197 1. obtains the user-id and password from the user, 199 2. constructs the user-pass by concatenating the user-id, a single 200 colon (":") character, and the password, 202 3. encodes the user-pass into an octet sequence (see below for a 203 discussion of character encoding schemes), 205 4. and obtains the basic-credentials by encoding this octet sequence 206 using base64 ([RFC4648], Section 4) into a sequence of US-ASCII 207 characters ([RFC0020]). 209 The original definition of this authentication scheme failed to 210 specify the character encoding scheme used to convert the user-pass 211 into an octet sequence. In practice, most implementations chose 212 either a locale-specific encoding such as ISO-8859-1 ([ISO-8859-1]), 213 or UTF-8 ([RFC3629]). For backwards compatibility reasons, this 214 specification continues to leave the default encoding undefined, as 215 long as it is compatible with US-ASCII (mapping any US-ASCII 216 character to a single octet matching the US-ASCII character code). 218 The user-id and password MUST NOT contain any control characters (see 219 "CTL" in Appendix B.1 of [RFC5234]). 221 Furthermore, a user-id containing a colon character is invalid, as 222 the first colon in a user-pass string separates user-id and password 223 from one another; text after the first colon is part of the password. 224 User-ids containing colons cannot be encoded in user-pass strings. 226 Note that many user agents produce user-pass strings without checking 227 that user-ids supplied by users do not contain colons; recipients 228 will then treat part of the username input as part of the password. 230 If the user agent wishes to send the user-id "Aladdin" and password 231 "open sesame", it would use the following header field: 233 Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== 235 2.1. The 'charset' auth-param 237 In challenges, servers can use the "charset" authentication parameter 238 to indicate the character encoding scheme they expect the user agent 239 to use when generating "user-pass" (a sequence of octets). This 240 information is purely advisory. 242 The only allowed value is "UTF-8", to be matched case-insensitively 243 (see [RFC2978], Section 2.3). It indicates that the server expects 244 character data to be converted to Unicode Normalization Form C 245 ("NFC", see Section 3 of [RFC5198]) and to be encoded into octets 246 using the UTF-8 character encoding scheme ([RFC3629]). 248 For the user-id, recipients MUST support all characters defined in 249 the "UsernameCasePreserved" profile defined in in Section 3.3 of 250 [PRECIS], with the exception of the colon (":") character. 252 For the password, recipients MUST support all characters defined in 253 the "OpaqueString" profile defined in in Section 4.2 of [PRECIS]. 255 Other values are reserved for future use. 257 Note: The 'charset' is only defined on challenges, as "Basic" uses 258 a single token for credentials ('token68' syntax); thus the 259 credentials syntax isn't extensible. 261 Note: The name 'charset' has been chosen for consistency with 262 Section 2.1.1 of [RFC2831]. A better name would have been 263 'accept-charset', as it is not about the message it appears in, 264 but the server's expectation. 266 In the example below, the server prompts for authentication in the 267 "foo" realm, using Basic authentication, with a preference for the 268 UTF-8 character encoding scheme: 270 WWW-Authenticate: Basic realm="foo", charset="UTF-8" 272 Note that the parameter value can be either a token or a quoted 273 string; in this case the server chose to use the quoted-string 274 notation. 276 The user's name is "test", and the password is the string "123" 277 followed by the Unicode character U+00A3 (POUND SIGN). Using the 278 character encoding scheme UTF-8, the user-pass becomes: 280 't' 'e' 's' 't' ':' '1' '2' '3' pound 281 74 65 73 74 3A 31 32 33 C2 A3 283 Encoding this octet sequence in Base64 ([RFC4648], Section 4) yields: 285 dGVzdDoxMjPCow== 287 Thus the Authorization header field would be: 289 Authorization: Basic dGVzdDoxMjPCow== 291 Or, for proxy authentication: 293 Proxy-Authorization: Basic dGVzdDoxMjPCow== 295 2.2. Re-using Credentials 297 Given the absolute URI ([RFC3986], Section 4.3) of an authenticated 298 request, the authentication scope of that request is obtained by 299 removing all characters after the last slash ("/") character of the 300 path component ("hier_part", see [RFC3986], Section 3). A client 301 SHOULD assume that resources identified by URIs with a prefix-match 302 of the authentication scope are also within the protection space 303 specified by the realm value of that authenticated request. 305 A client MAY preemptively send the corresponding Authorization header 306 field with requests for resources in that space without receipt of 307 another challenge from the server. Similarly, when a client sends a 308 request to a proxy, it MAY reuse a user-id and password in the Proxy- 309 Authorization header field without receiving another challenge from 310 the proxy server. 312 For example, given an authenticated request to: 314 http://example.com/docs/index.html 316 ...requests to the URIs below could use the known credentials: 318 http://example.com/docs/ 319 http://example.com/docs/test.doc 320 http://example.com/docs/?page=1 322 ...while the URIs 324 http://example.com/other/ 325 https://example.com/docs/ 327 would be considered to be outside the authentication scope. 329 Note that a URI can be part of multiple authentication scopes (such 330 as "http://example.com/" and "http://example.com/docs/"). This 331 specification does not define which of these should be treated with 332 higher priority. 334 3. Internationalization Considerations 336 User-ids or passwords containing characters outside the US-ASCII 337 character repertoire will cause interoperability issues, unless both 338 communication partners agree on what character encoding scheme is to 339 be used. Servers can use the new 'charset' parameter (Section 2.1) 340 to indicate a preference of "UTF-8", increasing the probability that 341 clients will switch to that encoding. 343 The "realm" parameter carries data that can be considered textual, 344 however [RFC7235] does not define a way to reliably transport non-US- 345 ASCII characters. This is a known issue that would need to be 346 addressed in a revision to that specification. 348 4. Security Considerations 350 The Basic authentication scheme is not a secure method of user 351 authentication, nor does it in any way protect the entity, which is 352 transmitted in cleartext across the physical network used as the 353 carrier. HTTP does not prevent the addition of enhancements (such as 354 schemes to use one-time passwords) to Basic authentication. 356 The most serious flaw in Basic authentication is that it results in 357 the cleartext transmission of the user's password over the physical 358 network. Many other authentication schemes address this problem. 360 Because Basic authentication involves the cleartext transmission of 361 passwords it SHOULD NOT be used (without enhancements such as HTTPS 362 [RFC2818]) to protect sensitive or valuable information. 364 A common use of Basic authentication is for identification purposes 365 -- requiring the user to provide a user-id and password as a means of 366 identification, for example, for purposes of gathering accurate usage 367 statistics on a server. When used in this way it is tempting to 368 think that there is no danger in its use if illicit access to the 369 protected documents is not a major concern. This is only correct if 370 the server issues both user-id and password to the users and in 371 particular does not allow the user to choose his or her own password. 372 The danger arises because naive users frequently reuse a single 373 password to avoid the task of maintaining multiple passwords. 375 If a server permits users to select their own passwords, then the 376 threat is not only unauthorized access to documents on the server but 377 also unauthorized access to any other resources on other systems that 378 the user protects with the same password. Furthermore, in the 379 server's password database, many of the passwords may also be users' 380 passwords for other sites. The owner or administrator of such a 381 system could therefore expose all users of the system to the risk of 382 unauthorized access to all those other sites if this information is 383 not maintained in a secure fashion. This raises both security and 384 privacy concerns ([RFC6973]). If the same user-id and password 385 combination is in use to access other accounts, such as an email or 386 health portal account, personal information could be exposed. 388 Basic authentication is also vulnerable to spoofing by counterfeit 389 servers. If a user can be led to believe that she is connecting to a 390 host containing information protected by Basic authentication when, 391 in fact, she is connecting to a hostile server or gateway, then the 392 attacker can request a password, store it for later use, and feign an 393 error. Server implementers ought to guard against this sort of 394 counterfeiting; in particular, software components which can take 395 over control over the message framing on an existing connection (for 396 instance, "NPH" ("non parsing of headers") scripts) need to be used 397 carefully or not at all. 399 Servers and proxies implementing Basic Authentication need to store 400 user passwords in some form in order to authenticate a request. 401 These passwords ought to be be stored in such a way that a leak of 402 the password data doesn't make them trivially recoverable. This is 403 especially important when users are allowed to set their own 404 passwords, since users are known to choose weak passwords and to 405 reuse them across authentication realms. While a full discussion of 406 good password hashing techniques is beyond the scope of this 407 document, server operators ought to make an effort to minimize risks 408 to their users in the event of a password data leak. For example, 409 servers ought to avoid storing user passwords in plaintext or as 410 unsalted digests. For more discussion about modern password hashing 411 techniques, see the "Password Hashing Competition" 412 (). 414 The use of the UTF-8 character encoding scheme and of normalization 415 introduces additional security considerations; see Section 10 of 416 [RFC3629] and Section 6 of [RFC5198] for more information. 418 5. IANA Considerations 420 IANA maintains the registry of HTTP Authentication Schemes 421 ([RFC7235]) at . 423 The entry for the "Basic" Authentication Scheme shall be updated by 424 replacing the reference with a pointer to this specification. 426 6. Acknowledgements 428 This specification takes over the definition of the "Basic" HTTP 429 Authentication Scheme, previously defined in RFC 2617. We thank John 430 Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D. 431 Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for 432 their work on that specification, from which significant amounts of 433 text were borrowed. See Section 6 of [RFC2617] for further 434 acknowledgements. 436 The internationalization problem with respect to the character 437 encoding scheme used for user-pass was reported as a Mozilla bug back 438 in the year 2000 (see 439 and also the 440 more recent ). 441 It was Andrew Clover's idea to address it using a new auth-param. 443 We also thank the members of the HTTPAuth Working Group and other 444 reviewers, namely Stephen Farrell, Roy Fielding, Bjoern Hoehrmann, 445 Daniel Kahn Gillmor, Tony Hansen, Kari Hurtta, Amos Jeffries, 446 Benjamin Kaduk, Michael Koeller, Eric Lawrence, Barry Leiba, James 447 Manger, Alexey Melnikov, Kathleen Moriarty, Juergen Schoenwaelder, 448 Yaron Sheffer, Meral Shirazipour, Michael Sweet, and Martin Thomson 449 for feedback on this revision. 451 7. References 453 7.1. Normative References 455 [PRECIS] Saint-Andre, P. and A. Melnikov, "Preparation, 456 Enforcement, and Comparison of Internationalized 457 Strings Representing Usernames and Passwords", 458 draft-ietf-precis-saslprepbis-13 (work in progress), 459 December 2014. 461 [RFC0020] Cerf, V., "ASCII format for network interchange", 462 RFC 20, October 1969. 464 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 465 Requirement Levels", BCP 14, RFC 2119, March 1997. 467 [RFC2978] Freed, N. and J. Postel, "IANA Charset Registration 468 Procedures", BCP 19, RFC 2978, October 2000. 470 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 471 10646", STD 63, RFC 3629, November 2003. 473 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, 474 "Uniform Resource Identifier (URI): Generic Syntax", 475 STD 66, RFC 3986, January 2005. 477 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 478 Encodings", RFC 4648, October 2006. 480 [RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for 481 Network Interchange", RFC 5198, March 2008. 483 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for 484 Syntax Specifications: ABNF", STD 68, RFC 5234, 485 January 2008. 487 [RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in 488 Internationalization in the IETF", BCP 166, RFC 6365, 489 September 2011. 491 [RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext 492 Transfer Protocol (HTTP/1.1): Authentication", 493 RFC 7235, June 2014. 495 7.2. Informative References 497 [AUTHINFO] Reschke, J., "The Hypertext Transfer Protocol (HTTP) 498 Authentication-Info and Proxy-Authentication-Info 499 Response Header Fields", 500 draft-ietf-httpbis-auth-info-02 (work in progress), 501 February 2015. 503 [DIGEST] Shekh-Yusef, R., Ed., Ahrens, D., and S. Bremer, "HTTP 504 Digest Access Authentication", 505 draft-ietf-httpauth-digest-14 (work in progress), 506 February 2015. 508 [ISO-8859-1] International Organization for Standardization, 509 "Information technology -- 8-bit single-byte coded 510 graphic character sets -- Part 1: Latin alphabet No. 511 1", ISO/IEC 8859-1:1998, 1998. 513 [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, 514 S., Leach, P., Luotonen, A., and L. Stewart, "HTTP 515 Authentication: Basic and Digest Access 516 Authentication", RFC 2617, June 1999. 518 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. 520 [RFC2831] Leach, P. and C. Newman, "Using Digest Authentication 521 as a SASL Mechanism", RFC 2831, May 2000. 523 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer 524 Security (TLS) Protocol Version 1.2", RFC 5246, 525 August 2008. 527 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., 528 Morris, J., Hansen, M., and R. Smith, "Privacy 529 Considerations for Internet Protocols", RFC 6973, 530 July 2013. 532 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext 533 Transfer Protocol (HTTP/1.1): Semantics and Content", 534 RFC 7231, June 2014. 536 Appendix A. Changes from RFC 2617 538 The scheme definition has been rewritten to be consistent with newer 539 specifications such as [RFC7235]. 541 The new authentication parameter "charset" has been added. It is 542 purely advisory, so existing implementations do not need to change, 543 unless they want to take advantage of the additional information 544 which previously wasn't available. 546 Appendix B. Deployment Considerations for the 'charset' Parameter 548 B.1. User Agents 550 User agents not implementing 'charset' will continue to work as 551 before, ignoring the new parameter. 553 User agents which already default to the UTF-8 encoding implement 554 'charset' by definition. 556 Other user agents can keep their default behavior, and switch to 557 UTF-8 when seeing the new parameter. 559 B.2. Servers 561 Servers that do not support non-US-ASCII characters in credentials do 562 not require any changes to support 'charset'. 564 Servers that need to support non-US-ASCII characters, but cannot use 565 the UTF-8 character encoding scheme will not be affected; they will 566 continue to function as well or as badly as before. 568 Finally, servers that need to support non-US-ASCII characters and can 569 use the UTF-8 character encoding scheme can opt in by specifying the 570 charset parameter in the authentication challenge. Clients that do 571 understand the charset parameter will then start to use UTF-8, while 572 other clients will continue to send credentials in their default 573 encoding, broken credentials, or no credentials at all. Until all 574 clients are upgraded to support UTF-8, servers are likely to see both 575 UTF-8 and "legacy" encodings in requests. When processing as UTF-8 576 fails (due to a failure to decode as UTF-8 or a mismatch of user-id/ 577 password), a server might try a fallback to the previously supported 578 legacy encoding in order to accomodate these legacy clients. Note 579 that implicit retries need to be done carefully; for instance, some 580 subsystems might detect repeated login failures and treat them as 581 potential credentials guessing attack. 583 B.3. Why not simply switch the default encoding to UTF-8? 585 There are sites in use today that default to a local character 586 encoding scheme, such as ISO-8859-1 ([ISO-8859-1]), and expect user 587 agents to use that encoding. Authentication on these sites will stop 588 working if the user agent switches to a different encoding, such as 589 UTF-8. 591 Note that sites might even inspect the User-Agent header field 592 ([RFC7231], Section 5.5.3) to decide which character encoding scheme 593 to expect from the client. Therefore they might support UTF-8 for 594 some user agents, but default to something else for others. User 595 agents in the latter group will have to continue to do what they do 596 today until the majority of these servers have been upgraded to 597 always use UTF-8. 599 Appendix C. Change Log (to be removed by RFC Editor before publication) 601 C.1. Since RFC 2617 603 This draft acts as a baseline for tracking subsequent changes to the 604 specification. As such, it extracts the definition of "Basic", plus 605 the related Security Considerations, and also adds the IANA 606 registration of the scheme. Changes to the actual definition will be 607 made in subsequent drafts. 609 C.2. Since draft-ietf-httpauth-basicauth-update-00 611 Fixed Base64 reference to point to an actual definition of Base64. 613 Update HTTPbis and Digest references. 615 Note that this spec, together with HTTPbis P7 and the Digest update, 616 obsoletes RFC 2617. 618 Rewrote text about authentication parameters and their extensibility. 620 Pulled in the definition of the "charset" parameter. 622 Removed a misleading statement about user-ids potentially being case- 623 sensitive, as the same is true for passwords. 625 Added TODOs with respect to path matching, and colons in user-ids. 627 C.3. Since draft-ietf-httpauth-basicauth-update-01 629 Minor improvements on Security Considerations. 631 Update Digest reference. 633 Rewrite scheme definition as algorithm rather than pseudo-ABNF. 635 Add a note about colons in user-id. 637 Attempt to explain authentication scopes. 639 C.4. Since draft-ietf-httpauth-basicauth-update-02 641 Reference draft-ietf-precis-saslprepbis for the set of characters 642 that need to be supported in user-ids and passwords. 644 C.5. Since draft-ietf-httpauth-basicauth-update-03 646 Update reference for draft-ietf-precis-saslprepbis (which renames 647 "Password" to "OpaqueString"). 649 Mention HTTPS as enhancement for securing the transmission of 650 credentials. 652 Update DIGEST reference and change it to informative. 654 Use RFC 20 as reference for ASCII. 656 C.6. Since draft-ietf-httpauth-basicauth-update-04 658 Fixed definition of authentication scope. Updated DIGEST reference. 660 C.7. Since draft-ietf-httpauth-basicauth-update-05 662 Updated DIGEST and PRECIS references. 664 Avoid the term "obfuscated". Say "free-form string" instead of 665 "opaque string" in realm description. 667 Mention AUTHINFO as yet another draft that helps obsoleting RFC 2617. 669 Add a note about the complexity of parsing challenges correctly. 671 C.8. Since draft-ietf-httpauth-basicauth-update-06 673 Clarify IANA action. 675 Remove leftover statement about use of ABNF (which was changed in 676 -02). 678 Security considerations: mention normalization and password storage. 679 Rewrite advice on counterfeiting attacks. 681 Update DIGEST reference. 683 Rewrite text about colons in user-id. 685 Expand deployment guidance. 687 Author's Address 689 Julian F. Reschke 690 greenbytes GmbH 691 Hafenweg 16 692 Muenster, NW 48155 693 Germany 695 EMail: julian.reschke@greenbytes.de 696 URI: http://greenbytes.de/tech/webdav/