Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication

My understanding is that Basic is essentially considered insecure.  I'd be 
surprised if modern browsers support it because it opens the way to a 
man-in-the-middle downgrade attack.  Hence I guess it's remained undefined 
for so long because even if it was fixed, nobody should use it.  I would be 
surprised if the draft mentioned below got anywhere in the IETF.

HTH,

Pete Cordell
Codalogic Ltd
Interface XML to C++ the easy way using C++ XML
data binding to convert XSD schemas to C++ classes.
Visit http://codalogic.com/lmx/ or http://www.xml2cpp.com
for more info
----- Original Message ----- 
From: "David Lee" <dlee@calldei.com>
To: <xml-dev@lists.xml.org>
Sent: Sunday, January 29, 2012 7:53 PM
Subject: [xml-dev] RE: Encoding charset of HTTP Basic Authentication


> More study and I lucked on a spec
>
> http://tools.ietf.org/id/draft-reschke-basicauth-enc-00.html
>
> Seems a known and open problem (how long has this been in the wild? How did
> it ever work?)
>
> So follow-on question ...
>
> Does anyone know if this spec or anything like it has been adopted?
>
> Or do we just all assume the world is "USASCII" as usual?
>
> ----------------------------------------
> David A. Lee
> dlee@calldei.com
> http://www.xmlsh.org
>
> From: David Lee [mailto:dlee@calldei.com]
> Sent: Sunday, January 29, 2012 2:43 PM
> To: xml-dev@lists.xml.org
> Subject: Encoding charset of HTTP Basic Authentication
>
> I know this is not an "xml" question but maybe someone on this list knows or
> can point me in the right direction?
>
> Is there a defined character set for the strings used in user/password in
> HTTP Basic Authentication?
> I can't find any reference in the W3C specs
>
> http://www.w3.org/Protocols/HTTP/1.0/spec.html#BasicAA
>
> It says it's "Base64" encoded but that only makes sense on a byte array not a
> string.
>
> So what encoding/charset is the string assumed to be?
> I found some Apache software that lets you specify this ... but is there any
> 'standard'?
>
> Example: if someone uses a password like "飯田西"
>
> What charset should be used to pass that to the base64 encoding?
>
> ----------------------------------------
> David A. Lee
> dlee@calldei.com
> http://www.xmlsh.org
>
> 
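
The ambiguity raised in the original question, shown as an added example that is not part of either post: the same user/password pair produces a different `Authorization` value for each charset the client picks, and a server that guesses wrong compares against mojibake. The user name `dlee`, the function names and the "strict UTF-8 first, then ISO-8859-1" fallback policy are assumptions of this example, not something the thread or a cited spec prescribes.

```python
import base64
import binascii

def basic_header(user, password, charset):
    """Client side: build the Authorization value using the given charset."""
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic(header, charsets=("utf-8", "iso-8859-1")):
    """Server side: return (user, password, charset_used), or None if malformed.

    Assumed policy: try each charset strictly, in order. ISO-8859-1 accepts
    any byte sequence, so it must come last or it hides every mismatch.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    for cs in charsets:
        try:
            text = raw.decode(cs)  # strict: raises on invalid byte sequences
        except UnicodeDecodeError:
            continue
        # Split on the first colon only: the password may itself contain ':'
        user, sep, password = text.partition(":")
        if not sep:
            return None
        return user, password, cs
    return None

# Constructed sample credentials; the password is the one from the question.
USER, PASSWORD = "dlee", "飯田西"
HEADERS = {cs: basic_header(USER, PASSWORD, cs)
           for cs in ("utf-8", "shift_jis", "euc_jp")}

if __name__ == "__main__":
    for cs, header in HEADERS.items():
        # Only the UTF-8 client round-trips; the others decode to garbage.
        print(f"{cs:10} {header}  ->  {parse_basic(header)!r}")
```

Logging the charset that `parse_basic` ends up using makes it easy to see which clients still send non-UTF-8 credentials before tightening the policy.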


