idnits 2.17.1 draft-ietf-httpauth-basicauth-update-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC2617, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (October 27, 2014) is 3469 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-19) exists of draft-ietf-httpauth-digest-08 ** Obsolete normative reference: RFC 7235 (Obsoleted by RFC 9110) -- Possible downref: Non-RFC (?) normative reference: ref. 'USASCII' -- Obsolete informational reference (is this intentional?): RFC 2617 (Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617) -- Obsolete informational reference (is this intentional?): RFC 2831 (Obsoleted by RFC 6331) -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) -- Obsolete informational reference (is this intentional?): RFC 7231 (Obsoleted by RFC 9110) Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTPAuth Working Group J. Reschke 3 Internet-Draft greenbytes 4 Obsoletes: 2617 (if approved) October 27, 2014 5 Intended status: Standards Track 6 Expires: April 30, 2015 8 The 'Basic' HTTP Authentication Scheme 9 draft-ietf-httpauth-basicauth-update-02 11 Abstract 13 This document defines the "Basic" Hypertext Transfer Protocol (HTTP) 14 Authentication Scheme, which transmits credentials as userid/password 15 pairs, obfuscated by the use of Base64 encoding. 17 Editorial Note (To be removed by RFC Editor before publication) 19 Discussion of this draft takes place on the HTTPAuth working group 20 mailing list (http-auth@ietf.org), which is archived at . 23 XML versions, latest edits and the issues list for this document are 24 available from . 27 The changes in this draft are summarized in Appendix C.2. 29 Status of This Memo 31 This Internet-Draft is submitted in full conformance with the 32 provisions of BCP 78 and BCP 79. 34 Internet-Drafts are working documents of the Internet Engineering 35 Task Force (IETF). Note that other groups may also distribute 36 working documents as Internet-Drafts. The list of current Internet- 37 Drafts is at http://datatracker.ietf.org/drafts/current/. 39 Internet-Drafts are draft documents valid for a maximum of six months 40 and may be updated, replaced, or obsoleted by other documents at any 41 time. It is inappropriate to use Internet-Drafts as reference 42 material or to cite them other than as "work in progress." 44 This Internet-Draft will expire on April 30, 2015. 46 Copyright Notice 48 Copyright (c) 2014 IETF Trust and the persons identified as the 49 document authors. All rights reserved. 51 This document is subject to BCP 78 and the IETF Trust's Legal 52 Provisions Relating to IETF Documents 53 (http://trustee.ietf.org/license-info) in effect on the date of 54 publication of this document. Please review these documents 55 carefully, as they describe your rights and restrictions with respect 56 to this document. Code Components extracted from this document must 57 include Simplified BSD License text as described in Section 4.e of 58 the Trust Legal Provisions and are provided without warranty as 59 described in the Simplified BSD License. 61 This document may contain material from IETF Documents or IETF 62 Contributions published or made publicly available before November 63 10, 2008. The person(s) controlling the copyright in some of this 64 material may not have granted the IETF Trust the right to allow 65 modifications of such material outside the IETF Standards Process. 66 Without obtaining an adequate license from the person(s) controlling 67 the copyright in such materials, this document may not be modified 68 outside the IETF Standards Process, and derivative works of it may 69 not be created outside the IETF Standards Process, except to format 70 it for publication as an RFC or to translate it into languages other 71 than English. 73 Table of Contents 75 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 76 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4 77 1.1.1. Syntax Notation . . . . . . . . . . . . . . . . . . . 4 78 2. The 'Basic' Authentication Scheme . . . . . . . . . . . . . . 4 79 2.1. The 'charset' auth-param . . . . . . . . . . . . . . . . . 6 80 2.2. Re-using Credentials . . . . . . . . . . . . . . . . . . . 7 81 3. Internationalization Considerations . . . . . . . . . . . . . 8 82 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 83 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 84 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 85 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 86 7.1. Normative References . . . . . . . . . . . . . . . . . . . 10 87 7.2. Informative References . . . . . . . . . . . . . . . . . . 11 88 Appendix A. Changes from RFC 2617 . . . . . . . . . . . . . . . . 12 89 Appendix B. Deployment Considerations for the 'charset' 90 Parameter . . . . . . . . . . . . . . . . . . . . . . 12 91 B.1. User Agents . . . . . . . . . . . . . . . . . . . . . . . 12 92 B.2. Origin Servers . . . . . . . . . . . . . . . . . . . . . . 12 93 B.3. Why not simply switch the default encoding to UTF-8? . . . 13 94 Appendix C. Change Log (to be removed by RFC Editor before 95 publication) . . . . . . . . . . . . . . . . . . . . 13 96 C.1. Since RFC 2617 . . . . . . . . . . . . . . . . . . . . . . 13 97 C.2. Since draft-ietf-httpauth-basicauth-update-00 . . . . . . 13 98 C.3. Since draft-ietf-httpauth-basicauth-update-01 . . . . . . 13 100 1. Introduction 102 This document defines the "Basic" Hypertext Transfer Protocol (HTTP) 103 Authentication Scheme ([RFC7235]), which transmits credentials as 104 userid/password pairs, obfuscated by the use of Base64 encoding. 106 This scheme is not considered to be a secure method of user 107 authentication unless used in conjunction with some external secure 108 system such as TLS (Transport Layer Security, [RFC5246]), as the user 109 name and password are passed over the network as cleartext. 111 The "Basic" scheme previously was defined in Section 2 of [RFC2617]. 112 This document updates the definition, and also addresses 113 internationalization issues by introducing the "charset" 114 authentication parameter (Section 2.1). 116 Other documents updating RFC 2617 are "Hypertext Transfer Protocol 117 (HTTP/1.1): Authentication" ([RFC7235], defining the authentication 118 framework) and "HTTP Digest Access Authentication" ([DIGEST], 119 updating the definition of the '"Digest" authentication scheme). 120 Taken together, these three documents obsolete RFC 2617. 122 1.1. Notational Conventions 124 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 125 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 126 document are to be interpreted as described in [RFC2119]. 128 1.1.1. Syntax Notation 130 This specification uses the Augmented Backus-Naur Form (ABNF) 131 notation of [RFC5234]. 133 The terms protection space and realm are defined in Section 2.2 of 134 [RFC7235]. 136 The terms (character) repertoire and character encoding scheme are 137 defined in Section 2 of [RFC6365]. 139 2. The 'Basic' Authentication Scheme 141 The "Basic" authentication scheme is based on the model that the 142 client needs to authenticate itself with a user-ID and a password for 143 each protection space ("realm"). The realm value is an opaque string 144 which can only be compared for equality with other realms on that 145 server. The server will service the request only if it can validate 146 the user-ID and password for the protection space applying to the 147 requested resource. 149 The "Basic" authentication scheme utilizes the Authentication 150 Framework as follows: 152 In challenges: 154 o the scheme name is "Basic" 156 o the authentication parameter "realm" is REQUIRED ([RFC7235], 157 Section 2.2) 159 o the authentication parameter "charset" is OPTIONAL (see 160 Section 2.1) 162 o no other authentication parameters are defined -- unknown 163 parameters MUST be ignored by recipients, and new parameters can 164 only be defined by revising this specification 166 Note that both scheme and parameter names are matched case- 167 insensitively. 169 For credentials, the "token-68" syntax defined in Section 2.2 of 170 [RFC7235] is used. The value is computed based on user-id and 171 password as defined below. 173 Upon receipt of a request for a URI within the protection space that 174 lacks credentials, the server can reply with a challenge using the 175 401 (Unauthorized) status code ([RFC7235], Section 3.1) and the WWW- 176 Authenticate header field ([RFC7235], Section 4.1). 178 For instance: 180 HTTP/1.1 401 Unauthorized 181 Date: Mon, 04 Feb 2014 16:50:53 GMT 182 WWW-Authenticate: Basic realm="WallyWorld" 184 ...where "WallyWorld" is the string assigned by the server to 185 identify the protection space. 187 A proxy can respond with a similar challenge using the 407 (Proxy 188 Authentication Required) status code ([RFC7235], Section 3.2) and the 189 Proxy-Authenticate header field ([RFC7235], Section 4.3). 191 To receive authorization, the client 193 1. obtains userid and password from the user, 194 2. constructs the user-pass by concatenating userid, a single colon 195 (":") character, and the password, 197 3. encodes the user-pass into an octet sequence (see below for a 198 discussion of character encoding schemes), 200 4. and obtains the basic-credentials by encoding this octet sequence 201 using base64 ([RFC4648], Section 4) into a sequence of US-ASCII 202 characters ([USASCII]). 204 The original definition of this authentication scheme failed to 205 specify the character encoding scheme used to convert the user-pass 206 into an octet sequence. In practice, most implementations chose 207 either a local-specific encoding such as ISO-8859-1 ([ISO-8859-1]), 208 or UTF-8 ([RFC3629]). For backwards compatibility reasons, this 209 specification continues to leave the default encoding undefined, as 210 long as it is compatible to US-ASCII (mapping any US-ASCII character 211 to a single octet matching the US-ASCII character code). 213 Userid and password MUST NOT contain any control characters (see 214 "CTL" in Appendix B.1 of [RFC5234]). 216 Furthermore, a userid containing a colon character is invalid, as 217 recipients will split the user-pass at the first occurence of a colon 218 character. Note that many user agents however will accept a colon in 219 userid, thereby producing a user-pass string that recipients will 220 likely treat in a way not intended by the user. 222 If the user agent wishes to send the userid "Aladdin" and password 223 "open sesame", it would use the following header field: 225 Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== 227 2.1. The 'charset' auth-param 229 In challenges, servers can use the "charset" authentication parameter 230 to indicate the character encoding scheme they expect the user agent 231 to use when generating "user-pass" (a sequence of octets). This 232 information is purely advisory. 234 The only allowed value is "UTF-8", to be matched case-insensitively 235 (see [RFC2978], Section 2.3). It indicates that the server expects 236 character data to be converted to Unicode Normalization Form C 237 ("NFC", see Section 3 of [RFC5198]) and to be encoded into octets 238 using the UTF-8 character encoding scheme ([RFC3629]). 240 Other values are reserved for future use. 242 Note: The 'charset' is only defined on challenges, as "Basic" uses 243 a single token for credentials ('token68' syntax), thus the 244 credentials syntax isn't extensible. 246 Note: The name 'charset' has been chosen for consistency with 247 Section 2.1.1 of [RFC2831]. A better name would have been 248 'accept-charset', as it is not about the message it appears in, 249 but the server's expectation. 251 In the example below, the server prompts for authentication in the 252 "foo" realm, using Basic authentication, with a preference for the 253 UTF-8 character encoding scheme: 255 WWW-Authenticate: Basic realm="foo", charset="UTF-8" 257 Note that the parameter value can be either a token or a quoted 258 string; in this case the server chose to use the quoted-string 259 notation. 261 The user's name is "test", and the password is the string "123" 262 followed by the Unicode character U+00A3 (POUND SIGN). Using the 263 character encoding scheme UTF-8, the user-pass becomes: 265 't' 'e' 's' 't' ':' '1' '2' '3' pound 266 74 65 73 74 3A 31 32 33 C2 A3 268 Encoding this octet sequence in Base64 ([RFC4648], Section 4) yields: 270 dGVzdDoxMjPCow== 272 Thus the Authorization header field would be: 274 Authorization: Basic dGVzdDoxMjPCow== 276 Or, for proxy authentication: 278 Proxy-Authorization: Basic dGVzdDoxMjPCow== 280 2.2. Re-using Credentials 282 Given the absolute URI ([RFC3986], Section 4.3) of an authenticated 283 request, the authentication scope of that request is obtained by 284 removing all characters after the last slash ("/") character. A 285 client SHOULD assume that resources identified by URIs with a prefix- 286 match of the authentication scope are also within the protection 287 space specified by the realm value of the that authenticated request. 289 A client MAY preemptively send the corresponding Authorization header 290 field with requests for resources in that space without receipt of 291 another challenge from the server. Similarly, when a client sends a 292 request to a proxy, it may reuse a userid and password in the Proxy- 293 Authorization header field without receiving another challenge from 294 the proxy server. 296 For example, given an authenticated request to: 298 http://example.com/docs/index.html 300 ...requests to the URIs below could use the known credentials: 302 http://example.com/docs/ 303 http://example.com/docs/test.doc 304 http://example.com/docs/?page=1 306 ...while the URIs 308 http://example.com/other/ 309 https://example.com/docs/ 311 would be considered to be outside the authentication scope. 313 Note that a URI can be part of multiple authentication scopes (such 314 as "http://example.com/" and "http://example.com/docs/"). This 315 specification does not define which of these should be treated with 316 higher priority. 318 3. Internationalization Considerations 320 User names or passwords containing characters outside the US-ASCII 321 character repertoire will cause interoperability issues, unless both 322 communication partners agree on what character encoding scheme is to 323 be used. Senders can use the new 'charset' parameter (Section 2.1) 324 to indicate a preference of "UTF-8", increasing the probability that 325 clients will switch to that encoding. 327 The "realm" parameter carries data that can be considered textual, 328 however [RFC7235] does not define a way to reliably transport non-US- 329 ASCII characters. This is a known issue that would need to be 330 addressed in that specification. 332 4. Security Considerations 334 The Basic authentication scheme is not a secure method of user 335 authentication, nor does it in any way protect the entity, which is 336 transmitted in cleartext across the physical network used as the 337 carrier. HTTP does not prevent the addition of enhancements (such as 338 schemes to use one-time passwords) to Basic authentication. 340 The most serious flaw in Basic authentication is that it results in 341 the essentially cleartext transmission of the user's password over 342 the physical network. Many other authentication schemes address this 343 problem. 345 Because Basic authentication involves the cleartext transmission of 346 passwords it SHOULD NOT be used (without enhancements) to protect 347 sensitive or valuable information. 349 A common use of Basic authentication is for identification purposes 350 -- requiring the user to provide a user name and password as a means 351 of identification, for example, for purposes of gathering accurate 352 usage statistics on a server. When used in this way it is tempting 353 to think that there is no danger in its use if illicit access to the 354 protected documents is not a major concern. This is only correct if 355 the server issues both user name and password to the users and in 356 particular does not allow the user to choose his or her own password. 357 The danger arises because naive users frequently reuse a single 358 password to avoid the task of maintaining multiple passwords. 360 If a server permits users to select their own passwords, then the 361 threat is not only unauthorized access to documents on the server but 362 also unauthorized access to any other resources on other systems that 363 the user protects with the same password. Furthermore, in the 364 server's password database, many of the passwords may also be users' 365 passwords for other sites. The owner or administrator of such a 366 system could therefore expose all users of the system to the risk of 367 unauthorized access to all those sites if this information is not 368 maintained in a secure fashion. This raises both security and 369 privacy concerns ([RFC6973]). If the same username and password 370 combination is in use to access other accounts, such as an email or 371 health portal account, personal information could be exposed. 373 Basic Authentication is also vulnerable to spoofing by counterfeit 374 servers. If a user can be led to believe that he is connecting to a 375 host containing information protected by Basic authentication when, 376 in fact, he is connecting to a hostile server or gateway, then the 377 attacker can request a password, store it for later use, and feign an 378 error. This type of attack is not possible with Digest 379 Authentication. Server implementers SHOULD guard against the 380 possibility of this sort of counterfeiting by gateways or CGI 381 scripts. In particular it is very dangerous for a server to simply 382 turn over a connection to a gateway. That gateway can then use the 383 persistent connection mechanism to engage in multiple transactions 384 with the client while impersonating the original server in a way that 385 is not detectable by the client. 387 The use of the UTF-8 character encoding scheme introduces additional 388 security considerations; see Section 10 of [RFC3629] for more 389 information. 391 5. IANA Considerations 393 IANA maintains the registry of HTTP Authentication Schemes 394 ([RFC7235]) at . 396 The entry for the "Basic" Authentication Scheme shall be updated with 397 a pointer to this specification. 399 6. Acknowledgements 401 This specification takes over the definition of the "Basic" HTTP 402 Authentication Scheme, previously defined in RFC 2617. We thank John 403 Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D. 404 Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for 405 their work on that specification, from which significant amounts of 406 text were borrowed. See Section 6 of [RFC2617] for further 407 acknowledgements. 409 The internationalization problem with respect to the character 410 encoding scheme used for user-pass has been reported as a Mozilla bug 411 back in the year 2000 (see 412 and also the 413 more recent ). 414 It was Andrew Clover's idea to address it using a new auth-param. 416 We also thank the members of the HTTPAuth Working Group, namely 417 Stephen Farrell, Bjoern Hoehrmann, Amos Jeffries, James Manger, 418 Kathleen Moriarty, Yaron Sheffer, Michael Sweet, and Martin Thomson 419 for feedback on this revision. 421 7. References 423 7.1. Normative References 425 [DIGEST] Shekh-Yusef, R., Ed., Ahrens, D., and S. Bremer, "HTTP 426 Digest Access Authentication", 427 draft-ietf-httpauth-digest-08 (work in progress), 428 August 2014. 430 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 431 Requirement Levels", BCP 14, RFC 2119, March 1997. 433 [RFC2978] Freed, N. and J. Postel, "IANA Charset Registration 434 Procedures", BCP 19, RFC 2978, October 2000. 436 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 437 10646", STD 63, RFC 3629, November 2003. 439 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, 440 "Uniform Resource Identifier (URI): Generic Syntax", 441 STD 66, RFC 3986, January 2005. 443 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 444 Encodings", RFC 4648, October 2006. 446 [RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for 447 Network Interchange", RFC 5198, March 2008. 449 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for 450 Syntax Specifications: ABNF", STD 68, RFC 5234, 451 January 2008. 453 [RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in 454 Internationalization in the IETF", BCP 166, RFC 6365, 455 September 2011. 457 [RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext 458 Transfer Protocol (HTTP/1.1): Authentication", 459 RFC 7235, June 2014. 461 [USASCII] American National Standards Institute, "Coded Character 462 Set -- 7-bit American Standard Code for Information 463 Interchange", ANSI X3.4, 1986. 465 7.2. Informative References 467 [ISO-8859-1] International Organization for Standardization, 468 "Information technology -- 8-bit single-byte coded 469 graphic character sets -- Part 1: Latin alphabet No. 470 1", ISO/IEC 8859-1:1998, 1998. 472 [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, 473 S., Leach, P., Luotonen, A., and L. Stewart, "HTTP 474 Authentication: Basic and Digest Access 475 Authentication", RFC 2617, June 1999. 477 [RFC2831] Leach, P. and C. Newman, "Using Digest Authentication 478 as a SASL Mechanism", RFC 2831, May 2000. 480 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer 481 Security (TLS) Protocol Version 1.2", RFC 5246, 482 August 2008. 484 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., 485 Morris, J., Hansen, M., and R. Smith, "Privacy 486 Considerations for Internet Protocols", RFC 6973, 487 July 2013. 489 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext 490 Transfer Protocol (HTTP/1.1): Semantics and Content", 491 RFC 7231, June 2014. 493 Appendix A. Changes from RFC 2617 495 The scheme definition has been rewritten to be consistent with newer 496 specifications such as [RFC7235]. 498 The new authentication parameter "charset" has been added. It is 499 purely advisory, so existing implementations do not need to change, 500 unless they want to take advantage of the additional information 501 which previously wasn't available. 503 Appendix B. Deployment Considerations for the 'charset' Parameter 505 B.1. User Agents 507 User agents not implementing 'charset' will continue to work as 508 before, ignoring the new parameter. 510 User agents which already default to the UTF-8 encoding implement 511 'charset' by definition. 513 Other user agents can keep their default behavior, and switch to 514 UTF-8 when seeing the new parameter. 516 B.2. Origin Servers 518 Origin servers that do not support non-US-ASCII characters in 519 credentials do not require any changes to support 'charset'. 521 Origin servers that need to support non-US-ASCII characters, but 522 cannot use the UTF-8 character encoding scheme will not be affected; 523 they will continue to function as well or as badly as before. 525 Finally, origin servers that need to support non-US-ASCII characters 526 and can use the UTF-8 character encoding scheme can opt in as 527 described above. In the worst case, they'll continue to see either 528 broken credentials or no credentials at all (depending on how legacy 529 clients handle characters they can not encode). 531 B.3. Why not simply switch the default encoding to UTF-8? 533 There are sites in use today that default to a local character 534 encoding scheme, such as ISO-8859-1 ([ISO-8859-1]), and expect user 535 agents to use that encoding. Authentication on these sites will stop 536 to work if the user agent switches to a different encoding, such as 537 UTF-8. 539 Note that sites might even inspect the User-Agent header field 540 ([RFC7231], Section 5.5.3) to decide what character encoding scheme 541 to expect from the client. Therefore they might support UTF-8 for 542 some user agents, but default to something else for others. User 543 agents in the latter group will have to continue to do what they do 544 today until the majority of these servers have been upgraded to 545 always use UTF-8. 547 Appendix C. Change Log (to be removed by RFC Editor before publication) 549 C.1. Since RFC 2617 551 This draft acts as a baseline for tracking subsequent changes to the 552 specification. As such, it extracts the definition of "Basic", plus 553 the related Security Considerations, and also adds the IANA 554 registration of the scheme. Changes to the actual definition will be 555 made in subsequent drafts. 557 C.2. Since draft-ietf-httpauth-basicauth-update-00 559 Fixed Base64 reference to point to an actual definition of Base64. 561 Update HTTPbis and Digest references. 563 Note that this spec, together with HTTPbis P7 and the Digest update, 564 obsoletes RFC 2617. 566 Rewrote text about authentication parameters and their extensibility. 568 Pulled in the definition of the "charset" parameter. 570 Removed a misleading statement about userids potentially being case- 571 sensitive, as the same is true for passwords. 573 Added TODOs with respect to path matching, and colons in userids. 575 C.3. Since draft-ietf-httpauth-basicauth-update-01 577 Minor improvements on Security Considerations. 579 Update Digest reference. 581 Rewrite scheme definition as algorithm rather than pseudo-ABNF. 583 Add a note about colons in userid. 585 Attempt to explain authentication scopes. 587 Author's Address 589 Julian F. Reschke 590 greenbytes GmbH 591 Hafenweg 16 592 Muenster, NW 48155 593 Germany 595 EMail: julian.reschke@greenbytes.de 596 URI: http://greenbytes.de/tech/webdav/