On 2015-02-06 07:43, Julian Reschke wrote:
...
There should be an example for "no other authentication parameters are
defined -- unknown parameters MUST be ignored by recipients", otherwise
such extension points are too easily missed by implementers.
<http://greenbytes.de/tech/tc/httpauth/#simplebasicnewparam2> shows that
UAs seem to get at least this correct. I'll think about it.
OK. In my tests I don't see anybody getting *that* wrong, and the new
text already is much clearer than RFC 2617 ever was.
Thus I don't think we need an example here. Also note that the real
challenge (pun intended) is to parse multiple challenges properly; this
is something many UAs *do* get wrong despite the prose in both RFC 2617
and RFC 7235.
Best regards, Julian