Re: [http-auth] Pete Resnick's No Objection on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)
Barry Leiba <barryleiba@computer.org> Wed, 18 February 2015 23:43 UTC
Return-Path: <barryleiba@gmail.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC5CB1A1AF4; Wed, 18 Feb 2015 15:43:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3wTIqWa4mGDX; Wed, 18 Feb 2015 15:43:04 -0800 (PST)
Received: from mail-la0-f53.google.com (mail-la0-f53.google.com [209.85.215.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 729D51A0167; Wed, 18 Feb 2015 15:43:00 -0800 (PST)
Received: by lams18 with SMTP id s18so4567557lam.11; Wed, 18 Feb 2015 15:42:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=ydHVUs8iYXW3lkJXqDo5r8PZ776K18x22zqOCK3fGoc=; b=BmZSIifFOHXSzcCaOy3mP2xAI3FkTpGNakCGYvx/1CQ+yx9wCcEGicWJoooIBCuEai 3u8X0QmdvgaHBSfsu5d2HrOCQSUgaZVhUB6NuU1A0jUpPevbzjbImyb3L0NcVJ7KU0Qk eBeLMP6Eycdk0bXVkkiIH+2x0kv616wdS984I1745Mcs2HFibIxon4tebUhrf2EroDAW JTkVWtrItFKcjBzN8ApR6hAWyGsL9J6kFjeFYXunbM/r18/At1FJKvUEioiajfS5uGZi NvTOUQ6rE71E48Kh/b6T4U9CsfioH/2vA0Qy6FFdNDTUqLVHDUVhje/nPO8v4pK4+FRE ncXQ==
MIME-Version: 1.0
X-Received: by 10.112.167.231 with SMTP id zr7mr1448217lbb.123.1424302979038; Wed, 18 Feb 2015 15:42:59 -0800 (PST)
Sender: barryleiba@gmail.com
Received: by 10.152.127.165 with HTTP; Wed, 18 Feb 2015 15:42:58 -0800 (PST)
In-Reply-To: <54E51843.1050307@greenbytes.de>
References: <20150218214927.31074.15996.idtracker@ietfa.amsl.com> <54E511BF.1070503@gmx.de> <54E51652.4050301@qti.qualcomm.com> <54E51843.1050307@greenbytes.de>
Date: Wed, 18 Feb 2015 15:42:58 -0800
X-Google-Sender-Auth: kmJ1LCbrn5KgLAd4vnyAE3zU_SQ
Message-ID: <CALaySJJCzgkUNpONxFdv9-ZUD_Qxa_70rt+3g+U60Ctt80CMAg@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Julian Reschke <julian.reschke@greenbytes.de>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/4L8Hgd6ySIQmeM5B1UZUPZhxe80>
Cc: Julian Reschke <julian.reschke@gmx.de>, Pete Resnick <presnick@qti.qualcomm.com>, httpauth-chairs@ietf.org, "http-auth@ietf.org" <http-auth@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-httpauth-basicauth-update.all@ietf.org
Subject: Re: [http-auth] Pete Resnick's No Objection on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2015 23:43:05 -0000
>> "MUST NOT" does not mean the Internet Police will come to take you away. >> "MUST NOT" means "this won't work". > > Ahem, no, that's not what "MUST NOT" means. It is, modulo rhetoric. It's an interoperability requirement. "You MUST NOT do <x>," means that if you do <x>, you will not interoperate -- something will break. It seems to me that that's exactly the case here: If my username is "b:leiba", and a client sends "b:leiba:plugh", many servers will think the username is "b" and the password is "leiba:plugh". That means that allowing ":" in the username breaks interoperability. Whether or not it works sometimes, and whether or not implementations currently *do* this are irrelevant. The point is that the right definition of the protocol is that you "MUST NOT have a colon character in the username." Barry
- [http-auth] Pete Resnick's No Objection on draft-… Pete Resnick
- Re: [http-auth] Pete Resnick's No Objection on dr… Julian Reschke
- Re: [http-auth] Pete Resnick's No Objection on dr… Bjoern Hoehrmann
- Re: [http-auth] Pete Resnick's No Objection on dr… Pete Resnick
- Re: [http-auth] Pete Resnick's No Objection on dr… Julian Reschke
- Re: [http-auth] Pete Resnick's No Objection on dr… Barry Leiba
- Re: [http-auth] Pete Resnick's No Objection on dr… Bjoern Hoehrmann
- Re: [http-auth] Pete Resnick's No Objection on dr… Barry Leiba
- Re: [http-auth] Pete Resnick's No Objection on dr… Julian Reschke
- Re: [http-auth] Pete Resnick's No Objection on dr… Kathleen Moriarty
- Re: [http-auth] Pete Resnick's No Objection on dr… Julian Reschke
- Re: [http-auth] Pete Resnick's No Objection on dr… Barry Leiba
- Re: [http-auth] Pete Resnick's No Objection on dr… Bjoern Hoehrmann
- Re: [http-auth] Pete Resnick's No Objection on dr… Julian Reschke
- Re: [http-auth] Pete Resnick's No Objection on dr… Bjoern Hoehrmann
- Re: [http-auth] Pete Resnick's No Objection on dr… Roy T. Fielding
- Re: [http-auth] Pete Resnick's No Objection on dr… Martin J. Dürst
- Re: [http-auth] Pete Resnick's No Objection on dr… Julian Reschke
- Re: [http-auth] Pete Resnick's No Objection on dr… Barry Leiba
- Re: [http-auth] Pete Resnick's No Objection on dr… Kathleen Moriarty
- Re: [http-auth] Pete Resnick's No Objection on dr… Pete Resnick
- Re: [http-auth] Pete Resnick's No Objection on dr… Kathleen Moriarty
- Re: [http-auth] Pete Resnick's No Objection on dr… Barry Leiba
- Re: [http-auth] Pete Resnick's No Objection on dr… Kathleen Moriarty