Re: [http-auth] Pete Resnick's No Objection on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)

"Roy T. Fielding" <fielding@gbiv.com> Thu, 19 February 2015 23:13 UTC

Return-Path: <fielding@gbiv.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCA751A1A27; Thu, 19 Feb 2015 15:13:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fjmp8kSFZAFe; Thu, 19 Feb 2015 15:13:06 -0800 (PST)
Received: from homiemail-a77.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 96E461A00E2; Thu, 19 Feb 2015 15:13:06 -0800 (PST)
Received: from homiemail-a77.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTP id 767C69405E; Thu, 19 Feb 2015 15:13:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=gbiv.com; h=subject :mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=gbiv.com; bh=De908Y4L1m5lzlz5I6sJ/1n8C6U=; b=zaj6r6QpUW9P3LZkZSWwvIG6d7Pd C8QMvIft5ugJ0+IgqGpF19WP+7n/tFE0jDgWNgOZxlFD3efWNrqH72tXZGdBkCkK qxKaQXuztHK1XcdxL7qSvDHsDp8giL07Ui4AXQUMjfuXxUOASwn3MKT+L2PIh3Z6 tmeLm6DfmIFMsDY=
Received: from [192.168.1.12] (ip68-228-83-124.oc.oc.cox.net [68.228.83.124]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: fielding@gbiv.com) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTPSA id 461BA9405C; Thu, 19 Feb 2015 15:13:06 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: text/plain; charset="iso-8859-1"
From: "Roy T. Fielding" <fielding@gbiv.com>
In-Reply-To: <1spceahm85je6hntfufprl183lam06bjgi@hive.bjoern.hoehrmann.de>
Date: Thu, 19 Feb 2015 15:12:50 -0800
Content-Transfer-Encoding: 7bit
Message-Id: <9FFC8911-ADD5-41F5-BC9E-5E78BAEB53CE@gbiv.com>
References: <20150218214927.31074.15996.idtracker@ietfa.amsl.com> <54E511BF.1070503@gmx.de> <54E51652.4050301@qti.qualcomm.com> <54E51843.1050307@greenbytes.de> <CALaySJJCzgkUNpONxFdv9-ZUD_Qxa_70rt+3g+U60Ctt80CMAg@mail.gmail.com> <54E58D9C.5020207@gmx.de> <CAHbuEH7rf72Dx0QiLgEjPZ7vCDDinEYZE-E9yTvABfSii635Pg@mail.gmail.com> <54E61331.7080807@greenbytes.de> <1goceat2c0sh1sifsuq6rv7u5bbth190vq@hive.bjoern.hoehrmann.de> <54E66703.50207@gmx.de> <1spceahm85je6hntfufprl183lam06bjgi@hive.bjoern.hoehrmann.de>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
X-Mailer: Apple Mail (2.1283)
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/60qaPdoxr9x5SF_CS913cJChLsw>
Cc: Julian Reschke <julian.reschke@gmx.de>, Pete Resnick <presnick@qti.qualcomm.com>, httpauth-chairs@ietf.org, "http-auth@ietf.org Auth" <http-auth@ietf.org>, The IESG <iesg@ietf.org>, Barry Leiba <barryleiba@computer.org>, draft-ietf-httpauth-basicauth-update.all@ietf.org
Subject: Re: [http-auth] Pete Resnick's No Objection on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Feb 2015 23:13:07 -0000

On Feb 19, 2015, at 3:07 PM, Bjoern Hoehrmann wrote:

> * Julian Reschke wrote:
>> On 2015-02-19 23:33, Bjoern Hoehrmann wrote:
>>> The current text is:
>>> 
>>>    Furthermore, a user-id containing a colon character is invalid, as
>>>    recipients will split the user-pass at the first occurrence of a
>>>    colon character.  Note that many user agents however will accept a
>>>    colon in user-id, thereby producing a user-pass string that
>>>    recipients will likely treat in a way not intended by the user.
>>> 
>>> So if the password contains a colon, and the draft requires support for
>>> that, then what? Are recipients REQUIRED to split the string at the 1st
>>> colon? If so, then I think the current text is not adequate. If not,
>>> then it seems wrong to require support for colons in passwords.
>> 
>> I think they are required to split on the first colon; why do you think 
>> the current text is inadequate?
> 
> It should be something like
> 
>  The first colon in a user-pass string separates username and password
>  from one another; text after the first colon is part of the password.
>  Usernames containing colons cannot be encoded in user-pass strings.
>  Note that many user agents produce user-pass strings without checking
>  that usernames supplied by users do not contain colons; recipients
>  will then treat part of the username input as part of the password.
> 
> This would actually define the correct interpretation of the first colon
> rather than hinting at what recipients will do, avoid the "will likely"
> speculation, and makes it more clear that colons in usernames are not an
> option offered by the protocol that then needs to be restricted by a
> MUST NOT for interoperability reasons, as far as I am concerned. It is
> also more clear that "user agents accept colons" is an UI issue; with
> the text in the draft `user-id` is used for both "string entered into
> username form field" and "value in Authorization header" which can be
> quite different due to colons.

+1  (FYI, Apache httpd does exactly that.)

....Roy