IETF Logo Mail Archive

Re: [http-auth] Pete Resnick's No Objection on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)

Barry Leiba <barryleiba@computer.org> Thu, 19 February 2015 17:55 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40E5B1A1B84; Thu, 19 Feb 2015 09:55:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DLep8UIOgNuO; Thu, 19 Feb 2015 09:55:40 -0800 (PST)
Received: from mail-lb0-x230.google.com (mail-lb0-x230.google.com [IPv6:2a00:1450:4010:c04::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 072C31A1B19; Thu, 19 Feb 2015 09:55:39 -0800 (PST)
Received: by lbiw7 with SMTP id w7so1373729lbi.9; Thu, 19 Feb 2015 09:55:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=A1zkB+sg8pyane2neWKgtu5b28MPJEQxq1TFEEr7I8Q=; b=IhUNexKgPWFTFOd/Qb7YHXkUt3wcMN9Jb+XEgi6/MFMle9+a1BA1BEmX71weAlfLiE zT09uWDBa2kHERWXeQR7CtHBgFeSdsqqyqhhUWuX8IHN+VvuxzY0smspbXuS4Da26kMT 51dFiy/q0Zi+rNlRliJVlOLV5y/0J2pdm1F9S4mo4MgKYKDBBLK335mY9Qt/0GiMbEBH bSRevcUV64ZVDqO8sGWRQdjJ6fThttIQfGZXh06fukJqsIBI3UvieKeowxtkySGGZfo0 T03/cbQYH7MGMwki4IxoLlj4JYGRlUb5Esn5n/WIO+vJarrPdH6yRlHAa8M2Gxp+xNhD wrlQ==
MIME-Version: 1.0
X-Received: by 10.112.167.231 with SMTP id zr7mr4941824lbb.123.1424368537372; Thu, 19 Feb 2015 09:55:37 -0800 (PST)
Sender: barryleiba@gmail.com
Received: by 10.152.127.165 with HTTP; Thu, 19 Feb 2015 09:55:37 -0800 (PST)
In-Reply-To: <54E61331.7080807@greenbytes.de>
References: <20150218214927.31074.15996.idtracker@ietfa.amsl.com> <54E511BF.1070503@gmx.de> <54E51652.4050301@qti.qualcomm.com> <54E51843.1050307@greenbytes.de> <CALaySJJCzgkUNpONxFdv9-ZUD_Qxa_70rt+3g+U60Ctt80CMAg@mail.gmail.com> <54E58D9C.5020207@gmx.de> <CAHbuEH7rf72Dx0QiLgEjPZ7vCDDinEYZE-E9yTvABfSii635Pg@mail.gmail.com> <54E61331.7080807@greenbytes.de>
Date: Thu, 19 Feb 2015 09:55:37 -0800
X-Google-Sender-Auth: rT3Sq7m-z8eDvcS-bcs2bLRj0Ko
Message-ID: <CALaySJ+SApT1dZE31mK+asAAwJqNVDPL97a6Nwn8gz0OeZhJ+w@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Julian Reschke <julian.reschke@greenbytes.de>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/6D5z0Z1P0GNVxEFGd943LZ55hZg>
Cc: Julian Reschke <julian.reschke@gmx.de>, Pete Resnick <presnick@qti.qualcomm.com>, httpauth-chairs@ietf.org, "http-auth@ietf.org" <http-auth@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-httpauth-basicauth-update.all@ietf.org
Subject: Re: [http-auth] Pete Resnick's No Objection on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Feb 2015 17:55:42 -0000

A final note form me on this, and then I'm done with the discussion:

> The problem here is the "long tail". We simply have no information about
> whether these IDs exist in practice. The fact that all UAs I checked indeed
> accept them at least *hints* that they might be used somewhere. Or none of
> the implementers ever thought about rejecting them.

I don't think this matters (but see below).  From the point of view of
protocol definition, it doesn't matter what's done; it matters what
works.  If userids with colons don't work when you send them on the
wire (because servers don't interpret the userid/password field as
intended), then the protocol definition should ban them, even if user
agents are, in fact sending them on the wire and will continue to.

But...

> The discussion that we're having is whether "MUST NOT use colons" is better
> or worse than "colons are invalid". I don't believe it makes a difference.

I have to admit that I don't either, and that's why I'm done with this
discussion.  I don't think that changing "X is invalid" to "MUST NOT
X" is important enough that it's worth further discussion, and I'm
happy to have that left as it is.  We might consider slightly altering
the text to make it clear that what we say is being done in practice
often does not work and is not interoperable (rather than the sort of
vague "will likely treat in a way not intended" text that's there
now).  Meh.  I'll leave that up to Julian and Pete to discuss.

Julian, thanks for the discussion.

Barry

v2.23.0 | Report a Bug | By Email