[http-auth] Fwd: [precis] usernames in PRECIS and http-auth
Peter Saint-Andre <stpeter@stpeter.im> Sat, 08 March 2014 14:50 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C4941A0268 for <http-auth@ietfa.amsl.com>; Sat, 8 Mar 2014 06:50:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.849
X-Spam-Level:
X-Spam-Status: No, score=-1.849 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_37=0.6, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B7bctF26j8-2 for <http-auth@ietfa.amsl.com>; Sat, 8 Mar 2014 06:50:11 -0800 (PST)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 846C31A0267 for <http-auth@ietf.org>; Sat, 8 Mar 2014 06:50:11 -0800 (PST)
Received: from aither.local (unknown [24.8.184.175]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 0272A4045D; Sat, 8 Mar 2014 07:50:06 -0700 (MST)
Message-ID: <531B2E1E.8000207@stpeter.im>
Date: Sat, 08 Mar 2014 07:50:06 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: "http-auth@ietf.org" <http-auth@ietf.org>
References: <531A09C7.7070904@stpeter.im>
In-Reply-To: <531A09C7.7070904@stpeter.im>
X-Forwarded-Message-Id: <531A09C7.7070904@stpeter.im>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/8RymW7gpLL90gY_AknhQinS4Q8c
Subject: [http-auth] Fwd: [precis] usernames in PRECIS and http-auth
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Mar 2014 14:50:13 -0000
FYI. Please discuss on the precis@ietf.org list. -------- Original Message -------- Subject: [precis] usernames in PRECIS and http-auth Date: Fri, 07 Mar 2014 11:02:47 -0700 From: Peter Saint-Andre <stpeter@stpeter.im> To: precis@ietf.org <precis@ietf.org> As promised at IETF 89, I have compared the username definitions from draft-oiwa-precis-httpauthprep-00 and draft-ietf-precis-saslprepbis-06, with the purpose of perhaps harmonizing the two approaches so that we can avoid multiplying PRECIS profiles beyond necessity. (I am writing this email on the flight home, and I neglected to load up the meeting minutes before leaving, so I might not address all of the relevant points in this message.) First, let's look at the syntax definitions. draft-ietf-precis-saslprepbis-06 states that a username can (a) consist of one of more userparts, or (b) can be of the form userpart@domainpart. The ABNF definition is: username = userpart [1*(1*SP userpart)] / userpart ’@’ domainpart userpart = 1*(idpoint) domainpart = IP-literal / IPv4address / ifqdn ifqdn = 1*1023(domainpoint) Where: * an "idpoint" is a UTF-8 encoded Unicode code point that conforms to the PRECIS "IdentifierClass" * an "IPv4address" is as defined in RFC 3986 * an "IP-literal" is as defined in RFC 3986 * a "domainpoint" is a UTF-8 encoded Unicode code point that conforms to RFC 5890 By contrast, draft-oiwa-precis-httpauthprep states that a username consists of one or more UTF-8 encoded Unicode code points that conform to the PRECIS "IdentifierClass". The ABNF definition is: userpart = 1*(idpoint) We quickly see that an http-auth username is a legal PRECIS username, since 1*(idpoint) is simply a userpart as defined in draft-ietf-precis-saslprepbis-06, and a PRECIS username can consist of only one userpart. Therefore, in this respect, I think the httpauthprep text (whether it appears in a standalone document or elsewhere) can simply state that for purposes of HTTP authentication a username is a userpart as defined in draft-ietf-precis-saslprepbis. Second, let's look at the string preparation method. Here, too, draft-oiwa-precis-httpauthprep-00 is a subset of draft-ietf-precis-saslprepbis-06. The preparation method in draft-ietf-precis-saslprepbis-06 is: 1. The base string class is the "IdentifierClass" specified in [I-D.ietf-precis-framework]. 2. Fullwidth and halfwidth characters MUST be mapped to their decomposition equivalents. 3. So-called additional mappings MAY be applied, such as those defined in [I-D.ietf-precis-mappings]. 4. Uppercase and titlecase characters might be mapped to their lowercase equivalents (see Section 4.2.1 below). 5. Unicode Normalization Form C (NFC) MUST be applied to all characters. By contrast, the preparation method in draft-oiwa-precis-httpauthprep-00 is: 1. Fullwidth and halfwidth characters MUST be mapped to their decomposition equivalents. 2. Additional mappings SHOULD NOT be applied, such as those defined in [I-D.ietf-precis-mappings], unless there are implementation- dependent reasons to do so, or these are exceptionally required by specific authentication schemes. 3. Case mapping is not applied. 4. Unicode Normalization Form C (NFC) MUST be applied to all characters.o These two defnitions agree on the width mapping and normalization rules described in the PRECIS framework. They appear to differ slightly with regard to the additional mapping and case mapping rules. However, draft-oiwa-precis-httpauthprep-00 is merely a bit more restrictive with regard to matters that are purely optional according to draft-ietf-precis-saslprepbis-06. For example, the option of saying that "case mapping is not applied" is allowed by the text "uppercase and titlecase characters might be mapped to their lowercase equivalents". To make this clearer, I suggest that we modify the advice in draft-oiwa-precis-httpauthprep-00 so that it no longer defines its own PRECIS profile. Instead, I suggest that we phrase the httpauthprep text in terms of the username profile in draft-ietf-precis-saslprepbis-06. To my mind, something like this would work: ### For the purposes of HTTP authentication, a username conforms to the syntax definition and preparation methods specified in [I.D-draft-ietf-precis-saslprepbis], with the following limitations: * a username conforms to the "userpart" construction from [I-D.draft-ietf-precis-saslprepbis] * case mapping is not applied * delimiter mappings, special mappings, and other so-called additional mappings [I-D.draft-ietf-precis-mappings] are not applied ### As far as I can see, this simplifies the httpautheprep text quite a bit. (By the way, draft-oiwa-precis-httpauthprep-00 also seems to copy the password profile verbatim from draft-ietf-precis-saslprepbis. I think this text can be removed entirely, so that the httpauthprep text can simply reference draft-ietf-precis-saslprepbis.) Yutaka and Alexey (and others), let me know what you think about what I have written here. Thanks, Peter _______________________________________________ precis mailing list precis@ietf.org https://www.ietf.org/mailman/listinfo/precis
- [http-auth] Fwd: [precis] usernames in PRECIS and… Peter Saint-Andre