IETF Logo Mail Archive

Re: [http-auth] Pete Resnick's No Objection on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)

Pete Resnick <presnick@qti.qualcomm.com> Wed, 18 February 2015 22:46 UTC

Return-Path: <presnick@qti.qualcomm.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C6201A1B77; Wed, 18 Feb 2015 14:46:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.011
X-Spam-Level:
X-Spam-Status: No, score=-7.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5043smjrasGa; Wed, 18 Feb 2015 14:46:46 -0800 (PST)
Received: from sabertooth02.qualcomm.com (sabertooth02.qualcomm.com [65.197.215.38]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AA921A1B60; Wed, 18 Feb 2015 14:46:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qti.qualcomm.com; i=@qti.qualcomm.com; q=dns/txt; s=qcdkim; t=1424299606; x=1455835606; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=DfqDOCawDiXwWLDQ9PMFAY2P1KPoOkfI51CHXXe1ycc=; b=js8UgOQxQFc13+af9et8ifxdaj/m9CPL7B5KkndFP1FWMkPry4dwJT4u nNOwKtyFO5xG6m0/zx43QsllVGX5mmxzpteJegMgE3F2Qog6x6jQShuL4 9UxrOeCVLRiaRgzOXyNiF7lBFUMxgMnP5skuqtv0ud5lu0N8kNuShe5BC g=;
X-IronPort-AV: E=McAfee;i="5600,1067,7716"; a="84291650"
Received: from ironmsg03-l.qualcomm.com ([172.30.48.18]) by sabertooth02.qualcomm.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 18 Feb 2015 14:46:45 -0800
X-IronPort-AV: E=Sophos;i="5.09,604,1418112000"; d="scan'208";a="843477552"
Received: from nasanexm01f.na.qualcomm.com ([10.85.0.32]) by Ironmsg03-L.qualcomm.com with ESMTP/TLS/RC4-SHA; 18 Feb 2015 14:46:45 -0800
Received: from resnick2.qualcomm.com (10.80.80.8) by NASANEXM01F.na.qualcomm.com (10.85.0.32) with Microsoft SMTP Server (TLS) id 15.0.995.29; Wed, 18 Feb 2015 14:46:44 -0800
Message-ID: <54E51652.4050301@qti.qualcomm.com>
Date: Wed, 18 Feb 2015 16:46:42 -0600
From: Pete Resnick <presnick@qti.qualcomm.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.7; en-US; rv:1.9.1.9) Gecko/20100630 Eudora/3.0.4
MIME-Version: 1.0
To: Julian Reschke <julian.reschke@gmx.de>
References: <20150218214927.31074.15996.idtracker@ietfa.amsl.com> <54E511BF.1070503@gmx.de>
In-Reply-To: <54E511BF.1070503@gmx.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.80.80.8]
X-ClientProxiedBy: NASANEXM01C.na.qualcomm.com (10.85.0.83) To NASANEXM01F.na.qualcomm.com (10.85.0.32)
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/Js2wYIZlPzsS84PKVR1USjkEeBQ>
Cc: http-auth@ietf.org, draft-ietf-httpauth-basicauth-update.all@ietf.org, The IESG <iesg@ietf.org>, httpauth-chairs@ietf.org
Subject: Re: [http-auth] Pete Resnick's No Objection on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2015 22:46:48 -0000

On 2/18/15 4:27 PM, Julian Reschke wrote:

>>     Furthermore, a user-id containing a colon character is invalid, as
>>     recipients will split the user-pass at the first occurrence of a
>>     colon character.  Note that many user agents however will accept a
>>     colon in user-id, thereby producing a user-pass string that
>>     recipients will likely treat in a way not intended by the user.
>
> I just tested Firefox, Chrome, and IE. All of them accept colons in 
> user ids and do exactly what the spec currently says.

You mean all of them simply take the user-id, add a colon, add the 
password, and when the server gets it, the server interprets everything 
before the first colon as the user-id and (almost always) fails? That is 
to say, user-ids with colons simply don't work?

> It seems pointless to me to say "MUST NOT" when it's widely 
> implemented that way. In a new protocol I'd prefer and mandate "fail 
> early", but this is not a new protocol.

I guess I'm lost on the distinction between:

    A user-id containing a colon does not work.

and

    A user-id containing a colon MUST NOT be used.

They are semantically identical, AFAICT.

"MUST NOT" does not mean the Internet Police will come to take you away. 
"MUST NOT" means "this won't work".

pr

-- 
Pete Resnick<http://www.qualcomm.com/~presnick/>
Qualcomm Technologies, Inc. - +1 (858)651-4478

v2.23.0 | Report a Bug | By Email