IETF Logo Mail Archive

Re: [http-auth] Pete Resnick's No Objection on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)

Bjoern Hoehrmann <derhoermi@gmx.net> Thu, 19 February 2015 01:16 UTC

Return-Path: <derhoermi@gmx.net>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 797901A2130; Wed, 18 Feb 2015 17:16:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.14
X-Spam-Level:
X-Spam-Status: No, score=-1.14 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dOzAceiW4sFa; Wed, 18 Feb 2015 17:16:12 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 773391A212A; Wed, 18 Feb 2015 17:16:12 -0800 (PST)
Received: from netb ([89.204.137.79]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MBZ9u-1YEsKe1mII-00AU3d; Thu, 19 Feb 2015 02:16:02 +0100
From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Barry Leiba <barryleiba@computer.org>
Date: Thu, 19 Feb 2015 02:15:57 +0100
Message-ID: <dg9aea9kp9raqqukdloeqfnrfvl8cj26oq@hive.bjoern.hoehrmann.de>
References: <20150218214927.31074.15996.idtracker@ietfa.amsl.com> <54E511BF.1070503@gmx.de> <54E51652.4050301@qti.qualcomm.com> <54E51843.1050307@greenbytes.de> <CALaySJJCzgkUNpONxFdv9-ZUD_Qxa_70rt+3g+U60Ctt80CMAg@mail.gmail.com>
In-Reply-To: <CALaySJJCzgkUNpONxFdv9-ZUD_Qxa_70rt+3g+U60Ctt80CMAg@mail.gmail.com>
X-Mailer: Forte Agent 3.3/32.846
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K0:ikz6Ohb/nsf9S7gL85/F8zkgcXIwZCkR74QSTvX97CdFq+jhIVy HOsqOGDJJAPRBO+ebl5c+vaI7Y3nzCJFvM06F8kdDjKbujh4HxRfmRzqzA5m8deMDytQlL4 OWfZ839MXyN/8ZfmMD0TKUrHG63yl5O0ZCcGNuKIDCHzNs0s2V5tTIXb+yIP2hFgoTV7gh3 IHTadUqFMDW1OR0XVIzHA==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/KMrKeUnmWkf38dDtlV1abKNpPeI>
Cc: Julian Reschke <julian.reschke@greenbytes.de>, Julian Reschke <julian.reschke@gmx.de>, Pete Resnick <presnick@qti.qualcomm.com>, httpauth-chairs@ietf.org, "http-auth@ietf.org" <http-auth@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-httpauth-basicauth-update.all@ietf.org
Subject: Re: [http-auth] Pete Resnick's No Objection on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Feb 2015 01:16:15 -0000

* Barry Leiba wrote:
>>> "MUST NOT" does not mean the Internet Police will come to take you away.
>>> "MUST NOT" means "this won't work".
>>
>> Ahem, no, that's not what "MUST NOT" means.
>
>It is, modulo rhetoric.  It's an interoperability requirement.  "You
>MUST NOT do <x>," means that if you do <x>, you will not interoperate
>-- something will break.  It seems to me that that's exactly the case
>here: If my username is "b:leiba", and a client sends "b:leiba:plugh",
>many servers will think the username is "b" and the password is
>"leiba:plugh".  That means that allowing ":" in the username breaks
>interoperability.  Whether or not it works sometimes, and whether or
>not implementations currently *do* this are irrelevant.  The point is
>that the right definition of the protocol is that you "MUST NOT have a
>colon character in the username."

So, a browser shows a user a prompt like

  Username: _______________
  Password: _______________

User enters Username $user and Password $pass and the browser sends

  Authorization: Basic base64(utf8_encode(concat($user, ':', $pass)))

And then the server interprets that as Username $u and Password $p.

A couple of scenarios:

  a) Browsers abort the process above if $user contains `:`

  b) Browsers abort the process above if $pass contains `:`

  c) `Authorization` headers does not conform to the draft if
     concat($user, ':', $pass) contains more than one colon

  d) $u != $user

  e) $p != $pass

As it is, the draft does not require a); b) would be non-compliant; c)
is false; d) and e) can happen without violating requirements of the
specification due to colons alone.

The text suggested by Pete Resnick restricts, in the model above, the
contents of `$user`, without clear implications for browsers or servers
or header field value validity. What is it actually that people want
here? Should browsers be required to check user input for colons? Is it
okay that the draft requires support for colons in passwords, but does
not require servers to interpret `b:leiba:plugh` as having a password of
`leiba:plugh`? Perhaps encoded `user:pass` strings in `Basic` headers
should be non-conforming if they contain more than one colon?
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
 Available for hire in Berlin (early 2015)  · http://www.websitedev.de/

v2.23.0 | Report a Bug | By Email