Re: [http-auth] UTF-8, usernames, passwords

Yutaka OIWA <y.oiwa@aist.go.jp> Tue, 28 October 2014 00:53 UTC

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Tue, 28 Oct 2014 09:52:54 +0900
To: Peter Saint-Andre - &yet <peter@andyet.net>
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
In-Reply-To: <544E6EDA.4060608@andyet.net>
Message-ID: <CAMeZVwubv8XgX1nWzh-z7FFEyjzJapsKSkMS1LET=h7ua7OQzg@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/Kl4Wiz93BSI_2cMFCSM61_IqS_Q
List-Id: HTTP authentication methods <http-auth.ietf.org>

Dear all,

As an author of another PRECIS draft for HTTP authentication
(http://tools.ietf.org/html/draft-oiwa-precis-httpauthprep-00),
I personally feel that limiting allowed characters to
IdentifierClass is feasible and reasonable.
It includes all "sensible IMO" characters for identifiers,
is binary compatible with all printable ASCII characters,
and is character-set compatible with the ISO-8859-1 set.
It will not exclude any printable characters which are currently
officially allowed in the spec.

We should allow any number of "ASCII SPACE" U+0020
between printable characters for backward compatibility,
and should not forbid any printable ASCII characters
(except some scheme-dependent "forbidden-by-protocol"
characters like colon <:> in Basic).
I strongly believe we should forbid any control characters.
In both Peter's and my proposals, SPACEs at the
beginning and the end of the string are not allowed,
which can be a target for discussion.

I'm currently trying to seek a possible merger of
my proposal into saslprepbis, to reduce the number of
profiles to implement.


-- 
Yutaka OIWA, Ph.D.
           Senior Researcher, Research Institute for Secure Systems (RISEC)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]



2014-10-28 1:12 GMT+09:00 Peter Saint-Andre - &yet <peter@andyet.net>:
> Over in the PRECIS working group, we've been trying to harmonize the
> username and password definitions from "saslprepbis" (which is intended to
> apply to more than just SASL) with the updated spec for basic auth:
>
> http://datatracker.ietf.org/doc/draft-ietf-precis-saslprepbis/
> http://datatracker.ietf.org/doc/draft-ietf-httpauth-basicauth-update/
>
> See for instance this thread:
>
> http://www.ietf.org/mail-archive/web/precis/current/msg00705.html
> http://www.ietf.org/mail-archive/web/precis/current/msg00704.html
> http://www.ietf.org/mail-archive/web/precis/current/msg00861.html
> http://www.ietf.org/mail-archive/web/precis/current/msg00869.html
>
> Although we've gotten closer to harmony and I've been working to adjust
> draft-ietf-precis-saslprepbis as needed, we're not there yet.
>
> USERNAMES
>
> UTF-8: both saslprepbis and basicauth specify UTF-8 (for basicauth, when the
> new 'charset' parameter is used)
>
> Unicode normalization: NFC
>
> Width mapping: not specified in basicauth, whereas saslprepbis specifies
> that fullwidth and halfwidth characters MUST be mapped to their
> decomposition mappings (is this something that basicauth might specify?)
>
> The major gap appears to be the allowable characters:
>
> - saslprepbis limits username characters to those allowed by the PRECIS
> IdentifierClass, essentially letters and digits and ASCII7 characters, along
> with single space characters separating parts of a string.
>
> - basicauth might (at least based on what I understand) allow a wider range
> of characters, such as multiple spaces in a row or even symbols outside the
> ASCII7 range (see discussion thread above for examples)
>
> As to the space issue, we might be able to work around this by defining an
> application-layer construct in basicauth that reuses the "userpart" rule
> from saslprepbis.
>
> However, for allowable characters if we want to allow basically any
> character in basicauth usernames then in PRECIS terms we'd need to make a
> profile of the FreeformClass, not the IdentifierClass. IMHO that would be
> less than ideal and likely violate the principle of least user astonishment
> ("why does this username work for the web but not email?").
>
> PASSWORDS
>
> Here saslprepbis and basicauth are closer together. In fact the only gaps
> might be:
>
> - width mapping: saslprepbis says MUST NOT perform width mapping, whereas
> basicauth doesn't say anything about that
>
> - spaces: in SASLprep and also saslprepbis, non-ASCII spaces are mapped to
> ASCII space, whereas basicauth doesn't say anything about that
>
> For both usernames and passwords in basicauth, we might want to say
> something about bidi characters.
>
> Is there a way that we can come to agreement on these issues? Do we perhaps
> need time at the next IETF meeting, or a conf call of some kind, to make
> progress?
>
> Peter
>
> --
> Peter Saint-Andre
> https://andyet.com/
>
> _______________________________________________
> http-auth mailing list
> http-auth@ietf.org
> https://www.ietf.org/mailman/listinfo/http-auth
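The rules the two messages above compare (IdentifierClass versus FreeformClass for usernames, NFC normalization, width mapping for usernames but not passwords, mapping of non-ASCII spaces to U+0020 for passwords, rejection of control characters and of leading/trailing spaces, and Basic's forbidden colon) are easier to reason about when written down as code. The following is an added example, not code from the thread, from saslprepbis, basicauth-update or any RFC: it approximates the PRECIS string classes with Unicode general categories (the real PRECIS derived-property algorithm has more rules, e.g. for format characters and contextual rules), and every function name (`prepare_username`, `prepare_password`, `basic_authorization`, `rejected`) and the `allow_space_runs` switch, which models Oiwa's proposal to permit runs of U+0020, are assumptions of this example.

```python
"""Simplified, illustrative PRECIS-style preparation of HTTP Basic credentials.

Added teaching example: it approximates the rules discussed in the thread
using Unicode general categories. It is NOT the normative PRECIS algorithm.
"""
import base64
import unicodedata


class PrepError(ValueError):
    """Raised when a profile rejects a string."""


def width_map(s: str) -> str:
    """Map fullwidth/halfwidth forms to their decomposition mappings.

    saslprepbis requires this for usernames and forbids it for passwords.
    Only code points whose decomposition is tagged <wide> or <narrow> are
    touched, so ordinary compatibility characters are left alone.
    """
    out = []
    for ch in s:
        decomp = unicodedata.decomposition(ch)
        if decomp.startswith("<wide>") or decomp.startswith("<narrow>"):
            out.append(unicodedata.normalize("NFKC", ch))
        else:
            out.append(ch)
    return "".join(out)


def has_control(s: str) -> bool:
    """True if any code point is a control character (general category Cc)."""
    return any(unicodedata.category(ch) == "Cc" for ch in s)


def in_identifier_class(ch: str) -> bool:
    """Approximation of the PRECIS IdentifierClass:
    printable ASCII (0x21..0x7E) plus letters, digits and combining marks."""
    if "\x21" <= ch <= "\x7e":
        return True
    cat = unicodedata.category(ch)
    return cat[0] in ("L", "M") or cat == "Nd"


def in_freeform_class(ch: str) -> bool:
    """Approximation of the PRECIS FreeformClass: anything that is not a
    control, format, surrogate, private-use or unassigned code point."""
    return not unicodedata.category(ch).startswith("C")


def prepare_username(s: str, klass: str = "identifier",
                     allow_space_runs: bool = False) -> str:
    """Prepare a username.

    klass="identifier" models saslprepbis (single U+0020 between parts);
    klass="freeform" models the wider class Peter mentions for basicauth.
    allow_space_runs=True models Oiwa's proposal to keep runs of spaces
    between printable characters for backward compatibility.
    """
    s = width_map(s)                      # saslprepbis: width-map usernames
    s = unicodedata.normalize("NFC", s)   # both drafts: NFC
    if not s:
        raise PrepError("empty username")
    if has_control(s):
        raise PrepError("control character in username")
    if s[0] == " " or s[-1] == " ":
        raise PrepError("leading or trailing space")   # both proposals
    if not allow_space_runs and "  " in s:
        raise PrepError("consecutive spaces not allowed")
    allowed = in_identifier_class if klass == "identifier" else in_freeform_class
    for ch in s:
        if ch != " " and not allowed(ch):
            raise PrepError("character U+%04X not allowed" % ord(ch))
    return s


def prepare_password(s: str) -> str:
    """Prepare a password: NO width mapping, non-ASCII spaces (category Zs)
    mapped to U+0020 as in SASLprep/saslprepbis, then NFC, no controls."""
    s = "".join(" " if unicodedata.category(ch) == "Zs" else ch for ch in s)
    s = unicodedata.normalize("NFC", s)
    if not s:
        raise PrepError("empty password")
    if has_control(s):
        raise PrepError("control character in password")
    return s


def basic_authorization(username: str, password: str) -> str:
    """Build an Authorization header value for Basic with UTF-8 credentials.
    The colon is forbidden-by-protocol in the username because it separates
    user-id and password inside the base64 token."""
    user = prepare_username(username, allow_space_runs=True)
    pw = prepare_password(password)
    if ":" in user:
        raise PrepError("colon is forbidden-by-protocol in Basic usernames")
    token = base64.b64encode((user + ":" + pw).encode("utf-8")).decode("ascii")
    return "Basic " + token


def rejected(fn, *args, **kwargs) -> bool:
    """Demonstration helper: True if the profile rejects the input."""
    try:
        fn(*args, **kwargs)
    except PrepError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: fullwidth A, decomposed e + acute, a snowman.
    print(prepare_username("\uff21lice"))                 # width-mapped to "Alice"
    print(prepare_username("cafe\u0301"))                 # NFC-composed
    print(rejected(prepare_username, "alice\u2603"))      # symbol: not IdentifierClass
    print(prepare_username("alice\u2603", klass="freeform"))
    print(prepare_password("pass\u3000word"))             # ideographic space -> U+0020
    print(basic_authorization("alice", "p:w"))
```

Run as a script it prints the prepared forms; the point to notice is that the same fullwidth letter is rewritten in a username but preserved in a password, and that a symbol such as U+2603 passes only under the freeform profile, which is exactly the "least astonishment" gap Peter describes.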