Re: [http-auth] Pete Resnick's No Objection on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)
Julian Reschke <julian.reschke@greenbytes.de> Wed, 18 February 2015 22:55 UTC
Return-Path: <julian.reschke@greenbytes.de>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 845B11A1B59; Wed, 18 Feb 2015 14:55:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.561
X-Spam-Level:
X-Spam-Status: No, score=-1.561 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AzBHwA-fRc5c; Wed, 18 Feb 2015 14:55:03 -0800 (PST)
Received: from mail.greenbytes.de (mail.greenbytes.de [217.91.35.233]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A39261A1B91; Wed, 18 Feb 2015 14:55:03 -0800 (PST)
Received: from [192.168.2.175] (unknown [93.217.116.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mail.greenbytes.de (Postfix) with ESMTPSA id A641015A0237; Wed, 18 Feb 2015 23:55:01 +0100 (CET)
Message-ID: <54E51843.1050307@greenbytes.de>
Date: Wed, 18 Feb 2015 23:54:59 +0100
From: Julian Reschke <julian.reschke@greenbytes.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Pete Resnick <presnick@qti.qualcomm.com>, Julian Reschke <julian.reschke@gmx.de>
References: <20150218214927.31074.15996.idtracker@ietfa.amsl.com> <54E511BF.1070503@gmx.de> <54E51652.4050301@qti.qualcomm.com>
In-Reply-To: <54E51652.4050301@qti.qualcomm.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/MCPENw8qjwa52V_hSwkX4ZUXB54>
Cc: http-auth@ietf.org, draft-ietf-httpauth-basicauth-update.all@ietf.org, The IESG <iesg@ietf.org>, httpauth-chairs@ietf.org
Subject: Re: [http-auth] Pete Resnick's No Objection on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2015 22:55:05 -0000
On 2015-02-18 23:46, Pete Resnick wrote: > On 2/18/15 4:27 PM, Julian Reschke wrote: > >>> Furthermore, a user-id containing a colon character is invalid, as >>> recipients will split the user-pass at the first occurrence of a >>> colon character. Note that many user agents however will accept a >>> colon in user-id, thereby producing a user-pass string that >>> recipients will likely treat in a way not intended by the user. >> >> I just tested Firefox, Chrome, and IE. All of them accept colons in >> user ids and do exactly what the spec currently says. > > You mean all of them simply take the user-id, add a colon, add the > password, and when the server gets it, the server interprets everything > before the first colon as the user-id and (almost always) fails? That is > to say, user-ids with colons simply don't work? That's what these UAs do. I don't know why they do it; perhaps it "works" (for some definition of "works") with some servers. >> It seems pointless to me to say "MUST NOT" when it's widely >> implemented that way. In a new protocol I'd prefer and mandate "fail >> early", but this is not a new protocol. > > I guess I'm lost on the distinction between: > > A user-id containing a colon does not work. I don't say "does not work", but "Note that many user agents however will accept a colon in user-id, thereby producing a user-pass string that recipients will likely treat in a way not intended by the user.". I think that's an accurate description of reality. > and > > A user-id containing a colon MUST NOT be used. > > They are semantically identical, AFAICT. > > "MUST NOT" does not mean the Internet Police will come to take you away. > "MUST NOT" means "this won't work". Ahem, no, that's not what "MUST NOT" means. Best regards, Julian
- [http-auth] Pete Resnick's No Objection on draft-… Pete Resnick
- Re: [http-auth] Pete Resnick's No Objection on dr… Julian Reschke
- Re: [http-auth] Pete Resnick's No Objection on dr… Bjoern Hoehrmann
- Re: [http-auth] Pete Resnick's No Objection on dr… Pete Resnick
- Re: [http-auth] Pete Resnick's No Objection on dr… Julian Reschke
- Re: [http-auth] Pete Resnick's No Objection on dr… Barry Leiba
- Re: [http-auth] Pete Resnick's No Objection on dr… Bjoern Hoehrmann
- Re: [http-auth] Pete Resnick's No Objection on dr… Barry Leiba
- Re: [http-auth] Pete Resnick's No Objection on dr… Julian Reschke
- Re: [http-auth] Pete Resnick's No Objection on dr… Kathleen Moriarty
- Re: [http-auth] Pete Resnick's No Objection on dr… Julian Reschke
- Re: [http-auth] Pete Resnick's No Objection on dr… Barry Leiba
- Re: [http-auth] Pete Resnick's No Objection on dr… Bjoern Hoehrmann
- Re: [http-auth] Pete Resnick's No Objection on dr… Julian Reschke
- Re: [http-auth] Pete Resnick's No Objection on dr… Bjoern Hoehrmann
- Re: [http-auth] Pete Resnick's No Objection on dr… Roy T. Fielding
- Re: [http-auth] Pete Resnick's No Objection on dr… Martin J. Dürst
- Re: [http-auth] Pete Resnick's No Objection on dr… Julian Reschke
- Re: [http-auth] Pete Resnick's No Objection on dr… Barry Leiba
- Re: [http-auth] Pete Resnick's No Objection on dr… Kathleen Moriarty
- Re: [http-auth] Pete Resnick's No Objection on dr… Pete Resnick
- Re: [http-auth] Pete Resnick's No Objection on dr… Kathleen Moriarty
- Re: [http-auth] Pete Resnick's No Objection on dr… Barry Leiba
- Re: [http-auth] Pete Resnick's No Objection on dr… Kathleen Moriarty