Re: [http-auth] Unicode normalization, was: Draft Minutes Posted for IETF 87 HTTP-AUTH Session

Yutaka OIWA <y.oiwa@aist.go.jp> Wed, 05 February 2014 09:15 UTC

To: Peter Saint-Andre <stpeter@stpeter.im>
Cc: Julian Reschke <julian.reschke@gmx.de>, "http-auth@ietf.org" <http-auth@ietf.org>, precis@ietf.org

Thank you very much for making our next steps very clear.


I'll do my best to improve our proposal.

2014-02-04 Peter Saint-Andre <stpeter@stpeter.im>:
> Yes, I think it is best to define a separate profile for HTTPAUTH (based on
> various conversations at the last IETF meeting). I will try to review your
> document again very soon.
>
> Peter
>
>
> On 2/3/14, 5:18 PM, Yutaka OIWA wrote:
>>
>> Dear Julian and Peter (added),
>>
>> how about the things ongoing about handling of
>> HTTP-AUTH normalization in context of PRECIS?
>>
>> I proposed general-purpose HTTP-AUTH normalization
>> profile to PRECIS WG (just because I need it :-),
>> and they considered merging it with new SASLPREPbis.
>> My current draft is
>> http://tools.ietf.org/html/draft-oiwa-precis-httpauthprep-00 .
>> SASLPREPbis is in WG pool as
>> http://tools.ietf.org/html/draft-ietf-precis-saslprepbis-06 .
>>
>> I am awaiting actions for whether the merging
>> will actually happen or not.
>> In my understanding, removing of SASL-dependent
>> natures (e.g. that in Username grammar) from current
>> saslprepbis is not going forward yet, and current
>> SASLPREPbis is, at least personally, not applicable
>> for any HTTP auth schemes except SASL-backed ones.
>> To clarify, SASLPREPbis is really good, and the differences
>> are not large but critical.
>>
>> I think there are several possible directions for us to go:
>>
>> 1) Go merging: push forward to make saslprepbis a
>>      general-purpose precis profile by separating
>>      still-remaining SASL-only features.
>>      IMO, in this case we may need two separate
>>      application notes documents for SASL and HTTP-AUTH.
>>
>> 2) Go separate: discuss HTTPAUTH in context of
>>      PRECIS separately from SASLPREP.
>>      I believe that my draft will give us a good starting point,
>>      as my best effort.
>>
>> 3) for Julian, one possible best current cheating, if you
>>      can't wait for the PRECIS WG, might be to just specify NFC as a
>>      canonical form.  Both SASLPREP and HTTPAUTHprep
>>      (and many other PRECIS profiles) are NFC based,
>>      so it will not likely harm future development of proper
>>      PRECIS-based "preparation" (including normalization).
>>
>> Also, I would be happy if Julian (as talked in Vancouver)
>> and other people in HTTPAUTH WG and PRECIS WG
>> could give us feedback on my proposal from
>> both WGs' points of view.
>>
>> 2014-02-04 Julian Reschke <julian.reschke@gmx.de>:
>>>
>>> On 2013-10-05 11:01, Julian Reschke wrote:
>>>>
>>>>
>>>> On 2013-09-12 12:35, Julian Reschke wrote:
>>>>>
>>>>>
>>>>> On 2013-08-21 21:22, Matthew Lepinski wrote:
>>>>>>
>>>>>>
>>>>>> Draft minutes for the HTTP-AUTH session have been posted.
>>>>>>
>>>>>> They can be found at:
>>>>>> http://www.ietf.org/proceedings/87/minutes/minutes-87-httpauth
>>>>>>
>>>>>> If you notice any omissions or other errors in the minutes, please let
>>>>>> us know.
>>>>>> ...
>>>>>
>>>>>
>>>>>
>>>>> OK, the minutes mention:
>>>>>
>>>>> "Unicode Normalization : Getting from what is typed in to Unicode code
>>>>> points will require discussion"
>>>>>
>>>>> So how do we proceed from here? Any concrete proposals for what to say?
>>>>
>>>>
>>>>
>>>> It seems we don't know what to say then, right?
>>>>
>>>> How about: "Beware that differing Unicode normalization forms can cause
>>>> interoperability problems. See [http://unicode.org/reports/tr15/]."?
>>>>
>>>>
>>>> Best regards, Julian
>>>
>>>
>>>
>>> So, does anybody have a good plan how to approach the normalization
>>> problem?
>>>
>>> Otherwise we'll just have to state that there are dragons out there, and
>>> that we don't know the solution...
>>>
>>>
>>> Best regards, Julian
>>>
>>
>>
>>
>>
>
>
> --
> Peter Saint-Andre
> https://stpeter.im/



-- 
Yutaka OIWA, Ph.D.                 Leader, System Life-cycle Research Group
                               Research Institute for Secure Systems (RISEC)
     National Institute of Advanced Industrial Science and Technology (AIST)
                       Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
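
The interoperability problem discussed in this thread, and the effect of fixing NFC as the canonical form, shown as an added example that is not part of the original message or of either draft. The account name, password, salt and iteration count are constructed sample values, and the code applies NFC only, not a full PRECIS profile.

```python
import base64, hashlib, hmac, unicodedata

SALT = b"constructed-salt"   # constructed sample value
ITERATIONS = 100_000         # constructed sample value

def nfc(s: str) -> str:
    return unicodedata.normalize("NFC", s)

def basic_token(user: str, password: str, canonicalize: bool) -> str:
    """Client side: build the Basic credentials token from typed input."""
    if canonicalize:
        user, password = nfc(user), nfc(password)
    return base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def enroll(password: str) -> bytes:
    """Server side: verifier stored at enrolment, derived from the NFC form."""
    return hashlib.pbkdf2_hmac("sha256", nfc(password).encode("utf-8"), SALT, ITERATIONS)

def verify(token: str, user: str, verifier: bytes, canonicalize: bool) -> bool:
    """Server side: check a received token, optionally canonicalizing to NFC."""
    got_user, _, got_pw = base64.b64decode(token).decode("utf-8").partition(":")
    if canonicalize:
        got_user, got_pw = nfc(got_user), nfc(got_pw)
    derived = hashlib.pbkdf2_hmac("sha256", got_pw.encode("utf-8"), SALT, ITERATIONS)
    user_ok = hmac.compare_digest(got_user.encode("utf-8"), nfc(user).encode("utf-8"))
    return user_ok and hmac.compare_digest(derived, verifier)

# Constructed input: the same visible strings as typed on two platforms.
USER_NFC, PW_NFC = "jos\u00e9", "p\u00e4ssword"      # precomposed code points
USER_NFD = unicodedata.normalize("NFD", USER_NFC)    # base letter + combining mark
PW_NFD = unicodedata.normalize("NFD", PW_NFC)

def demo() -> dict:
    verifier = enroll(PW_NFC)
    raw_nfd = basic_token(USER_NFD, PW_NFD, canonicalize=False)
    return {
        # Identical on screen, different octets on the wire.
        "tokens_differ": raw_nfd != basic_token(USER_NFC, PW_NFC, canonicalize=False),
        # A server comparing raw octets rejects the legitimate user.
        "nfd_rejected": not verify(raw_nfd, USER_NFC, verifier, canonicalize=False),
        # Canonicalizing on either side restores agreement.
        "nfd_accepted_after_nfc": verify(raw_nfd, USER_NFC, verifier, canonicalize=True),
        "client_nfc_accepted": verify(
            basic_token(USER_NFD, PW_NFD, canonicalize=True), USER_NFC, verifier, False),
    }

if __name__ == "__main__":
    print(demo())
```
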