IETF Logo Mail Archive

Re: [http-auth] Pete Resnick's No Objection on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 19 February 2015 16:20 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1553F1A19F8; Thu, 19 Feb 2015 08:20:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VGNttRC5_gAm; Thu, 19 Feb 2015 08:20:09 -0800 (PST)
Received: from mail-la0-x22b.google.com (mail-la0-x22b.google.com [IPv6:2a00:1450:4010:c03::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79C6A1A8833; Thu, 19 Feb 2015 08:20:09 -0800 (PST)
Received: by labhz20 with SMTP id hz20so630778lab.0; Thu, 19 Feb 2015 08:20:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=cyF3II3LWQiVH02rLbscCRTIcJd2jPnhPWETIyiEPZk=; b=aA+nS0TlZB43NKv2sQOSoPPv+ymiTGrS0jd4AQjUdJFExUIWlnztKhPXiQhCA2V0v3 9z0IyFSeYGU3/aYsTbmGM8R/6A8ItOK6rXfqk6SSIXcbYLB9Qb6Tqqx0YoFDYgtijpX7 fXCIFfbLIeo5s8DgYlhJAL2q9XLtDnZuDaS4/vK14z9ezln2zpnVIOAUtHrQQlV3GFDX 0evcKuRJGk5sWVuSUp1nE0Ch/OedMldFWrqMuk3e2TFo7+3Ytk7aT958uEvDFMfFZKqr yGqc5sULRElDjtG0JqHWxPBkuM0e5BcfYF+Kp0Vqw9cN7LggVvRF99iuZCYQ/bMRrpHP 9Plg==
MIME-Version: 1.0
X-Received: by 10.152.36.138 with SMTP id q10mr4477334laj.113.1424362807905; Thu, 19 Feb 2015 08:20:07 -0800 (PST)
Received: by 10.112.167.101 with HTTP; Thu, 19 Feb 2015 08:20:07 -0800 (PST)
In-Reply-To: <54E58D9C.5020207@gmx.de>
References: <20150218214927.31074.15996.idtracker@ietfa.amsl.com> <54E511BF.1070503@gmx.de> <54E51652.4050301@qti.qualcomm.com> <54E51843.1050307@greenbytes.de> <CALaySJJCzgkUNpONxFdv9-ZUD_Qxa_70rt+3g+U60Ctt80CMAg@mail.gmail.com> <54E58D9C.5020207@gmx.de>
Date: Thu, 19 Feb 2015 11:20:07 -0500
Message-ID: <CAHbuEH7rf72Dx0QiLgEjPZ7vCDDinEYZE-E9yTvABfSii635Pg@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Content-Type: multipart/alternative; boundary="089e0160b922325190050f734f4e"
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/OhuEnf7kENCOUhWRdpT3zE08nUQ>
Cc: Julian Reschke <julian.reschke@greenbytes.de>, Pete Resnick <presnick@qti.qualcomm.com>, httpauth-chairs@ietf.org, "http-auth@ietf.org" <http-auth@ietf.org>, The IESG <iesg@ietf.org>, Barry Leiba <barryleiba@computer.org>, draft-ietf-httpauth-basicauth-update.all@ietf.org
Subject: Re: [http-auth] Pete Resnick's No Objection on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Feb 2015 16:20:12 -0000

Hi,

On Thu, Feb 19, 2015 at 2:15 AM, Julian Reschke <julian.reschke@gmx.de>
wrote:

> On 2015-02-19 00:42, Barry Leiba wrote:
>
>> "MUST NOT" does not mean the Internet Police will come to take you away.
>>>> "MUST NOT" means "this won't work".
>>>>
>>>
>>> Ahem, no, that's not what "MUST NOT" means.
>>>
>>
>> It is, modulo rhetoric.  It's an interoperability requirement.  "You
>> MUST NOT do <x>," means that if you do <x>, you will not interoperate
>> -- something will break.  It seems to me that that's exactly the case
>> here: If my username is "b:leiba", and a client sends "b:leiba:plugh",
>> many servers will think the username is "b" and the password is
>> "leiba:plugh".  That means that allowing ":" in the username breaks
>> interoperability.  Whether or not it works sometimes, and whether or
>>
>
> Allowing colons in usernames when usernames are assigned is a problem. We
> already say these names are invalid.
>
> Requiring UAs to reject them is an entirely different story. If a user id
> *did* contain the colon, and did "work" for some UA A and server B,
> implementing the "MUST NOT" in the UA would remove the user's ability to
> log on to the web site. That's a bigger failure.


Pete and Barry are making the point that text in this draft can help clear
this issue up going forward.  If a user id contained a colon, the user
would need a new id if user agents decided this should not work.  Since
browsers do support this now, there must be some instances where this
occurred to change their behavior, moving away from standard specifications
to allow this, is that true?  I haven't seen user ids with :s in them, but
that could just be me being unaware of this practice.

I'm not reading this discussion as resolved yet.

Thanks,
Kathleen

>
>
>  not implementations currently *do* this are irrelevant.  The point is
>> that the right definition of the protocol is that you "MUST NOT have a
>> colon character in the username."
>>
>
> They are invalid, and we already say that.
>
> Best regards, Julian
>



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email