Re: [http-auth] UTF-8, usernames, passwords

Yutaka OIWA <y.oiwa@aist.go.jp> Tue, 28 October 2014 06:17 UTC


> Actually that is allowed by the current rule in saslprepbis:

>   username   = userpart [1*(1*SP userpart)]


Yes.  I intended that the two profile specs be consistent on this.

Sorry for any possible confusion, and thank you for the clarification.



2014-10-28 10:04 GMT+09:00 Peter Saint-Andre - &yet <peter@andyet.net>:
> On 10/27/14, 6:52 PM, Yutaka OIWA wrote:
>>
>> Dear all,
>>
>> As an author of another PRECIS draft for HTTP authentication
>> (http://tools.ietf.org/html/draft-oiwa-precis-httpauthprep-00),
>> I personally feel that limiting allowed characters to
>> IdentifierClass is feasible and reasonable.
>> It includes all "sensible IMO" characters for identifiers,
>> is binary compatible with all printable ASCII characters,
>> and is character-set compatible with the ISO-8859-1 set.
>> It will not exclude any printable characters which are currently
>> officially allowed in the spec.
>>
>> We should allow any number of "ASCII SPACE" U+0020
>> between printable characters for backward compatibility,
>
>
> Actually that is allowed by the current rule in saslprepbis:
>
>    username   = userpart [1*(1*SP userpart)]
>
>> and should not forbid any printable ASCII characters
>> (except some schema-dependent "forbidden-by-protocol"
>> characters like colon <:> in basic).
>> I strongly believe we should forbid any control characters.
>> In both Peter's and my proposals, SPACEs at the
>> beginning and the tail of the string are not allowed,
>> which can be a target for discussion.
>>
>> I'm currently seeking a possible merger of
>> my proposal into saslprepbis, to reduce the number of
>> profiles to implement.
>
>
> Yes, that is a good goal.
>
>
> Peter
>
> --
> Peter Saint-Andre
> https://andyet.com/
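
The username constraints discussed in this thread, as an added Python example that is not part of either message or of either draft. The function name `check_username` and the category set are assumptions: the set is a simplified stand-in for PRECIS IdentifierClass, not the real derived-property table.

```python
import unicodedata

# Simplified stand-in for PRECIS IdentifierClass (assumption): reject control,
# format, surrogate, private-use, unassigned and separator code points.
# U+0020 is handled separately because the quoted rule
#   username = userpart [1*(1*SP userpart)]
# allows any number of ASCII SPACEs between userparts.
_REJECTED = {"Cc", "Cf", "Cs", "Co", "Cn", "Zs", "Zl", "Zp"}


def check_username(name, scheme="digest"):
    """Return a list of violations; an empty list means the name is accepted."""
    if not name:
        return ["empty username"]
    problems = []
    # Both proposals disallow SPACE at the beginning and the tail of the string.
    if name.startswith(" ") or name.endswith(" "):
        problems.append("leading or trailing SPACE")
    for ch in name:
        if ch == " ":
            continue  # separator between userparts, any count allowed
        cat = unicodedata.category(ch)
        if cat == "Cc":
            msg = "control character U+%04X" % ord(ch)
        elif cat in _REJECTED:
            msg = "disallowed code point U+%04X" % ord(ch)
        else:
            continue
        if msg not in problems:
            problems.append(msg)
    # Scheme-dependent restriction: Basic uses colon to split user-id from password.
    if scheme == "basic" and ":" in name:
        problems.append("colon is forbidden in Basic")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["john smith", " john", "john\tsmith", "john\u3000smith", "a:b"]:
        print(repr(sample), check_username(sample, scheme="basic"))
```

Non-ASCII space characters such as U+3000 are rejected here, since only U+0020 is named as the permitted separator.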