Re: [http-auth] Question regarding RFC 7617

Julian Reschke <julian.reschke@gmx.de> Wed, 07 March 2018 20:08 UTC

To: Enrico Bonato <enrico.bonato@vantea.com>, "http-auth@ietf.org" <http-auth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/Uf9wBiwyfPtPv9Gjko0cOVnCv7k>

On 2018-03-07 12:01, Enrico Bonato wrote:
> Greetings
> the proposed standard in the Subject marks usernames containing ":" as invalid.
> Quoting section 2:
> 
> "Furthermore, a user-id containing a colon character is invalid, as
>     the first colon in a user-pass string separates user-id and password
>     from one another"
> 
> This is totally understandable, but limits interoperability with systems (e.g. LDAP's DNs - rfc2253) which allow such a character.
> 
> What if a username contains (one or more) colon characters already? Shouldn't this character be escapable as "special" character?
> ...

Yes, it should have been. But this wasn't considered when Basic auth was
defined initially, and there was no simple way to retrofit this into the
protocol many years later...

Best regards, Julian
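
The first-colon split quoted from section 2 of RFC 7617, shown as an added example that is not part of the original message. The DN-style user-id, the passwords, the function names and the UTF-8 charset are assumptions made for illustration.

```python
import base64


def encode_basic(user_id: str, password: str, strict: bool = True) -> str:
    """Client side: build the credentials for 'Authorization: Basic <credentials>'."""
    if strict and ":" in user_id:
        # RFC 7617 section 2: a user-id containing a colon is invalid,
        # so a conforming client refuses it instead of sending it.
        raise ValueError("user-id must not contain ':'")
    user_pass = f"{user_id}:{password}".encode("utf-8")  # charset is an assumption
    return base64.b64encode(user_pass).decode("ascii")


def decode_basic(credentials: str) -> tuple[str, str]:
    """Server side: the FIRST colon in user-pass separates user-id and password."""
    user_pass = base64.b64decode(credentials, validate=True).decode("utf-8")
    user_id, sep, password = user_pass.partition(":")
    if not sep:
        raise ValueError("user-pass contains no colon")
    return user_id, password


def roundtrip_lenient(user_id: str, password: str) -> tuple[str, str]:
    """What a server recovers when a client skips the colon check."""
    return decode_basic(encode_basic(user_id, password, strict=False))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    dn_user = "cn=svc:backup,dc=example,dc=com"

    # A colon in the password is harmless: only the first colon is a separator.
    print(roundtrip_lenient("alice", "pa:ss"))

    # A colon in the user-id is silently re-split: the server sees a different
    # user-id, and the rest of the name is folded into the password.
    print(roundtrip_lenient(dn_user, "s3cret"))

    # The strict client rejects the user-id before anything goes on the wire.
    try:
        encode_basic(dn_user, "s3cret")
    except ValueError as exc:
        print("rejected:", exc)
```

There is no escape mechanism in the format, so the only safe handling of such a user-id is rejection on the client or a mapping to a colon-free identifier before authentication.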