Re: [http-auth] Unicode normalization, was: Draft Minutes Posted for IETF 87 HTTP-AUTH Session

Yutaka OIWA <y.oiwa@aist.go.jp> Tue, 04 February 2014 00:18 UTC

To: Julian Reschke <julian.reschke@gmx.de>, Peter Saint-Andre <stpeter@stpeter.im>
Cc: "http-auth@ietf.org" <http-auth@ietf.org>, precis@ietf.org

Dear Julian and Peter (added),

how about the things ongoing about the handling of
HTTP-AUTH normalization in the context of PRECIS?

I proposed a general-purpose HTTP-AUTH normalization
profile to the PRECIS WG (just because I need it :-),
and they considered merging it with the new SASLPREPbis.
My current draft is
http://tools.ietf.org/html/draft-oiwa-precis-httpauthprep-00 .
SASLPREPbis is in WG pool as
http://tools.ietf.org/html/draft-ietf-precis-saslprepbis-06 .

I am awaiting actions for whether the merging
will actually happen or not.
In my understanding, removing of SASL-dependent
natures (e.g. that in Username grammar) from the current
saslprepbis is not going forward yet, and the current
SASLPREPbis is, at least personally, not applicable
for any HTTP auth schemes except SASL-backed ones.
To clarify, SASLPREPbis is really good, and the differences
are not large but critical.

I think there are several possible directions for us to go:

1) Go merging: push forward to make saslprepbis a
    general-purpose precis profile by separating
    still-remaining SASL-only features.
    IMO, in this case we may need two separate
    application notes documents for SASL and HTTP-AUTH.

2) Go separate: discuss HTTPAUTH in context of
    PRECIS separately from SASLPREP.
    I believe that my draft will give us a good starting point,
    as my best effort.

3) for Julian, one possible best current cheating, if you
    can't wait for the PRECIS WG, might be to just specify NFC as a
    canonical form.  Both SASLPREP and HTTPAUTHprep
    (and many other PRECIS profiles) are NFC based,
    so it will not likely harm future development of proper
    PRECIS-based "preparation" (including normalization).

Also, I would be happy if Julian (as talked in Vancouver)
and other people in the HTTPAUTH WG and PRECIS WG
could give us feedback on my proposal from
both WGs' points of view.

2014-02-04 Julian Reschke <julian.reschke@gmx.de>:
> On 2013-10-05 11:01, Julian Reschke wrote:
>>
>> On 2013-09-12 12:35, Julian Reschke wrote:
>>>
>>> On 2013-08-21 21:22, Matthew Lepinski wrote:
>>>>
>>>> Draft minutes for the HTTP-AUTH session have been posted.
>>>>
>>>> They can be found at:
>>>> http://www.ietf.org/proceedings/87/minutes/minutes-87-httpauth
>>>>
>>>> If you notice any omissions or other errors in the minutes, please let
>>>> us know.
>>>> ...
>>>
>>>
>>> OK, the minutes mention:
>>>
>>> "Unicode Normalization : Getting from what is typed in to Unicode code
>>> points will require discussion"
>>>
>>> So how do we proceed from here? Any concrete proposals for what to say?
>>
>>
>> It seems we don't know what to say then, right?
>>
>> How about: "Beware that differing Unicode normalization forms can cause
>> interoperability problems. See [http://unicode.org/reports/tr15/]."?
>>
>>
>> Best regards, Julian
>
>
> So, does anybody have a good plan how to approach the normalization problem?
>
> Otherwise we'll just have to state that there are dragons out there, and
> that we don't know the solution...
>
>
> Best regards, Julian



-- 
Yutaka OIWA, Ph.D.                 Leader, System Life-cycle Research Group
                               Research Institute for Secure Systems (RISEC)
     National Institute of Advanced Industrial Science and Technology (AIST)
                       Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
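
Added example, not part of the original message or of either draft: a minimal sketch of the interoperability problem quoted above and of option 3 (NFC as the canonical form). The Basic-style `user:password` token, the PBKDF2 storage and the sample account are assumptions chosen for illustration. The last function shows that NFC covers canonical equivalence only and leaves compatibility variants distinct.

```python
import base64, hashlib, hmac, unicodedata

SALT = b"constructed-demo-salt"   # constructed value, demo only
ITERATIONS = 1000                 # low on purpose so the demo runs fast

def prepare(s: str) -> bytes:
    """Canonicalize to NFC, then encode as UTF-8."""
    return unicodedata.normalize("NFC", s).encode("utf-8")

def pw_hash(password: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, SALT, ITERATIONS)

def basic_token(user: str, password: str, normalize: bool) -> str:
    """Client side: base64(user ":" password), with or without NFC first."""
    enc = prepare if normalize else (lambda s: s.encode("utf-8"))
    return base64.b64encode(enc(user) + b":" + enc(password)).decode("ascii")

def verify(token: str, stored_user: bytes, stored_hash: bytes) -> bool:
    """Server side: byte-wise comparison against the enrolled values."""
    user, _, password = base64.b64decode(token).partition(b":")
    user_ok = hmac.compare_digest(user, stored_user)
    pw_ok = hmac.compare_digest(pw_hash(password), stored_hash)
    return user_ok and pw_ok

# Enrollment stored the precomposed spelling (constructed sample account).
STORED_USER = prepare("jos\u00e9")
STORED_HASH = pw_hash(prepare("p\u00e4ss"))

# Same visible text, typed on a platform that emits decomposed sequences.
TYPED_USER, TYPED_PW = "jose\u0301", "pa\u0308ss"

def login_results():
    """Return (login without normalization, login with NFC on the client)."""
    raw = verify(basic_token(TYPED_USER, TYPED_PW, False), STORED_USER, STORED_HASH)
    nfc = verify(basic_token(TYPED_USER, TYPED_PW, True), STORED_USER, STORED_HASH)
    return raw, nfc

def nfc_leaves_compat_forms_distinct() -> bool:
    # NFC does not fold compatibility characters: fullwidth U+FF21 stays distinct from "A".
    return prepare("\uff21dmin") != prepare("Admin")

if __name__ == "__main__":
    print(login_results(), nfc_leaves_compat_forms_distinct())
```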