Re: [http-auth] Pete Resnick's No Objection on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)

Julian Reschke <julian.reschke@gmx.de> Fri, 20 February 2015 14:16 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C3B51A879A; Fri, 20 Feb 2015 06:16:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FaCXQlaSFPEV; Fri, 20 Feb 2015 06:16:02 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCABB1A8759; Fri, 20 Feb 2015 06:16:01 -0800 (PST)
Received: from [192.168.1.26] ([217.91.35.233]) by mail.gmx.com (mrgmx003) with ESMTPSA (Nemesis) id 0LmbZb-1XovWR3oBf-00aBuC; Fri, 20 Feb 2015 15:15:57 +0100
Message-ID: <54E74195.7010503@gmx.de>
Date: Fri, 20 Feb 2015 15:15:49 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Bjoern Hoehrmann <derhoermi@gmx.net>
References: <20150218214927.31074.15996.idtracker@ietfa.amsl.com> <54E511BF.1070503@gmx.de> <54E51652.4050301@qti.qualcomm.com> <54E51843.1050307@greenbytes.de> <CALaySJJCzgkUNpONxFdv9-ZUD_Qxa_70rt+3g+U60Ctt80CMAg@mail.gmail.com> <54E58D9C.5020207@gmx.de> <CAHbuEH7rf72Dx0QiLgEjPZ7vCDDinEYZE-E9yTvABfSii635Pg@mail.gmail.com> <54E61331.7080807@greenbytes.de> <1goceat2c0sh1sifsuq6rv7u5bbth190vq@hive.bjoern.hoehrmann.de> <54E66703.50207@gmx.de> <1spceahm85je6hntfufprl183lam06bjgi@hive.bjoern.hoehrmann.de> <9FFC8911-ADD5-41F5-BC9E-5E78BAEB53CE@gbiv.com>
In-Reply-To: <9FFC8911-ADD5-41F5-BC9E-5E78BAEB53CE@gbiv.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:KM7+voKM8hXuYcmGMPs4PgK+Jbd2uBpxpZVNewydo5lcKCkbYAH 59Il8lTnyHQ9DvLwLDrTohh0dTS9eWFwz2Mg3ZcjGlqVrZ4EF6ezusnnXaYzOW2sgjnJ5W8 9tjZPw1nxMSWq8d/KXq+ukW69kPEIJn7XJzYk8CjnH0dwf2MdGJ+0WLn9eHZPQWNMkOKeR9 jc3YFyFl3G9572ZTq5BAQ==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <http://mailarchive.ietf.org/arch/msg/http-auth/_kH9rCRYAu_QkGa36HTxko55fxg>
Cc: httpauth-chairs@ietf.org, "http-auth@ietf.org" <http-auth@ietf.org>, The IESG <iesg@ietf.org>, Barry Leiba <barryleiba@computer.org>, draft-ietf-httpauth-basicauth-update.all@ietf.org, Pete Resnick <presnick@qti.qualcomm.com>
Subject: Re: [http-auth] Pete Resnick's No Objection on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Feb 2015 14:16:04 -0000

On 2015-02-20 00:12, Roy T. Fielding wrote:
> ...
>> It should be something like
>>
>>   The first colon in a user-pass string separates username and password
>>   from one another; text after the first colon is part of the password.
>>   Usernames containing colons cannot be encoded in user-pass strings.
>>   Note that many user agents produce user-pass strings without checking
>>   that usernames supplied by users do not contain colons; recipients
>>   will then treat part of the username input as part of the password.
>>
>> This would actually define the correct interpretation of the first colon
>> rather than hinting at what recipients will do, avoid the "will likely"
>> speculation, and makes it more clear that colons in usernames are not an
>> option offered by the protocol that then needs to be restricted by a
>> MUST NOT for interoperability reasons, as far as I am concerned. It is
>> also more clear that "user agents accept colons" is an UI issue; with
>> the text in the draft `user-id` is used for both "string entered into
>> username form field" and "value in Authorization header" which can be
>> quite different due to colons.
>
> +1  (FYI, Apache httpd does exactly that.)
>
> ....Roy
>
> ...

I changed the text to:

>    Furthermore, a user-id containing a colon character is invalid, as
>    the first colon in a user-pass string separates user-id and password
>    from one another; text after the first colon is part of the password.
>    User-ids containing colons cannot be encoded in user-pass strings.
>
>    Note that many user agents produce user-pass strings without checking
>    that user-ids supplied by users do not contain colons; recipients
>    will then treat part of the username input as part of the password.

in <http://trac.tools.ietf.org/wg/httpauth/trac/changeset/128>.

Pete, Barry, does this sound good to you?

Best regards, Julian