Re: [http-auth] Normalization forms in draft-ietf-httpauth-basicauth-enc

Paul Hoffman <paul.hoffman@vpnc.org> Sun, 30 June 2013 21:35 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <51D09F98.2070508@gmail.com>
Date: Sun, 30 Jun 2013 14:35:43 -0700
References: <20130630142838.31885.15315.idtracker@ietfa.amsl.com> <51D04326.5060600@gmx.de> <DEA2EA74-7587-4CAA-9424-4478B136308E@vpnc.org> <51D09F98.2070508@gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, http-auth@ietf.org

On Jun 30, 2013, at 2:14 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

> Paul, your proposed text doesn't make sense to me, because with Basic auth, the server might keep a hash of the password instead of the raw password (to reduce the damage if the entire database gets stolen). In which case I would expect the server to normalize the password before it is hashed, without any check of the "expected value".

The process that is checking for equivalence is not necessarily the process that stored the (possibly normalized) password, and the two processes might have different views of what normalization to use. Normalizing takes time. Thus, I would expect that the server would do a straight check first, and only fall back to one or more forms of string conversion (normalization, fixing of various i18n digit forms, removing points in Hebrew, etc.) if the first test failed.

This isn't to say that your assumption is wrong, but it is not the only one. Thus, my particularly wavy wording.

--Paul Hoffman
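The check-then-fall-back strategy described in this message, as an added example that is not part of the original thread: a verifier compares the presented password exactly as received first, and only on a mismatch retries under successive Unicode normalization forms. The enrolling side may have normalized (or not) independently of the verifying side, which is the mismatch of views the message points at. The normalization forms tried and the PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Fallback forms tried in order after the straight comparison fails.
# Assumed for this example; the thread only says "one or more forms".
FALLBACK_FORMS = ("NFC", "NFKC")
ITERATIONS = 100_000  # assumed PBKDF2 work factor for illustration


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the UTF-8 bytes of the password as given."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, normalize: Optional[str] = None) -> Tuple[bytes, bytes]:
    """Store a salted hash. `normalize` models the enrolling process's own
    view of normalization (None = hash the password exactly as presented)."""
    if normalize:
        password = unicodedata.normalize(normalize, password)
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def verify(presented: str, salt: bytes, stored: bytes) -> Optional[str]:
    """Straight check first; on failure, fall back through FALLBACK_FORMS.
    Returns which comparison matched ("raw", "NFC", ...) or None."""
    if hmac.compare_digest(hash_password(presented, salt), stored):
        return "raw"
    tried = {presented}
    for form in FALLBACK_FORMS:
        candidate = unicodedata.normalize(form, presented)
        if candidate in tried:
            continue  # this form changed nothing; skip the costly re-hash
        tried.add(candidate)
        if hmac.compare_digest(hash_password(candidate, salt), stored):
            return form
    return None
```

Each fallback costs a full password hash, which is why the straight check goes first and unchanged candidates are skipped.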