Re: [http-auth] Pete Resnick's No Objection on draft-ietf-httpauth-basicauth-update-06: (with COMMENT)

Julian Reschke <julian.reschke@gmx.de> Wed, 18 February 2015 22:27 UTC

On 2015-02-18 22:49, Pete Resnick wrote:
> ...
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> 2: I'd at least like to hear an explanation about why this is
> unreasonable (if it is):
>
> OLD
>     Furthermore, a user-id containing a colon character is invalid, as
>     recipients will split the user-pass at the first occurrence of a
>     colon character.  Note that many user agents however will accept a
>     colon in user-id, thereby producing a user-pass string that
>     recipients will likely treat in a way not intended by the user.
> NEW
>     Furthermore, a user-id MUST NOT contain a colon character, as
>     recipients will split the user-pass at the first occurrence of a
>     colon character.  Many user agents will accept a colon in user-id,
>     but this produces a user-pass string that recipients will likely
>     treat in a way not intended by the user.
> END
>
> MUST NOT means that not using a colon is required for interoperation.
> Which is true. So I don't see why you don't come out and say that.
> ...

I just tested Firefox, Chrome, and IE. All of them accept colons in user 
ids and do exactly what the spec currently says. It seems pointless to 
me to say "MUST NOT" when it's widely implemented that way. In a new 
protocol I'd prefer and mandate "fail early", but this is not a new 
protocol.

Best regards, Julian
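
The split-at-first-colon behaviour discussed in this thread, as an added example that is not part of the original message or the draft. The function names, the sample credentials and the use of UTF-8 are assumptions made for illustration; the `strict` flag models the "fail early" option, not what the tested browsers do.

```python
import base64


def encode_basic(user_id, password, strict=False):
    """Build a Basic credentials value: base64(user-id ":" password).

    strict=False accepts a colon in user_id, as the thread reports the
    tested browsers do. strict=True rejects it up front ("fail early").
    """
    if strict and ":" in user_id:
        raise ValueError("user-id must not contain ':'")
    user_pass = f"{user_id}:{password}".encode("utf-8")  # UTF-8 is an assumption
    return "Basic " + base64.b64encode(user_pass).decode("ascii")


def decode_basic(header_value):
    """Recipient side: split user-pass at the FIRST colon only."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    try:
        user_pass = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError as exc:  # covers bad base64 and bad UTF-8
        raise ValueError("malformed credentials") from exc
    user_id, sep, password = user_pass.partition(":")
    if not sep:
        raise ValueError("user-pass has no colon")
    return user_id, password


if __name__ == "__main__":
    # Constructed sample: the user means user-id "corp:alice", password "s3cret".
    sent = encode_basic("corp:alice", "s3cret")
    print("recipient sees:", decode_basic(sent))

    # The same header value is produced by a different user-id/password pair,
    # so the recipient cannot tell which one the user intended.
    print("ambiguous:", sent == encode_basic("corp", "alice:s3cret"))

    # A colon in the password is unaffected by the first-colon split.
    print("password colon:", decode_basic(encode_basic("alice", "a:b")))

    try:
        encode_basic("corp:alice", "s3cret", strict=True)
    except ValueError as exc:
        print("strict sender:", exc)
```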