Re: [http-auth] UTF-8, usernames, passwords

Peter Saint-Andre - &yet <peter@andyet.net> Tue, 28 October 2014 01:05 UTC

Message-ID: <544EEB8A.7080903@andyet.net>
Date: Mon, 27 Oct 2014 19:04:10 -0600
From: Peter Saint-Andre - &yet <peter@andyet.net>
To: Yutaka OIWA <y.oiwa@aist.go.jp>
References: <544E6EDA.4060608@andyet.net> <CAMeZVwubv8XgX1nWzh-z7FFEyjzJapsKSkMS1LET=h7ua7OQzg@mail.gmail.com>
In-Reply-To: <CAMeZVwubv8XgX1nWzh-z7FFEyjzJapsKSkMS1LET=h7ua7OQzg@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/vFk_v-sTAjaCmhrihdQZhokClFQ
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] UTF-8, usernames, passwords

On 10/27/14, 6:52 PM, Yutaka OIWA wrote:
> Dear all,
>
> As an author of another PRECIS draft for HTTP authentication
> (http://tools.ietf.org/html/draft-oiwa-precis-httpauthprep-00),
> I personally feel that limiting the allowed characters to
> IdentifierClass is feasible and reasonable.
> It includes all "sensible IMO" characters for identifiers,
> is binary compatible with all printable ASCII characters,
> and is character-set compatible with the ISO-8859-1 set.
> It will not exclude any printable characters which are currently
> officially allowed in the spec.
>
> We should allow any number of "ASCII SPACE" U+0020
> between printable characters for backward compatibility,

Actually that is allowed by the current rule in saslprepbis:

    username   = userpart [1*(1*SP userpart)]

> and should not forbid any printable ASCII characters
> (except some schema-dependent "forbidden-by-protocol"
> character like colon <:> in basic).
> I strongly believe we should forbid any control characters.
> In both Peter's and my proposals, SPACEs at the
> beginning and the tail of the string are not allowed,
> which can be a target to discuss.
>
> I'm currently trying to seek a possible merger of
> my proposal into saslprepbis, to reduce the number of
> profiles to implement.

Yes, that is a good goal.

Peter

-- 
Peter Saint-Andre
https://andyet.com/
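
The space-handling rules discussed in this thread, as an added example that is not part of the original message or of either draft: a Python check for `username = userpart [1*(1*SP userpart)]` that also rejects control characters and the colon in Basic. It assumes a simplified `userpart` (any run of non-SP, non-control characters) and does not implement the PRECIS IdentifierClass; the function names, the scheme table and the sample inputs are hypothetical.

```python
import re
import unicodedata

# Assumption: only Basic has a scheme-specific forbidden character here,
# the colon named in the thread; other schemes get no extra restriction.
SCHEME_FORBIDDEN = {"basic": ":"}


def check_username(username, scheme="basic"):
    """Check username = userpart [1*(1*SP userpart)]; return (ok, reason).

    Simplification: a userpart is any run of non-SP, non-control characters.
    The PRECIS IdentifierClass restriction is not implemented.
    """
    if not username:
        return False, "empty username"
    # Unicode general category Cc covers C0 controls, DEL and C1 controls.
    if any(unicodedata.category(ch) == "Cc" for ch in username):
        return False, "control character"
    # The rule starts and ends with a userpart, so SP may only be internal.
    if username.startswith(" ") or username.endswith(" "):
        return False, "leading or trailing SP"
    for ch in SCHEME_FORBIDDEN.get(scheme, ""):
        if ch in username:
            return False, "character %r forbidden by scheme %s" % (ch, scheme)
    return True, "ok"


def userparts(username):
    """Split an accepted username on runs of one or more U+0020 (1*SP)."""
    return re.split(" +", username)


# Constructed sample inputs, not taken from the thread.
SAMPLES = ["john smith", "john   smith", " john", "john ", "jo\thn", "jo:hn"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), check_username(sample))
```
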