IETF Logo Mail Archive

Re: [http-auth] Working Group Last Call for draft-ietf-httpauth-basicauth-update-03.txt

Michael Sweet <msweet@apple.com> Wed, 03 December 2014 17:12 UTC

Return-Path: <msweet@apple.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F20D1A700A for <http-auth@ietfa.amsl.com>; Wed, 3 Dec 2014 09:12:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VyiBFxyiI8-2 for <http-auth@ietfa.amsl.com>; Wed, 3 Dec 2014 09:12:51 -0800 (PST)
Received: from mail-in2.apple.com (mail-out2.apple.com [17.151.62.25]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 189FE1A6F87 for <http-auth@ietf.org>; Wed, 3 Dec 2014 09:12:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1417626766; x=2281540366; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=kVu6NzH4YYjqHJIiexbIt9j9RB0AIlMoLD0Ts+noa80=; b=AhvUpBtKmVMkNH0ifhKPO7De9BvvjcSElH79dgPMICxP7XPltC/pvB9us5kpzx44 keij5Hr6sQjVJQaWTiGu8pzCW/V1pZFqur1Whu+P6byT4rbIufzdblECb429gvLX YLNE6RkAn+ct4gXSmT7m1hFTyijjfHdoCtb+FrPR5CV0uUHUSCASkpyBeETb+cC+ kcdAtP+2UKgSOpIsnd/5yfz6te1GUfq7sDuwniRVVfVPjQjSPEsbFtzLsBsnOST6 1RuroxEyvyLO6ctX7G9PRP0gu5lkFSgunzDuATR20yq2MYPndvn78d0dVoZqDom/ nPbPqj5nJPGajdB1Fm9QIQ==;
Received: from relay6.apple.com (relay6.apple.com [17.128.113.90]) by mail-in2.apple.com (Apple Secure Mail Relay) with SMTP id 7D.CA.18976.E844F745; Wed, 3 Dec 2014 09:12:46 -0800 (PST)
X-AuditID: 11973e11-f79a66d000004a20-cc-547f448e12e3
Received: from cardamom.apple.com (cardamom.apple.com [17.128.115.94]) (using TLS with cipher RC4-MD5 (128/128 bits)) (Client did not present a certificate) by relay6.apple.com (Apple SCV relay) with SMTP id 0E.7D.05775.A744F745; Wed, 3 Dec 2014 09:12:26 -0800 (PST)
Received: from [17.153.21.172] by cardamom.apple.com (Oracle Communications Messaging Server 7.0.5.30.0 64bit (built Oct 22 2013)) with ESMTPSA id <0NG00003WNSXCN70@cardamom.apple.com> for http-auth@ietf.org; Wed, 03 Dec 2014 09:12:46 -0800 (PST)
MIME-version: 1.0 (Mac OS X Mail 8.1 \(1993\))
Content-type: multipart/signed; boundary="Apple-Mail=_F26AEC32-E6CB-4E2C-BD0A-0FADE3BD74EB"; protocol="application/pkcs7-signature"; micalg="sha1"
From: Michael Sweet <msweet@apple.com>
In-reply-to: <547F3958.4020005@gmx.de>
Date: Wed, 03 Dec 2014 12:12:31 -0500
Message-id: <1EB23215-FEFE-48D1-B634-04E6485A899F@apple.com>
References: <20141202111608.27803.85751.idtracker@ietfa.amsl.com> <60D2DF51-5CD9-4A55-8031-4F974C0F8DF9@gmail.com> <61D95DD7-42F3-4483-8C72-E29C16180C56@apple.com> <547F3958.4020005@gmx.de>
To: Julian Reschke <julian.reschke@gmx.de>
X-Mailer: Apple Mail (2.1993)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrJLMWRmVeSWpSXmKPExsUi2FAYpdvnUh9isPubpsWH/XOYHBg9liz5 yRTAGMVlk5Kak1mWWqRvl8CVsev3MpaCL6EVp5ueMDUw9vh1MXJwSAiYSDzpCO5i5AQyxSQu 3FvP1sXIxSEksJdR4umKFnaIhInEiQPTmCESE5kkHnW8YoVw/jBKvPl6mRmkSlggSeL8jItg Nq+AnkTTk8dMIEXMAlMYJd6eXgyWYBNQk/g9qY8VxOYEsS9+ArNZBFQlLi+5zghiMwu4Syxt uMgCMchG4udXiEFCAgcZJeZvnQyWEBHQkrh9by8jxH2yEv8unmEHKZIQWMIm8XfdA7YJjEKz kFwyC9kls8C2aEssW/gayjaQeNr5ihXCNpV48nY7G4RtLfFzziNGCFtRYkr3Q/YFjOyrGIVy EzNzdDPzjPQSCwpyUvWS83M3MYLiYrqd4A7G46usDjEKcDAq8fA+iK4LEWJNLCuuzD3EKM3B oiTOu18RKCSQnliSmp2aWpBaFF9UmpNafIiRiYNTqoGxWfNUaf0p/d+Rq7qX9u3tLeoNmWx0 P+DqkarausCDPbvthb4bTOqa53v5aq5crel97XUnzDY6zv80p7DG9n6JM1vA4y+X9n/lCd8w TeYIw9PV9qr2K1hTpm6tC8ica52SUaQSsFVAUH53wFOnY609niyzJiw8oK/wgPHhthsNBpv1 X2jE6e5TYinOSDTUYi4qTgQAvXeOvGwCAAA=
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrJLMWRmVeSWpSXmKPExsUi2FAcp1vlUh9i8OYBh8WH/XOYHBg9liz5 yRTAGMVlk5Kak1mWWqRvl8CVsev3MpaCL6EVp5ueMDUw9vh1MXJySAiYSJw4MI0ZwhaTuHBv PVsXIxeHkMBEJolHHa9YIZw/jBJvvl4GqxIWSJI4P+MimM0roCfR9OQxE0gRs8AURom3pxeD JdgE1CR+T+pjBbE5QeyLn8BsFgFVictLrjOC2MwC7hJLGy6yQAyykfj5FWKQkMBBRon5WyeD JUQEtCRu39vLCHGfrMS/i2fYJzDyz0KyfBay5bPABmtLLFv4Gso2kHja+YoVwjaVePJ2OxuE bS3xc84jRghbUWJK90P2BYzsqxgFilJzEivN9BILCnJS9ZLzczcxggO5MGoHY8Nyq0OMAhyM Sjy8D6LrQoRYE8uKK3MPMaoAjXi0YfUFRimWvPy8VCURXnHH+hAh3pTEyqrUovz4otKc1OJD jNIcLErivGUqQJ0C6YklqdmpqQWpRTBZJg5OqQZGxl8G960q3p/jd8nRPbWw54/sy7b331TW TWO9/dmKxYzzWdojd3Zd4VU9H31T7jfPrLnk9OWzoBDX++tKM24X7Jsya06suoefjsID/Tc/ Oip/GymmPmq2/FzQGaz8dKn9lp38Z9ecPRbDam38fLP3gke6e2tXPiv8dc7upFaGbljnfAur yK8qSizFGYmGWsxFxYkAHZwd92wCAAA=
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/wuVA7SguF0mcB-YqRbJRGe6ijqQ
Cc: IETF HTTP Auth <http-auth@ietf.org>
Subject: Re: [http-auth] Working Group Last Call for draft-ietf-httpauth-basicauth-update-03.txt
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Dec 2014 17:12:55 -0000

Julian,

> On Dec 3, 2014, at 11:24 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> 
> On 2014-12-03 17:14, Michael Sweet wrote:
>> My comments:
>> 
>> - Section 2 makes the "charset" parameter OPTIONAL. I'm wondering if this should be RECOMMENDED in order to encourage adoption of UTF-8 usernames and passwords since that solves common deployment and interop issues.
> 
> This being an optional feature has been the intention since we started.
> 
> If a server has a use for non-ASCII characters, it has sufficient motivation to use it. In the other case, no amount of spec language will affect what it does.

OK, I was under the impression that one of the motivations for updating RFC 2617 was to address I18N issues.

>> - Section 2.1 uses "can" (servers can use the "charset" authentication parameter...) If "charset" is OPTIONAL in section 2, I think this should be "MAY" (servers MAY use ...), and if RECOMMENDED this should be "SHOULD" (servers SHOULD use ...), although then you'd want to clarify that it is a SHOULD when using UTF-8...
> 
> How is "MAY" better than "can"? This is a statement of fact, not an interoperability requirement.

Typically MAY is used in conjunction with OPTIONAL; from RFC 2119:

   5. MAY  This word, or the adjective "OPTIONAL", mean that an item is
   truly optional.  One vendor may choose to include the item because a
   particular marketplace requires it or because the vendor feels that
   it enhances the product while another vendor may omit the same item.
   An implementation which does not include a particular option MUST be
   prepared to interoperate with another implementation which does
   include the option, though perhaps with reduced functionality. In the
   same vein an implementation which does include a particular option
   MUST be prepared to interoperate with another implementation which
   does not include the option (except, of course, for the feature the
   option provides.)

Since the purpose is to indicate that servers will include the "charset" parameter to tell the client about the expected character encoding, something that is present specifically for interoperability with Unicode user IDs and passwords, I think that "MAY" is the right word to use here instead of its non-conformance synonym "can".

Alternately just drop "can" with no replacement, e.g.:

   In challenges, servers use the "charset" authentication parameter
   to indicate the character encoding scheme they expect the user agent
   to use when generating "user-pass" (a sequence of octets).  This
   information is purely advisory.

That avoids the whole consistency issues and makes it clear that the "charset" parameter is the one and only way of specifying the character encoding of the userid and password.

(I realize I'm being anal about this, but having spent the better part of 20 years writing/editing/reviewing technical documents and standards, I have seen a number of truly shocking misinterpretations of otherwise clear text...  "Weasel words" like "can" are often problematic...)

>> - Section 4 doesn't talk about using TLS/HTTPS, which is a common method for providing some level of protection for the cleartext password in transit.  It might be sufficient to simply expand on "enhancements", e.g.:
>> 
>>    Because Basic authentication involves the cleartext transmission of
>>    passwords it SHOULD NOT be used (without enhancements such as HTTPS [RFC2818])
>>    to protect sensitive or valuable information.
>> 
>>   with a corresponding informative reference to RFC 2818 in section 7.2.  That at least provides a pointer without endorsing Basic + HTTPS as a "secure" combination...
>> 
> 
> That sounds like a good addition.
> 
> Best regards, Julian

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

v2.23.0 | Report a Bug | By Email