Re: [OAUTH-WG] Discussion needed on username and password ABNF definitions
Phil Hunt <phil.hunt@oracle.com> Sun, 10 June 2012 19:06 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3018A21F8557 for <oauth@ietfa.amsl.com>; Sun, 10 Jun 2012 12:06:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ilufcV2R0yvX for <oauth@ietfa.amsl.com>; Sun, 10 Jun 2012 12:06:39 -0700 (PDT)
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by ietfa.amsl.com (Postfix) with ESMTP id DFB7B21F853C for <oauth@ietf.org>; Sun, 10 Jun 2012 12:06:38 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by rcsinet15.oracle.com (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id q5AJ6ZVf024851 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sun, 10 Jun 2012 19:06:36 GMT
Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id q5AJ6Yib002753 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 10 Jun 2012 19:06:35 GMT
Received: from abhmt105.oracle.com (abhmt105.oracle.com [141.146.116.57]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id q5AJ6YBX027279; Sun, 10 Jun 2012 14:06:34 -0500
Received: from [192.168.1.7] (/24.87.212.4) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 10 Jun 2012 12:06:34 -0700
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <4E1F6AAD24975D4BA5B168042967394366531375@TK5EX14MBXC284.redmond.corp.microsoft.com>
Date: Sun, 10 Jun 2012 12:06:36 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <50E22E60-6E83-45F8-8355-8C918A9637D1@oracle.com>
References: <4E1F6AAD24975D4BA5B16804296739436652F52D@TK5EX14MBXC284.redmond.corp.microsoft.com> <4FD4E9D4.2010808@gmx.de> <4E1F6AAD24975D4BA5B168042967394366531375@TK5EX14MBXC284.redmond.corp.microsoft.com>
To: Mike Jones <Michael.Jones@microsoft.com>
X-Mailer: Apple Mail (2.1278)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Cc: Julian Reschke <julian.reschke@gmx.de>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Discussion needed on username and password ABNF definitions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jun 2012 19:06:40 -0000
Isn't the nuance that Basic and Digest should be able to be passed through OAuth? Or is there a secondary requirement that uid/passwords forms in OAuth be re-encodable to Basic? So while "UTF-8 may not work with Basic and Digest" is that a valid concern? I think our concern should be limited to "Basic and Digest working within OAuth". Am I missing something? Phil @independentid www.independentid.com phil.hunt@oracle.com On 2012-06-10, at 11:50 AM, Mike Jones wrote: > Thanks for your reply, Julian. > > Given that, as you confirmed, UTF-8 "doesn't work with Basic and Digest", and they're required to be used with Basic, I believe that that confirms that username and password must either be ASCII or ISO-8859-1, and given that several people have written that ISO-8859-1 is a "non-starter", that effectively confirms the current syntax in -27 that username and password must be ASCII. Do you agree or am I missing a nuance here? > > Julian, there was one aspect of the open issue that you didn't reply to: Do you have an opinion on whether client_id and client_secret should be restricted to the same characters as username and password? This seems logical to me, as they are objects of the same kind as username and password, but I also sympathize with your sentiment that "we shouldn't extend this problem to anything new we define". On the other hand, given that client_id and client_secret are for machine (and not for human) consumption, I don't see any more need for internationalization of these fields than there was for scope (which the working group decided to limit to ASCII). > > Julian, what do you think? Working group, what do you think? > > Thanks, > -- Mike > > -----Original Message----- > From: Julian Reschke [mailto:julian.reschke@gmx.de] > Sent: Sunday, June 10, 2012 11:39 AM > To: Mike Jones > Cc: oauth@ietf.org > Subject: Re: Discussion needed on username and password ABNF definitions > > On 2012-06-08 20:09, Mike Jones wrote: >> Hi Julian, >> >> The current draft restricts username and password to ASCII was because RFC 2616 says this about the TEXT fields used by HTTP Basic in RFC 2617: >> "Words of *TEXT MAY contain characters from character sets other than >> ISO-8859-1 [22] only when encoded according to the rules of >> RFC 2047 [14]." >> >> Given that RFC 2047 MIME encodings aren't possible in this context, that you wrote that "If you define new protocol elements, either restrict them to US-ASCII, or find a way to encode all of Unicode", and you and Peter St. Andre wrote that using ISO-8859-1 is a non-starter, that seemed to leave ASCII as the only available choice. > > The other choice was "find a way to encode all of Unicode". The way to do this usually is to use UTF-8. That doesn't work with Basic and Digest, but we shouldn't extend this problem to anything new we define. > >> If you have an alternative proposal for encoding all of Unicode for username and password, I'd appreciate if you could propose specific text changes to -27 to accomplish them. I'd be fine with doing that, but didn't know how to satisfy all the constraints above for Unicode characters. Draft -27 is now available at http://tools.ietf.org/html/draft-ietf-oauth-v2-27. >> ... > > I haven't looked at the core OAuth spec. The right answer depends on where you use these protocol elements. > > Changing this into a question to the WG: is it acceptable to restrict all of these protocol elements to US-ASCII? > > Best regards, Julian > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Discussion needed on username and pass… Mike Jones
- Re: [OAUTH-WG] Discussion needed on username and … Julian Reschke
- Re: [OAUTH-WG] Discussion needed on username and … Mike Jones
- Re: [OAUTH-WG] Discussion needed on username and … Phil Hunt
- Re: [OAUTH-WG] Discussion needed on username and … Mike Jones
- Re: [OAUTH-WG] Discussion needed on username and … John Bradley
- Re: [OAUTH-WG] Discussion needed on username and … Julian Reschke
- Re: [OAUTH-WG] Discussion needed on username and … Mike Jones
- Re: [OAUTH-WG] Discussion needed on username and … John Bradley
- Re: [OAUTH-WG] Discussion needed on username and … Manger, James H
- Re: [OAUTH-WG] Discussion needed on username and … Mike Jones
- Re: [OAUTH-WG] Discussion needed on username and … Julian Reschke
- Re: [OAUTH-WG] Discussion needed on username and … Linlin Zhou
- Re: [OAUTH-WG] Discussion needed on username and … Hannes Tschofenig
- Re: [OAUTH-WG] Discussion needed on username and … William Mills
- Re: [OAUTH-WG] Discussion needed on username and … Mike Jones
- Re: [OAUTH-WG] Discussion needed on username and … Eran Hammer
- Re: [OAUTH-WG] Discussion needed on username and … George Fletcher
- Re: [OAUTH-WG] Discussion needed on username and … Eran Hammer
- Re: [OAUTH-WG] Discussion needed on username and … Mike Jones
- [OAUTH-WG] Dynamic clients, URI, and stuff Re: Di… William Mills
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Eran Hammer
- Re: [OAUTH-WG] Discussion needed on username and … William Mills
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Jianhua Shao
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Eve Maler
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Jianhua Shao
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Eve Maler