[OAUTH-WG] Discussion needed on username and password ABNF definitions

Mike Jones <Michael.Jones@microsoft.com> Fri, 08 June 2012 18:09 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Date: Fri, 08 Jun 2012 18:09:27 +0000

Hi Julian,

The current draft restricts username and password to ASCII because RFC 2616 says this about the TEXT fields used by HTTP Basic in RFC 2617:
   "Words of *TEXT MAY contain characters from character sets other than
    ISO-8859-1 [22] only when encoded according to the rules of
    RFC 2047 [14]."

Given that RFC 2047 MIME encodings aren't possible in this context, that you wrote that "If you define new protocol elements, either restrict them to US-ASCII, or find a way to encode all of Unicode", and you and Peter St. Andre wrote that using ISO-8859-1 is a non-starter, that seemed to leave ASCII as the only available choice.

If you have an alternative proposal for encoding all of Unicode for username and password, I'd appreciate if you could propose specific text changes to -27 to accomplish them.  I'd be fine with doing that, but didn't know how to satisfy all the constraints above for Unicode characters.  Draft -27 is now available at http://tools.ietf.org/html/draft-ietf-oauth-v2-27.

The working group should also discuss whether client_id and client_secret should use the same character set restrictions as username and password or whether they should be different for some reason.  In the case of one character, they need to be different:  The client_id field already allows colon (":") for reasons identified by Nat Sakimura, among others, whereas username can't because of HTTP Basic restrictions.

				Best wishes,
				-- Mike

-----Original Message-----
From: Julian Reschke [mailto:julian.reschke@gmx.de] 
Sent: Friday, June 08, 2012 2:52 AM
To: Mike Jones
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Draft OAuth Core spec changes updating proposed ABNF

On 2012-06-08 09:56, Mike Jones wrote:
> The attached proposed edits to the Core spec update the ABNF to remove 
> the character set restrictions that working group participants had 
> objected to, and to define common syntax elements, where appropriate.
> After working group review, I believe that these changes are ready to 
> be checked in for draft 27 after being merged with whatever other 
> changes Eran has made.
> ...

As far as I can tell, you have chosen to restrict everything to US-ASCII. That definitively makes the ABNF and the wire representation simpler, but it does break I18N big time.

And please don't tell me that people do not use non-ASCII characters in credentials (-> <https://bugzilla.mozilla.org/show_bug.cgi?id=41489>).

Focusing on username and password... If this relates to the use in Basic and Digest, it's fine that it has their current limitations; but in that case the ABNF shouldn't invent new productions and claim that they match 2617's when they do not.

If this relates to uses of usernames and passwords outside Basic and Digest (thus new uses), then I believe the proposed solution is not acceptable.

Best regards, Julian
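
Added example, not part of either message or of the draft: the two constraints discussed in this thread, shown on the RFC 2617 Basic wire format (user-pass = userid ":" password, base64-encoded). A colon in the identifier moves the receiver's split point, and a non-ASCII password changes value when sender and receiver assume different charsets. Function names and the sample credentials are constructed for illustration.

```python
import base64

def basic_header(userid: str, password: str, charset: str = "ascii") -> str:
    """Sender side: base64 of userid ":" password, encoded with `charset`."""
    raw = f"{userid}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic(header: str, charset: str = "ascii") -> tuple:
    """Receiver side: split on the FIRST colon, since userid excludes ':'."""
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    text = base64.b64decode(b64, validate=True).decode(charset)
    userid, sep, password = text.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return userid, password

def problems(userid: str, password: str) -> list:
    """Why a pair cannot be carried unambiguously under an ASCII-only rule."""
    found = []
    if ":" in userid:
        found.append("colon in userid")
    for name, value in (("userid", userid), ("password", password)):
        if not value.isascii():
            found.append(f"non-ASCII {name}")
    return found

def roundtrip(userid, password, send="ascii", recv="ascii"):
    """Encode with the sender's charset, decode with the receiver's."""
    return parse_basic(basic_header(userid, password, send), recv)

if __name__ == "__main__":
    # All credentials below are constructed sample data.
    umlaut_pw = "p\u00e4ssword"  # 'a' with diaeresis, outside US-ASCII
    print(roundtrip("alice", "s3cret"))        # survives unchanged
    print(roundtrip("app:1", "s3cret"))        # identifier is truncated
    print(roundtrip("alice", umlaut_pw, "utf-8", "iso-8859-1"))  # altered
    print(problems("app:1", umlaut_pw))
    try:
        basic_header("alice", umlaut_pw)       # ASCII-only sender
    except UnicodeEncodeError as exc:
        print("rejected:", exc.reason)
```
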