Re: [OAUTH-WG] Discussion needed on username and password ABNF definitions

Mike Jones <Michael.Jones@microsoft.com> Mon, 11 June 2012 22:17 UTC


Reviewing the feedback from Julian, John, and James, I'm coming to the conclusion that client_id and client_secret, being for machines and not humans, should be ASCII, whereas username and password should be Unicode, since they are for humans.  Per John's feedback, client_id cannot contain a colon and be compatible with HTTP Basic.

Therefore, I'd like to propose these updated ABNF definitions:

    VSCHAR = %x20-7E                    ; visible (printing) ASCII
    NOCOLONVSCHAR = %x20-39 / %x3B-7E   ; VSCHAR without ":" (%x3A), the HTTP Basic separator
    UNICODENOCTRLCHAR = <Any Unicode character other than ( %x0-1F / %x7F )>

    client-id = *NOCOLONVSCHAR
    client-secret = *VSCHAR

    username = *UNICODENOCTRLCHAR
    password = *UNICODENOCTRLCHAR

It turns out that non-ASCII characters are OK for username and password because the Core spec only passes them in the form body - not using HTTP Basic - and UTF-8 encoding is specified.

				-- Mike

P.S.  If anyone has a better ABNF for UNICODENOCTRLCHAR than "<Any Unicode character other than ( %x0-1F / %x7F )>", please send it to me!
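As an added illustration (my own code, not anything posted in this thread), the checks below transcribe the proposed ABNF classes into Python and show the two transport facts the proposal rests on: a colon inside client_id cannot survive the HTTP Basic split on the first colon, while username and password travel percent-encoded as UTF-8 in the form body. The function names and the sample credentials are constructed for this example.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# Character classes transcribed from the ABNF proposed above (pattern names are mine).
VSCHAR = re.compile(r"[\x20-\x7E]*")                  # VSCHAR = %x20-7E
NOCOLONVSCHAR = re.compile(r"[\x20-\x39\x3B-\x7E]*")  # VSCHAR minus ":" (%x3A)
UNICODENOCTRLCHAR = re.compile(r"[^\x00-\x1F\x7F]*")  # any code point except C0 controls and DEL


def valid_client_id(value: str) -> bool:
    return NOCOLONVSCHAR.fullmatch(value) is not None


def valid_client_secret(value: str) -> bool:
    return VSCHAR.fullmatch(value) is not None


def valid_username_or_password(value: str) -> bool:
    return UNICODENOCTRLCHAR.fullmatch(value) is not None


def basic_header(client_id: str, client_secret: str) -> str:
    """Encode client credentials as a naive HTTP Basic client would (no validation, UTF-8 bytes)."""
    userpass = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(userpass).decode("ascii")


def parse_basic_header(header: str) -> tuple:
    """Server side: split the decoded credential on the FIRST colon, as HTTP Basic requires."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, sep, secret = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("Basic credential has no colon")
    return user, secret


def basic_roundtrips(client_id: str, client_secret: str) -> bool:
    """True iff the server recovers exactly the pair the client encoded."""
    return parse_basic_header(basic_header(client_id, client_secret)) == (client_id, client_secret)


def password_grant_body(username: str, password: str) -> str:
    """Resource-owner password grant form body; urlencode percent-encodes non-ASCII as UTF-8."""
    return urlencode({"grant_type": "password", "username": username, "password": password})


def parse_form_body(body: str) -> dict:
    """Decode the form body the way a token endpoint would (UTF-8 is the default)."""
    return {key: values[0] for key, values in parse_qs(body, strict_parsing=True).items()}
```

A client_id such as "acme:web" passes through Basic as ("acme", "web:s3cr3t"), which is exactly why NOCOLONVSCHAR excludes %x3A.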

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Manger, James H
Sent: Monday, June 11, 2012 8:37 AM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] Discussion needed on username and password ABNF definitions

Are we so sure the non-English "half" of the world only use ASCII characters in passwords? Sounds highly unlikely to me.

> Given that, as you confirmed, UTF-8 "doesn't work with Basic and Digest"...

It can work. It is just underspecified. So things can get messy.
draft-reschke-basicauth-enc-05 is a current draft (March 2012) attempting to fix this as much as possible.

Forcing ASCII passwords for people feels unacceptable. Better would be to say OAuth servers accepting HTTP BASIC MUST accept UTF-8 encoded usernames and passwords. A warning about interop problems with non-ASCII passwords is OK.

ASCII-only for usernames is almost as bad. I thought internationalized email addresses were just standardized, and email addresses are often used as usernames.

For client id & password ASCII-only is less of an issue. These are values configured into apps, not remembered by human brains.


--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth