Re: [OAUTH-WG] Discussion needed on username and password ABNF definitions

[Julian Reschke <julian.reschke@gmx.de>]

On 2012-06-08 20:09, Mike Jones wrote:
> Hi Julian,
>
> The current draft restricts username and password to ASCII was because RFC 2616 says this about the TEXT fields used by HTTP Basic in RFC 2617:
>     "Words of *TEXT MAY contain characters from character sets other than
>      ISO-8859-1 [22] only when encoded according to the rules of
>     RFC 2047 [14]."
>
> Given that RFC 2047 MIME encodings aren't possible in this context, that you wrote that "If you define new protocol elements, either restrict them to US-ASCII, or find a way to encode all of Unicode", and you and Peter St. Andre wrote that using ISO-8859-1 is a non-starter, that seemed to leave ASCII as the only available choice.

The other choice was "find a way to encode all of Unicode". The way to 
do this usually is to use UTF-8. That doesn't work with Basic and 
Digest, but we shouldn't extend this problem to anything new we define.

> If you have an alternative proposal for encoding all of Unicode for username and password, I'd appreciate if you could propose specific text changes to -27 to accomplish them.  I'd be fine with doing that, but didn't know how to satisfy all the constraints above for Unicode characters.  Draft -27 is now available at http://tools.ietf.org/html/draft-ietf-oauth-v2-27.
> ...

I haven't looked at the core OAuth spec. The right answer depends on 
where you use these protocol elements.

Changing this into a question to the WG: is it acceptable to restrict 
all of these protocol elements to US-ASCII?

Best regards, Julian