IETF Logo Mail Archive

Re: [OAUTH-WG] Discussion needed on username and password ABNF definitions

Mike Jones <Michael.Jones@microsoft.com> Sun, 10 June 2012 19:25 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4CE721F8435 for <oauth@ietfa.amsl.com>; Sun, 10 Jun 2012 12:25:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.349
X-Spam-Level:
X-Spam-Status: No, score=-4.349 tagged_above=-999 required=5 tests=[AWL=-0.750, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oQOSRSKCh916 for <oauth@ietfa.amsl.com>; Sun, 10 Jun 2012 12:25:28 -0700 (PDT)
Received: from db3outboundpool.messaging.microsoft.com (db3ehsobe002.messaging.microsoft.com [213.199.154.140]) by ietfa.amsl.com (Postfix) with ESMTP id B1BF621F842B for <oauth@ietf.org>; Sun, 10 Jun 2012 12:25:27 -0700 (PDT)
Received: from mail29-db3-R.bigfish.com (10.3.81.243) by DB3EHSOBE003.bigfish.com (10.3.84.23) with Microsoft SMTP Server id 14.1.225.23; Sun, 10 Jun 2012 19:24:29 +0000
Received: from mail29-db3 (localhost [127.0.0.1]) by mail29-db3-R.bigfish.com (Postfix) with ESMTP id A1C73E0429; Sun, 10 Jun 2012 19:24:29 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC106.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: -36
X-BigFish: VS-36(zz98dI9371I936eIc3f2M542M1dbaI1432I4015Izz1202hzz1033IL8275bh8275dhz2fh2a8h668h839h944hd25hf0ah)
Received-SPF: pass (mail29-db3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC106.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail29-db3 (localhost.localdomain [127.0.0.1]) by mail29-db3 (MessageSwitch) id 1339356266910131_25156; Sun, 10 Jun 2012 19:24:26 +0000 (UTC)
Received: from DB3EHSMHS017.bigfish.com (unknown [10.3.81.244]) by mail29-db3.bigfish.com (Postfix) with ESMTP id D2B15180245; Sun, 10 Jun 2012 19:24:26 +0000 (UTC)
Received: from TK5EX14HUBC106.redmond.corp.microsoft.com (131.107.125.8) by DB3EHSMHS017.bigfish.com (10.3.87.117) with Microsoft SMTP Server (TLS) id 14.1.225.23; Sun, 10 Jun 2012 19:24:26 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.189]) by TK5EX14HUBC106.redmond.corp.microsoft.com ([157.54.80.61]) with mapi id 14.02.0309.003; Sun, 10 Jun 2012 19:25:13 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] Discussion needed on username and password ABNF definitions
Thread-Index: Ac1FodQD2X6ejXtzRTyOfL/3OPr81wBloKQAAAAZzsAAANqTAAAALarA
Date: Sun, 10 Jun 2012 19:25:12 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943665315C7@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739436652F52D@TK5EX14MBXC284.redmond.corp.microsoft.com> <4FD4E9D4.2010808@gmx.de> <4E1F6AAD24975D4BA5B168042967394366531375@TK5EX14MBXC284.redmond.corp.microsoft.com> <50E22E60-6E83-45F8-8355-8C918A9637D1@oracle.com>
In-Reply-To: <50E22E60-6E83-45F8-8355-8C918A9637D1@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.34]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: Julian Reschke <julian.reschke@gmx.de>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Discussion needed on username and password ABNF definitions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jun 2012 19:25:29 -0000

2.3.1 of Core http://tools.ietf.org/html/draft-ietf-oauth-v2-27#section-2.3.1 requires support for HTTP Basic.  Actually, in this context, it's requiring support for using Basic with client_id and client_secret, therefore I believe those must be restricted to ASCII, as (per Julian's note), UTF-8 does not work with HTTP Basic.

Per your question about "Basic and Digest working within OAuth", since these are separately specified by RFC 2617, I believe we are bound by the constraints in that specification (hence this discussion).

				Best wishes,
				-- Mike

P.S.  In re-reading the relevant portions of the draft, I discovered that in A.1, A.2, and A.16 the parenthetical text currently reads "This matches the ... definition in the HTTP Basic Authentication Scheme [RFC2617]".  This was an editorial error, as all of these places should instead read the same as A.15 which says "This is compatible with the ... definition in the HTTP Basic Authentication Scheme [RFC2617]" (changing the word "matches" to "is compatible").  This explains one of Julian's remarks, which had previously puzzled me. ;-)

-----Original Message-----
From: Phil Hunt [mailto:phil.hunt@oracle.com] 
Sent: Sunday, June 10, 2012 12:07 PM
To: Mike Jones
Cc: Julian Reschke; oauth@ietf.org
Subject: Re: [OAUTH-WG] Discussion needed on username and password ABNF definitions

Isn't the nuance that Basic and Digest should be able to be passed through OAuth?  Or is there a secondary requirement that uid/passwords forms in OAuth be re-encodable to Basic?

So while "UTF-8 may not work with Basic and Digest" is that a valid concern?  

I think our concern should be limited to "Basic and Digest working within OAuth". 

Am I missing something?

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2012-06-10, at 11:50 AM, Mike Jones wrote:

> Thanks for your reply, Julian.
> 
> Given that, as you confirmed, UTF-8 "doesn't work with Basic and Digest", and they're required to be used with Basic, I believe that that confirms that username and password must either be ASCII or ISO-8859-1, and given that several people have written that ISO-8859-1 is a "non-starter", that effectively confirms the current syntax in -27 that username and password must be ASCII.  Do you agree or am I missing a nuance here?
> 
> Julian, there was one aspect of the open issue that you didn't reply to:  Do you have an opinion on whether client_id and client_secret should be restricted to the same characters as username and password?  This seems logical to me, as they are objects of the same kind as username and password, but I also sympathize with your sentiment that "we shouldn't extend this problem to anything new we define".  On the other hand, given that client_id and client_secret are for machine (and not for human) consumption, I don't see any more need for internationalization of these fields than there was for scope (which the working group decided to limit to ASCII).
> 
> Julian, what do you think?  Working group, what do you think?
> 
> 				Thanks,
> 				-- Mike
> 
> -----Original Message-----
> From: Julian Reschke [mailto:julian.reschke@gmx.de] 
> Sent: Sunday, June 10, 2012 11:39 AM
> To: Mike Jones
> Cc: oauth@ietf.org
> Subject: Re: Discussion needed on username and password ABNF definitions
> 
> On 2012-06-08 20:09, Mike Jones wrote:
>> Hi Julian,
>> 
>> The current draft restricts username and password to ASCII was because RFC 2616 says this about the TEXT fields used by HTTP Basic in RFC 2617:
>>    "Words of *TEXT MAY contain characters from character sets other than
>>     ISO-8859-1 [22] only when encoded according to the rules of
>>    RFC 2047 [14]."
>> 
>> Given that RFC 2047 MIME encodings aren't possible in this context, that you wrote that "If you define new protocol elements, either restrict them to US-ASCII, or find a way to encode all of Unicode", and you and Peter St. Andre wrote that using ISO-8859-1 is a non-starter, that seemed to leave ASCII as the only available choice.
> 
> The other choice was "find a way to encode all of Unicode". The way to do this usually is to use UTF-8. That doesn't work with Basic and Digest, but we shouldn't extend this problem to anything new we define.
> 
>> If you have an alternative proposal for encoding all of Unicode for username and password, I'd appreciate if you could propose specific text changes to -27 to accomplish them.  I'd be fine with doing that, but didn't know how to satisfy all the constraints above for Unicode characters.  Draft -27 is now available at http://tools.ietf.org/html/draft-ietf-oauth-v2-27.
>> ...
> 
> I haven't looked at the core OAuth spec. The right answer depends on where you use these protocol elements.
> 
> Changing this into a question to the WG: is it acceptable to restrict all of these protocol elements to US-ASCII?
> 
> Best regards, Julian
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email