[OPSAWG] Barry Leiba's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS)
Barry Leiba via Datatracker <noreply@ietf.org> Thu, 16 May 2019 05:10 UTC
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Barry Leiba via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-opsawg-tacacs@ietf.org, Joe Clarke <jclarke@cisco.com>, opsawg-chairs@ietf.org, opsawg-chairs@ietf.org, opsawg@ietf.org
Reply-To: Barry Leiba <barryleiba@computer.org>
Message-ID: <155798342993.30658.12691604092353398933.idtracker@ietfa.amsl.com>
Date: Wed, 15 May 2019 22:10:29 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/jHMLDAzfwb6lXtl-VJdhrJ7WKhk>
Subject: [OPSAWG] Barry Leiba's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS)
Barry Leiba has entered the following ballot position for
draft-ietf-opsawg-tacacs-13: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

I support the DISCUSS ballots by Alexey and Roman, as well as the comments
by Deborah and Alissa that more text be in the introduction about the
status and limitations here.

I also need to add to Alexey’s DISCUSS on 4.6, Text Encoding:

   To ensure interoperability of current deployments, the TACACS+ client
   and server MUST handle user fields and those data fields used for
   passwords as 8-bit octet strings. The deployment operator MUST ensure
   that consistent character encoding is applied from the end client to
   the server.

This is a minefield. Treating passwords as raw octets without concern for
encoding and normalization can cause authentication failures and can be
used to attack systems where non-ASCII passwords are in use. Suppose I
enter “crème brûlée” as my password. How that’s represented in UTF-8
depends upon my input device, as there are at least two valid
representations of each accented vowel. Without
normalization/canonicalization, passwords entered on different input
devices might not match, blocking my access. And we haven’t touched on
bidirectional issues (mixing, say, Hebrew and English characters). The
precis framework has detailed explanations of how to deal with usernames
and passwords — see RFC 8265 (and, for the overall precis framework,
RFC 8264).

   The encoding SHOULD be UTF-8, and other encodings outside printable
   US-ASCII SHOULD be deprecated.

This doesn’t make sense with respect to how we use “deprecated”. You need
to say “are deprecated”, meaning that we recommend against using them.
There’s no BCP 14 “SHOULD” involved here.
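The normalization failure the ballot describes, shown as an added example (this code is not part of the ballot, the draft, or any TACACS+ implementation). The two password strings are constructed: the same visible text “crème brûlée” as a precomposed (NFC) sequence and as base letters plus combining accents (NFD), which is what two different input devices can legitimately produce. Comparing the raw UTF-8 octets, as the quoted draft text requires, fails; applying the same preparation on both sides before comparing makes them match. The `opaque_string` function is an assumption-labelled, simplified approximation of the RFC 8265 OpaqueString profile (non-ASCII spaces mapped to U+0020, no case mapping, NFC, non-empty result); it omits the FreeformClass membership check a full implementation must perform.

```python
import unicodedata

# Constructed sample input: the same visible password as emitted by two
# input devices. One produces precomposed code points (NFC form), the
# other produces base letters followed by combining accents (NFD form).
PASSWORD_NFC = "cr\u00e8me br\u00fbl\u00e9e"      # è, û, é as single code points
PASSWORD_NFD = "cre\u0300me bru\u0302le\u0301e"   # e + U+0300, u + U+0302, e + U+0301


def raw_octets(password: str) -> bytes:
    """The 8-bit octet string a client sends when the password field is
    treated as opaque bytes, as the quoted draft text requires."""
    return password.encode("utf-8")


def octet_match(stored: str, presented: str) -> bool:
    """Server-side comparison of raw octets with no normalization.
    Two valid encodings of the same visible password do not compare equal."""
    return raw_octets(stored) == raw_octets(presented)


def opaque_string(password: str) -> str:
    """Simplified RFC 8265 OpaqueString enforcement (assumption: this is an
    approximation written for this example, not a conforming PRECIS
    implementation; it omits the FreeformClass check).
    Rules applied: non-ASCII space -> SPACE, no case mapping, NFC, non-empty."""
    mapped = "".join(
        " " if unicodedata.category(ch) == "Zs" else ch for ch in password
    )
    normalized = unicodedata.normalize("NFC", mapped)
    if not normalized:
        raise ValueError("zero-length password after preparation is disallowed")
    return normalized


def precis_match(stored: str, presented: str) -> bool:
    """Comparison after both sides apply the same preparation, so octets
    derived from either input device compare equal."""
    return raw_octets(opaque_string(stored)) == raw_octets(opaque_string(presented))


if __name__ == "__main__":
    print("NFC octets:", raw_octets(PASSWORD_NFC))
    print("NFD octets:", raw_octets(PASSWORD_NFD))
    print("raw octet match:   ", octet_match(PASSWORD_NFC, PASSWORD_NFD))   # False
    print("normalized match:  ", precis_match(PASSWORD_NFC, PASSWORD_NFD))  # True
```

Running it prints the two distinct byte strings (15 versus 18 octets for the same password), `False` for the raw comparison and `True` after preparation. The practical point for a deployment is that the preparation has to happen identically at whichever end stores the credential and whichever end verifies it; "consistent character encoding" alone, as the draft puts it, does not cover the canonicalization step.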