Re: [precis] I-D Action: draft-ietf-precis-7564bis-09.txt

Peter Saint-Andre <> Mon, 18 September 2017 13:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 383DA132332 for <>; Mon, 18 Sep 2017 06:22:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.721
X-Spam-Status: No, score=-2.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key) header.b=flFO0KuU; dkim=pass (2048-bit key) header.b=ALas1JhK
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XvOYtAVDttge for <>; Mon, 18 Sep 2017 06:22:01 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 76232126C7A for <>; Mon, 18 Sep 2017 06:22:01 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal []) by mailout.nyi.internal (Postfix) with ESMTP id 6701620D0E; Mon, 18 Sep 2017 09:22:00 -0400 (EDT)
Received: from frontend2 ([]) by compute2.internal (MEProxy); Mon, 18 Sep 2017 09:22:00 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=cc :content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc :x-sasl-enc; s=fm1; bh=z7U0Hq1BNPV4Q+DCbaPq7Lcou1RdOuLjEphF27RW3 7s=; b=flFO0KuU4KmAJcybiSJC8jDxLez3kSxwD3TzatPAFYAHb1X71zcpExioo GZV6zAFzmcRDu8bEAtimpkLNOURfps/bydxe4w+fIVYP/P030BSKSfp3/9EoKJ0B 32OKpD4ooRoRFHwCfB73zJoCXnVPq1SLQqOCDGUEBG1ltvLCxlGMLHrmQNs99sZ4 O64BTz3aSw8AxGOs/LS03nmqa4DyKJD4WaMCLJ87/C8bHmNJftiIi3XSSSShVnVg ndLsbxCX3FsH1GGlocW+dZxeK2NcwQJ2I5dbSg/6lfmuIDFcva2mkJOWJSx895AX R6sj3ifg4wcNRf5pgn5aVU/SN/ufQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=z7U0Hq1BNPV4Q+DCba Pq7Lcou1RdOuLjEphF27RW37s=; b=ALas1JhK2V3gYkSOfEDpUP9FlMZ7CRlJwB XL3vR3sH5B3kLNdDnVHFezu1sRxKydnx2zeBji7PGfMW+ZaUwYr0tvtrVScXLn2N kbEqbuSDp0d7UCf+35e6qxntuoxE+jIAoZWcC8bQ9XrpBIYdUurNCG//HpR8ns9F Nwm7utXEHM8fNH9v/dCo94FxuPbpwZznWwIpcqts/42BQo5/Cs/y73bYoat1wBRw Fwlei82oDN+96oxyceaEDSkgOmtp96Nylybh4uDvmR0/eBPhLx44Dp3ihKmPJVPc qzCItH/r8iGbCwNVigg8KWll0DdXV/EujLQmToVa75IVlrOgJ+FA==
X-ME-Sender: <xms:eMi_WVZIM5ZxAGEiKgY1UkzjBDNGv8EEN9_vvqKHXcjMriPe--IYFA>
X-Sasl-enc: olR/BAy6CNf1wNqizUXhuT8zo3AiIB8fEGgUz///o38s 1505740920
Received: from aither.local (unknown []) by (Postfix) with ESMTPA id C3A9E24640; Mon, 18 Sep 2017 09:21:59 -0400 (EDT)
To: Sam Whited <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <>
From: Peter Saint-Andre <>
Message-ID: <>
Date: Mon, 18 Sep 2017 07:21:57 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="HkSfQeq46DCM8tBCpH5gEpaBJkGSkkuWt"
Archived-At: <>
Subject: Re: [precis] I-D Action: draft-ietf-precis-7564bis-09.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Preparation and Comparison of Internationalized Strings <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 18 Sep 2017 13:22:03 -0000

On 9/17/17 9:32 PM, Sam Whited wrote:
> On Sun, Sep 17, 2017, at 21:56, Peter Saint-Andre wrote:
>> It's true that a nickname / handle / display name is not a solid basis
>> on which to make authentication or authorization decisions. So don't do
>> that. :-)
>> Should we add a sentence about this to 7700bis?
> I suppose it couldn't hurt, but I'm not sure that it's necessary either.

I thought about it more overnight and I will look more closely at the
security considerations and introduction later today. I do think a
sentence or two would help.

> I was not attempting to suggest that the issue was that they would use
> the nickname profile for authentication, but that misusing it could be
> an issue in its own right.

The spec as written attempts, via use of NFKC, to prevent the most
egregious misuse (as quoted previously in this thread).

>> Again, if you would like to argue against publishing 7700bis, speak now
>> or forever hold your peace.
> That's what I'm doing right now :)

Actually you're arguing against the prior publication of RFC 7700, too,
which is why IMHO the burden of proof is a bit stronger - that was,
after all, a document that had IETF consensus.

>> You'd be going against the consensus of the
>> working group (which, after all, did publish RFC 7700 in 2015), so an
>> Internet-Draft (perhaps entitled "Nickname Profile Considered Harmful")
>> would be the most effective way to make your case.
> I do seem to be the lone dissenter in this matter 

Numbers are unimportant. RFC 7282 discusses this kind of scenario. What
matters is the issue, not the person who raises the issue or the number
of people who voice agreement.

> and since I no longer
> have a job that allows me the time to work on open source or standards
> in any serious way outside of the weekends I'm afraid I won't be able to
> make a better argument than what I've tried (poorly) to present in this
> email chain.

Communication is a two-way street. I get the sense that I haven't fully
understood your concern - it's open to interpretation whether you've
poorly presented the argument or I haven't grasped its implications.

As I've tried to express, there are legitimate concerns with the
Nickname profile or with any profile of the FreeformClass, but as far as
I can see we've done everything possible (via use of NFKC etc.) at this
stage in the development of internationalization technologies at the
IETF to address those concerns (or at least the concerns we've all had
for a long time - perhaps you are raising a new concern, which we need
to figure out).

Until we can get to the bottom of this, I'm going to ask the RFC Editor
to "pause the presses" for a few days. I'll try to find time later today
to propose a sentence or two that we can add to the introduction or
security considerations or both.