Re: [precis] I-D Action: draft-ietf-precis-7564bis-09.txt

[Peter Saint-Andre <stpeter@stpeter.im>]

On 9/17/17 9:32 PM, Sam Whited wrote:
> On Sun, Sep 17, 2017, at 21:56, Peter Saint-Andre wrote:
>> It's true that a nickname / handle / display name is not a solid basis
>> on which to make authentication or authorization decisions. So don't do
>> that. :-)
>>
>> Should we add a sentence about this to 7700bis?
> 
> I suppose it couldn't hurt, but I'm not sure that it's necessary either.

I thought about it more overnight and I will look more closely at the
security considerations and introduction later today. I do think a
sentence or two would help.

> I was not attempting to suggest that the issue was that they would use
> the nickname profile for authentication, but that misusing it could be
> an issue in its own right.

The spec as written attempts, via use of NFKC, to prevent the most
egregious misuse (as quoted previously in this thread).

>> Again, if you would like to argue against publishing 7700bis, speak now
>> or forever hold your peace.
> 
> That's what I'm doing right now :)

Actually you're arguing against the prior publication of RFC 7700, too,
which is why IMHO the burden of proof is a bit stronger - that was,
after all, a document that had IETF consensus.

>> You'd be going against the consensus of the
>> working group (which, after all, did publish RFC 7700 in 2015), so an
>> Internet-Draft (perhaps entitled "Nickname Profile Considered Harmful")
>> would be the most effective way to make your case.
> 
> I do seem to be the lone dissenter in this matter 

Numbers are unimportant. RFC 7282 discusses this kind of scenario. What
matters is the issue, not the person who raises the issue or the number
of people who voice agreement.

> and since I no longer
> have a job that allows me the time to work on open source or standards
> in any serious way outside of the weekends I'm afraid I won't be able to
> make a better argument than what I've tried (poorly) to present in this
> email chain.

Communication is a two-way street. I get the sense that I haven't fully
understood your concern - it's open to interpretation whether you've
poorly presented the argument or I haven't grasped its implications.

As I've tried to express, there are legitimate concerns with the
Nickname profile or with any profile of the FreeformClass, but as far as
I can see we've done everything possible (via use of NFKC etc.) at this
stage in the development of internationalization technologies at the
IETF to address those concerns (or at least the concerns we've all had
for a long time - perhaps you are raising a new concern, which we need
to figure out).

Until we can get to the bottom of this, I'm going to ask the RFC Editor
to "pause the presses" for a few days. I'll try to find time later today
to propose a sentence or two that we can add to the introduction or
security considerations or both.

Peter