Re: [precis] I-D Action: draft-ietf-precis-7564bis-09.txt

Peter Saint-Andre <stpeter@stpeter.im> Tue, 19 September 2017 15:40 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: precis@ietfa.amsl.com
Delivered-To: precis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5309B134292 for <precis@ietfa.amsl.com>; Tue, 19 Sep 2017 08:40:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.721
X-Spam-Level:
X-Spam-Status: No, score=-2.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=j+wDNFZe; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=VZzx98D6
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TlLzE1S-P09P for <precis@ietfa.amsl.com>; Tue, 19 Sep 2017 08:39:59 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24FB3133020 for <precis@ietf.org>; Tue, 19 Sep 2017 08:39:58 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 5AA75213F5; Tue, 19 Sep 2017 11:39:58 -0400 (EDT)
Received: from frontend1 ([10.202.2.160]) by compute2.internal (MEProxy); Tue, 19 Sep 2017 11:39:58 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc :x-sasl-enc; s=fm1; bh=4Pw4+tHRS96gfIdWmlcKY3e6GcZxUdYz0lbsdmLag dE=; b=j+wDNFZe/La0G785DGtjzGrAKEtnOnCdtOa5+hXXLFd2kABN4wocc4HD0 hSgFZm2b4P4IyPtdiAuWcoV3c/uBqDEX4h8jwyIREFS2SslzCSTMGAG8nLFyr4o+ +hey/ydJTpYsLipHnmvXExOmt/zeZ2WnQPrFSOFOkQDQFJ9CYorEP/ICp/8l26HQ NKP/CD+qmu0i2DOh6HbMHCVpzFv8JgCQoSfJewe+TCDxY55To1W7qD0TSpj5VU1L qDfYUrYSOPsU3B7TKniOLKoiWV25A4Ru2b0Ii7DVLsjWadzXIyxGzPG3G2f4kFlj UayzSexM/Jwe9ZrwM8wtSGS0djrqQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=4Pw4+tHRS96gfIdWml cKY3e6GcZxUdYz0lbsdmLagdE=; b=VZzx98D68GDnTfePOEvGXbJlZtwIgkdQEz oL0WPPdPvY7heTDnnvoIA4/AeC76C8DEWG+2OxnwF+pragsBXm1Dk8oQlILhRh8z D7zFNsS7kau/c7J32LJEOwuF8hVqllJgpO5mq1cSglhloRlLQR8ZLTQI/uoFbNP+ ASw37ErEy4Ql9BwpEhyreT1kyAb1yfLXWfhbD7WoKxf/D9RiHMEOaOLbAhxYp0Pu MA5H1Q9XcrtVPrfw6UMTqXRsVhVrbSdBK8+w34RrONkZ2Nbi6S+PM4ZkBoYoRD8V iMNOVuspvxppvg4k4dQafhhEoOlj17nK6qrvQTsMIEsAJhET9Slw==
X-ME-Sender: <xms:TjrBWd-8F3ZUql8kNaCIMEk33cTOSsXfEfL_gwp_DQX833t5Wu6HEQ>
X-Sasl-enc: HYjhq6Xklkck9ji412t/nvAmizJ480Cmn4mfA8BzdsjE 1505835597
Received: from aither.local (107-1-214-226-ip-static.hfc.comcastbusiness.net [107.1.214.226]) by mail.messagingengine.com (Postfix) with ESMTPA id B97F87FA6B; Tue, 19 Sep 2017 11:39:57 -0400 (EDT)
From: Peter Saint-Andre <stpeter@stpeter.im>
To: Sam Whited <sam@samwhited.com>
Cc: precis@ietf.org
References: <150024725625.303.17137036571104960991@ietfa.amsl.com> <33f7468c-6742-7cbe-fa6f-70002c35cc62@stpeter.im> <CAHbk4RLa5AZp+sKUMoVOE2VsUmaDKGdWBqoTvurU_o=rj_OM0g@mail.gmail.com> <1504880015.1561911.1099626960.6CB0430C@webmail.messagingengine.com> <bd11bb2f-81a7-4081-ed49-15fa0fcb117c@stpeter.im> <1505397979.578298.1106052760.03A5025F@webmail.messagingengine.com> <0fc31e75-7893-c982-30b4-a6fe4ecae5fb@stpeter.im> <1505675616.1686212.1109016016.7A9E7FFE@webmail.messagingengine.com> <a50d8f06-2a2e-5062-5a9d-ace5b718090c@stpeter.im> <1505681506.1709856.1109072624.0D72B3D4@webmail.messagingengine.com> <70293ba4-d48d-fe38-4ea2-cfcb8254978c@stpeter.im> <1505695043.1765196.1109187000.6BDEAF89@webmail.messagingengine.com> <c1760796-0bde-d85c-9c67-b6eb934dfba8@stpeter.im> <1505705546.1810302.1109287696.57457A90@webmail.messagingengine.com> <9ff90d8e-d130-0443-d3bd-4964b101f957@stpeter.im>
Message-ID: <b7fd055f-56ec-6092-c810-d7368e9a634b@stpeter.im>
Date: Tue, 19 Sep 2017 09:39:55 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <9ff90d8e-d130-0443-d3bd-4964b101f957@stpeter.im>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="igDNTQOimaBSCi7orMUOtfH1MeG3B9wIF"
Archived-At: <https://mailarchive.ietf.org/arch/msg/precis/e21ovvM4iUEFtxOBk57rOKWy7Ag>
Subject: Re: [precis] I-D Action: draft-ietf-precis-7564bis-09.txt
X-BeenThere: precis@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Preparation and Comparison of Internationalized Strings <precis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/precis>, <mailto:precis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/precis/>
List-Post: <mailto:precis@ietf.org>
List-Help: <mailto:precis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/precis>, <mailto:precis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Sep 2017 15:40:01 -0000

On 9/18/17 7:21 AM, Peter Saint-Andre wrote:
> On 9/17/17 9:32 PM, Sam Whited wrote:
>> On Sun, Sep 17, 2017, at 21:56, Peter Saint-Andre wrote:
>>> It's true that a nickname / handle / display name is not a solid basis
>>> on which to make authentication or authorization decisions. So don't do
>>> that. :-)
>>>
>>> Should we add a sentence about this to 7700bis?
>>
>> I suppose it couldn't hurt, but I'm not sure that it's necessary either.
> 
> I thought about it more overnight and I will look more closely at the
> security considerations and introduction later today. I do think a
> sentence or two would help.

Here is some proposed text to address part of Sam's concern.

First, in the Introduction...

OLD

   The rules specified in this document can be applied in all of the
   foregoing contexts.

   To increase the likelihood that memorable, human-friendly names will
   work in ways that make sense for typical users throughout the world,
   this document defines rules for handling nicknames in terms of the
   preparation, enforcement, and comparison of internationalized strings
   (PRECIS) framework specification [RFC8264].

NEW

   The rules specified in this document can be applied in all of the
   foregoing contexts.

   It is important to understand that a nickname is a personally
   memorable name or handle for something that has a more stable,
   underlying identity, such as a URI or a file path. To ensure secure
   operation of applications that use nicknames, authentication and
   authorization decisions MUST be made on the basis of the thing's
   identity, not its nickname.

   To increase the likelihood that memorable, human-friendly names will
   work in ways that make sense for typical users throughout the world,
   this document defines rules for handling nicknames in terms of the
   preparation, enforcement, and comparison of internationalized strings
   (PRECIS) framework specification [RFC8264].

Second, we might repeat that paragraph in a new subsection of the
Security Considerations, too.

Third, I suggest that we move the following paragraph from the end of
Section 4 to the end of Section 2.1:

   Implementation experience has shown that applying the rules for the
   Nickname profile is not an idempotent procedure for all code points.
   Therefore, an implementation SHOULD apply the rules repeatedly until
   the output string is stable; if the output string does not stabilize
   after reapplying the rules three (3) additional times after the first
   application, the implementation SHOULD terminate application of the
   rules and reject the input string as invalid.

Peter