Dear Julian and Peter (added),

how about the things ongoing about handling of HTTP-AUTH normalization in context of PRECIS?

I proposed a general-purpose HTTP-AUTH normalization profile to the PRECIS WG (just because I need it :-), and they considered merging it with the new SASLPREPbis.

My current draft is http://tools.ietf.org/html/draft-oiwa-precis-httpauthprep-00 .
SASLPREPbis is in the WG pool as http://tools.ietf.org/html/draft-ietf-precis-saslprepbis-06 .

I am awaiting actions for whether the merging will actually happen or not. In my understanding, removing of SASL-dependent natures (e.g. that in Username grammar) from current saslprepbis is not going forward yet, and current SASLPREPbis is, at least personally, not applicable for any HTTP auth schemes except SASL-backed ones. To clarify, SASLPREPbis is really good, and the differences are not large but critical.

I think there are several possible directions for us to go:

1) Go merging: push forward to make saslprepbis a general-purpose precis profile by separating still-remaining SASL-only features. IMO, in this case we may need two separate application notes documents for SASL and HTTP-AUTH.

2) Go separate: discuss HTTPAUTH in context of PRECIS separately from SASLPREP. I believe that my draft will give us a good starting point, as my best effort.

3) for Julian, one possible best current cheating, if you can't wait for the PRECIS WG, might be to just specify NFC as a canonical form. Both SASLPREP and HTTPAUTHprep (and many other PRECIS profiles) are NFC based, so it will not likely harm future development of proper PRECIS-based "preparation" (including normalization).

Also, I would be happy if Julian (as talked in Vancouver) and other people in the HTTPAUTH WG and PRECIS WG could give us feedback on my proposal from both WGs' points of view.

2014-02-04 Julian Reschke <[email protected]>:
> On 2013-10-05 11:01, Julian Reschke wrote:
>>
>> On 2013-09-12 12:35, Julian Reschke wrote:
>>>
>>> On 2013-08-21 21:22, Matthew Lepinski wrote:
>>>>
>>>> Draft minutes for the HTTP-AUTH session have been posted.
>>>>
>>>> They can be found at:
>>>> http://www.ietf.org/proceedings/87/minutes/minutes-87-httpauth
>>>>
>>>> If you notice any omissions or other errors in the minutes, please let
>>>> us know.
>>>> ...
>>>
>>>
>>> OK, the minutes mention:
>>>
>>> "Unicode Normalization : Getting from what is typed in to Unicode code
>>> points will require discussion"
>>>
>>> So how do we proceed from here? Any concrete proposals for what to say?
>>
>>
>> It seems we don't know what to say then, right?
>>
>> How about: "Beware that differing Unicode normalization forms can cause
>> interoperability problems. See [http://unicode.org/reports/tr15/]."?
>>
>>
>> Best regards, Julian
>
>
> So, does anybody have a good plan how to approach the normalization problem?
>
> Otherwise we'll just have to state that there are dragons out there, and
> that we don't know the solution...
>
>
> Best regards, Julian

--
Yutaka OIWA, Ph.D.
Leader, System Life-cycle Research Group
Research Institute for Secure Systems (RISEC)
National Institute of Advanced Industrial Science and Technology (AIST)
Mail addresses: <[email protected]>, <[email protected]>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]

_______________________________________________
precis mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/precis
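
The interoperability problem discussed in this thread, and the effect of option 3 (NFC as the canonical form), shown as an added example that is not part of the original message or of either draft. It assumes an HTTP Basic style token carrying UTF-8 `user:password`; the account values and function names are constructed for illustration, and plain NFC is only the normalization step, not a full PRECIS profile.

```python
import base64
import hmac
import unicodedata

# Constructed sample account: the server stored precomposed (NFC) strings,
# while the client's input method produced decomposed (NFD) strings.
STORED_USER, STORED_PASSWORD = "Jos\u00e9", "n\u00e4chste"
TYPED_USER, TYPED_PASSWORD = "Jose\u0301", "na\u0308chste"


def nfc(text: str) -> str:
    """Return the NFC form of text (Unicode Standard Annex #15)."""
    return unicodedata.normalize("NFC", text)


def basic_credentials(user: str, password: str, normalize: bool) -> str:
    """Build a Basic-style token: base64 of UTF-8 "user:password"."""
    if normalize:
        user, password = nfc(user), nfc(password)
    return base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def server_accepts(token: str, stored_user: str, stored_password: str,
                   normalize: bool) -> bool:
    """Decode a token and compare it byte-for-byte with the stored account."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and invalid UTF-8
        return False
    user, _, password = decoded.partition(":")
    pairs = [(user, stored_user), (password, stored_password)]
    if normalize:
        pairs = [(nfc(a), nfc(b)) for a, b in pairs]
    # Evaluate both comparisons, each in constant time, before combining.
    results = [hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))
               for a, b in pairs]
    return all(results)


if __name__ == "__main__":
    raw = basic_credentials(TYPED_USER, TYPED_PASSWORD, normalize=False)
    print("same text on screen, different code points:", TYPED_USER != STORED_USER)
    print("no normalization :", server_accepts(raw, STORED_USER, STORED_PASSWORD, False))
    print("NFC on both sides:", server_accepts(raw, STORED_USER, STORED_PASSWORD, True))
```
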
