Yes, I think it is best to define a separate profile for HTTPAUTH (based
on various conversations at the last IETF meeting). I will try to review
your document again very soon.
Peter
On 2/3/14, 5:18 PM, Yutaka OIWA wrote:
Dear Julian and Peter (added),
how about the things ongoing about handling of
HTTP-AUTH normalization in context of PRECIS?
I proposed general-purpose HTTP-AUTH normalization
profile to PRECIS WG (just because I need it :-),
and they considered merging it with new SASLPREPbis.
My current draft is
http://tools.ietf.org/html/draft-oiwa-precis-httpauthprep-00 .
SASLPREPbis is in WG pool as
http://tools.ietf.org/html/draft-ietf-precis-saslprepbis-06 .
I am awaiting actions for whether the merging
will actually happen or not.
In my understanding, removing of SASL-dependent
natures (e.g. that in Username grammer) from current
saslprepbis is not going forward yet, and current
SASLPREPbis is, at least personally, not applicable
for any HTTP auth schemes except SASL-backed ones.
For clarify, SASLPREPbis is really good, and the differences
are not large but critical.
I think there is several possible directions for us to go:
1) Go merging: push forward to make saslprepbis a
general-purpose precis profile by separating
still-remaining SASL-only features.
IMO, in this case we may need two separate
application notes documents for SASL and HTTP-AUTH.
2) Go separate: discuss HTTPAUTH in context of
PRECIS separately from SASLPREP.
I believe that my draft will give us a good starting point,
as my best effort.
3) for Julian, one possible best current cheating, if you
can't wait PRECIS WG, might be just specify NFC as a
canonical form. Both SASLPREP and HTTPAUTHprep
(and many other PRECIS profiles) are NFC based,
so it will not likely harm future development of proper
PRECIS-based "preparation" (including normalization).
Also, I would be happy if Julian (as talked in Vancouver)
and other people in HTTPAUTH WG and PRECIS WG
could give us a feedback on my proposal from the
both WG's points of view.
2014-02-04 Julian Reschke <[email protected]>:
On 2013-10-05 11:01, Julian Reschke wrote:
On 2013-09-12 12:35, Julian Reschke wrote:
On 2013-08-21 21:22, Matthew Lepinski wrote:
Draft minutes for the HTTP-AUTH session have been posted.
They can be found at:
http://www.ietf.org/proceedings/87/minutes/minutes-87-httpauth
If you notice any omissions or other errors in the minutes, please let
us know.
...
OK, the minutes mention:
"Unicode Normalization : Getting from what is typed in to Unicode code
points will require discussion"
So how do we proceed from here? Any concrete proposals for what to say?
It seems we don't know what to say then, right?
How about: "Beware that differing Unicode normalization forms can cause
interoperability problems. See [http://unicode.org/reports/tr15/].";?
Best regards, Julian
So, does anybody have a good plan how to approach the normalization problem?
Otherwise we'll just have to state that there are dragons out there, and
that we don't know the solution...
Best regards, Julian
_______________________________________________
http-auth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/http-auth
--
Peter Saint-Andre
https://stpeter.im/
_______________________________________________
precis mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/precis
