Dear PRECIS WG attendees,

Since the last meeting in Toronto, I've sent some discussion material to Alexey and Peter for merging HTTP generic authentication into SASLPREPBIS and having a single "generic" profile.

The personal discussion is still ongoing, but I'd like to share my July proposal with ML readers as material for Friday's F2F discussions with other people as well. We're also awaiting discussion in the HTTPAUTH WG on whether we need to allow almost arbitrary characters for usernames and passwords. My personal preference now is to use IdentifierClass (contrary to my first preference in the past).

Cheers,
Yutaka

---------- Forwarded message ----------
From: Yutaka OIWA <[email protected]>
Date: 2014-07-25 5:45 GMT+09:00
Subject: Possible merge proposal for saslprepbis / httpauthprep
To: Peter Saint-Andre <[email protected]>, Alexey Melnikov <[email protected]>, Takahiro Nemoto <[email protected]>

Dear Peter and Alexey,
(cc: takahiro-san)

As promised in the working group session Tuesday, I've prepared "just a straw-man" for the ToC of the merged profile document. Could you give me your frank comments on this? I think most of it is self-explanatory for rearranging existing texts.

P.S. If possible, please consider thinking of the "forbidden" characters for userpart in SASL. SP, @ and " are known to me, but are there more?

1. Introduction
2. What the Username and Password Profiles Provide
3. Terminology
4. Usernames
   4.1. Definition
   4.2. Preparation
5. Passwords
   5.1. Definition
   5.2. Preparation
6. Usage Guidelines
   6.1. Usage for SASL-related applications
        6.1.1. Acceptable Syntax Subset
               6.1.1.1. Examples
        6.1.2. Case Mapping
        6.1.3. Migration
               6.1.3.1. Usernames
               6.1.3.2. Passwords
        6.1.4. Other Notes
   6.2. Usage for HTTP Authentications
        6.2.1. Range of Applicability
        6.2.2. Notes on Syntax
        6.2.3. Case Mapping
        6.2.4. Roles of servers and clients
        6.2.5. Backward "Compatibility"
   6.3. Guides for other generic use-cases
7. IANA Considerations
   7.1. UsernameIdentifierClass
   7.2. PasswordFreeformClass
8. Security Considerations
   8.1. Password/Passphrase Strength
   8.2. Identifier Comparison
   8.3. Reuse of PRECIS
   8.4. Reuse of Unicode
   8.5. Application-specific Considerations (if any)
9. References
   9.1. Normative References
   9.2. Informative References
Appendix A. Differences from RFC 4013 (SASLprep)
Appendix B. Acknowledgements
Authors' Addresses

-- 
Yutaka OIWA, Ph.D.
Leader, System Life-cycle Research Group
Research Institute for Secure Systems (RISEC)
National Institute of Advanced Industrial Science and Technology (AIST)
Mail addresses: <[email protected]>, <[email protected]>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D 3139 8677 9BD2 4405 46B5]

_______________________________________________
precis mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/precis
