Re: [webrtc-pc] Validate an ICE server url is missing length check for username (#3049)

> Semi-related, why is "do not exist" used in step 7 and therefore forbids rejecting an empty username?
> Apparently 3/4 implementations [do not agree either](https://wpt.fyi/results/webrtc/RTCConfiguration-iceServers.html?label=experimental&label=master&aligned). What is the TURN client supposed to put into the username field? Firefox actually puts an empty string there which is unlikely to be useful and fails to proceed with an empty password.

On username, Firefox follows spec: [RFC 8489 section 14.3](https://www.rfc-editor.org/rfc/rfc8489.html#section-14.3) says: _"USERNAME is a variable-length value containing the authentication username.  It MUST contain a UTF-8-encoded [[RFC3629](https://www.rfc-editor.org/rfc/rfc3629)] sequence of fewer than 509 bytes and MUST have been processed using the OpaqueString profile [[RFC8265](https://www.rfc-editor.org/rfc/rfc8265)]."_

Since zero is less than 509, `USERNAME=""` appears valid, and would only 401 unless the server has an account named `""` of course.

But [RFC 8265 section 4.1](https://www.rfc-editor.org/rfc/rfc8265#section-4.1) says _"A password MUST NOT be zero bytes in length."_


-- 
GitHub Notification of comment by jan-ivar
Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/3049#issuecomment-2887495462 using your GitHub account



Received on Friday, 16 May 2025 19:14:02 UTC
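
The two rules quoted in the message above (USERNAME fewer than 509 bytes of UTF-8, password not zero bytes), written as a check over `iceServers` entries. This is an added example, not part of the original comment, the spec text, or any browser's code; `checkTurnCredentials`, `utf8ByteLength` and the sample entries are hypothetical, and only the NFC step of the OpaqueString profile is applied.

```javascript
// Added example; not code from the spec, the issue thread, or any browser.
// Limit from the RFC 8489 section 14.3 text quoted above: fewer than 509 bytes.
const MAX_USERNAME_BYTES = 508;
const utf8 = new TextEncoder();

// Hypothetical helper: UTF-8 byte length after NFC normalization. NFC is only
// one step of the OpaqueString profile; the rest is not enforced here.
function utf8ByteLength(value) {
  return utf8.encode(value.normalize('NFC')).length;
}

// Hypothetical helper: returns a list of problems for one iceServers entry.
// An empty list means username and credential pass both quoted rules.
function checkTurnCredentials(server) {
  const problems = [];
  const { username, credential } = server;
  // An empty username is zero bytes, so it passes the length rule below.
  if (typeof username !== 'string') {
    problems.push('username missing');
  } else if (utf8ByteLength(username) > MAX_USERNAME_BYTES) {
    problems.push(`username exceeds ${MAX_USERNAME_BYTES} bytes`);
  }
  if (typeof credential !== 'string') {
    problems.push('credential missing');
  } else if (utf8ByteLength(credential) === 0) {
    problems.push('credential is zero bytes');
  }
  return problems;
}

// Constructed sample entries (turn.example.invalid is a placeholder host).
const url = 'turn:turn.example.invalid';
const samples = {
  emptyUsername: { urls: url, username: '', credential: 'secret' },
  emptyPassword: { urls: url, username: 'alice', credential: '' },
  // 170 UTF-16 code units, but 510 bytes once encoded as UTF-8.
  multibyte: { urls: url, username: '\u20ac'.repeat(170), credential: 'secret' },
  asciiAtLimit: { urls: url, username: 'a'.repeat(508), credential: 'secret' },
};

for (const [name, server] of Object.entries(samples)) {
  console.log(name, checkTurnCredentials(server));
}
```

The `multibyte` entry shows why the limit has to be measured on encoded bytes: a check on `username.length` would see 170 and accept it.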