Re: [sasl] Last Call: draft-ietf-sasl-scram

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



--On Tuesday, September 15, 2009 02:55:54 PM -0500 Nicolas Williams <Nicolas.Williams@xxxxxxx> wrote:

I think the right answer is to leave _query_ strings unnormalized and
require that _storage_ strings be normalized (see my separate reply on
that general topic, with a different Subject:, just now).

Or at least, leave query strings unnormalized until just before the query happens, and then normalize them in the same way as the storage string.

More generally, what you want is normalization-insensitive comparison, and normalization of storage strings when they are stored is just an optimization for that.

Except in cases like SCRAM, where strings are used to derive cryptographic keys or in other ways where it matters whether they're the same, but you don't get to compare them directly. Then you need to insure that the same input string is always transformed in the same way, or things break. Unfortunately, for SCRAM passwords, it's the client that has to do that transformation on every transaction, so we must insure that all clients do so in the same way.

-- Jeff
_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]