--On Tuesday, September 22, 2009 17:58 +0200 Simon Josefsson <simon@xxxxxxxxxxxxx> wrote:

>...
> Personally (speaking as one of few SASLprep implementers) I
> believe using NFC alone would be better from many perspectives
> than SASLprep for passwords. But I can't point to any
> substantial document to support that belief, and there are
> obvious disadvantages with the NFC-approach (less stability
> because of versioning differences) that would need to be
> addressed. Given that SCRAM is in last call now, I'm not sure
> it is feasible to develop a document that analyzes NFC from
> this perspective that we can have good confidence in and gain
> wide support for.
>
> I'd be happy to help work on a document that analyzed the
> consequences of replacing SASLprep with just-use-RFC5198 in
> SASL. But I don't think SCRAM should wait for something like
> it to materialize.

Now that the issue has been raised and is presumably better understood, I'm happy to leave that decision to the WG.

>...
> Finally a general observation. I believe username and
> passwords are different beasts when it comes to string
> preparation. What makes sense for usernames does not always
> make sense for passwords, and vice versa. Usernames are
> typically transported in the clear, and thus it makes little
> sense to enforce strong normalization like NFKC on it. What
> may be useful is to enforce weaker rules, like NFC, when
> comparing two username strings for equivalence. Passwords
> should not be transported in the clear, and are often input to
> hash functions, and thus it is motivated to require
> normalization. I'm not convinced NFC is sufficient here. I
> think conflating username string preparation with password
> string preparation is one problematic part of SASLprep.

Agreed.

john
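Added example, not part of the thread above: it shows concretely why the quoted message treats normalization of hashed passwords as a requirement, and how NFC (what RFC 5198 mandates) and NFKC (the normalization step SASLprep uses) differ. The password strings are constructed samples, and SHA-256 stands in for whatever the mechanism actually applies to the password; mapping NFKC to SASLprep's normalization step is an approximation, since SASLprep also applies mapping and prohibition tables.

```python
import hashlib
import unicodedata
from typing import Optional

# Constructed samples: the same visible password entered two ways.
# U+00E9 (precomposed "é", already NFC) vs. "e" + U+0301 (combining acute, NFD).
PRECOMPOSED = "caf\u00e9"
DECOMPOSED = "cafe\u0301"
# A compatibility character: the "fi" ligature U+FB01 vs. the letters "fi".
# NFC leaves U+FB01 alone; only NFKC folds it to "fi".
LIGATURE = "\ufb01le"
PLAIN = "file"


def password_digest(password: str, form: Optional[str] = None) -> str:
    """Hash a password after optional Unicode normalization.

    form: None (no normalization), "NFC" (RFC 5198 style) or "NFKC"
    (approximating SASLprep's normalization step; assumption for
    illustration only, SASLprep also maps and prohibits characters).
    """
    if form is not None:
        password = unicodedata.normalize(form, password)
    # Stand-in for the mechanism's real password processing.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def same_digest(a: str, b: str, form: Optional[str] = None) -> bool:
    """True if two entries of a password verify against the same stored digest."""
    return password_digest(a, form) == password_digest(b, form)


def normalization_changes(password: str) -> dict:
    """Report which normalization forms would alter this password's code points."""
    return {form: unicodedata.normalize(form, password) != password
            for form in ("NFC", "NFKC")}


if __name__ == "__main__":
    for a, b in ((PRECOMPOSED, DECOMPOSED), (LIGATURE, PLAIN)):
        for form in (None, "NFC", "NFKC"):
            print(f"{a!r} vs {b!r} under {form}: match={same_digest(a, b, form)}")
    print(normalization_changes(DECOMPOSED), normalization_changes(LIGATURE))
```

Without any normalization a user who types the decomposed form on one client and the precomposed form on another fails to authenticate; NFC repairs that case but not the ligature case, which is the gap between NFC and NFKC the message refers to.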