John C Klensin wrote: > > Looking http://en.wikipedia.org/wiki/Keyboard_layout, it seems > > the Finnish/Swedish layout is not special in any way, and many > > other European keyboards would also have some small number of > > characters where NFC!=NFKC. > > That is important data. It seems to me that it implies: > > * if entropy in passwords and/or properly reflecting > keyboards is more important than password > interoperability (whatever that means), then we should > be moving away from NFKC and, hence, from the current > version of SASLprep. I don't know about the East Asian width variants, but for the ones in the Finnish/Swedish layout, there is basically no entropy loss. For some of the characters, there's only one way to enter the NFKC form (so no entropy is lost); and the number of characters affected is small, and they're rarely used anyway (so the effect on entropy is extremely small). So IMHO entropy is not a good reason to move away from NFKC. There might be other reasons, but the complaint about SASLprep I've heard most often (implementation complexity -- unless the platform already has a normalize() call always available, many programmers will "just use UTF-8") applies equally to NFC, too. So I'm not sure if moving to NFC would really solve anything here... But "just use UTF-8" probably won't lead to good interoperability when the passwords are hashed (as opposed to sent and compared, like usernames). Best regards, Pasi _______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf