Simon Josefsson wrote: > I'd be happy to help work on a document that analyzed the consequences > of replacing SASLprep with just-use-RFC5198 in SASL. But I don't think > SCRAM should wait for something like it to materialize. I agree that such work would take time, and we don't want to delay SCRAM. But as the discussion so far has shown, normalization is a very tricky topic, and we can't really expect implementors to understand why "just use UTF-8" is problematic. Perhaps we should add a note to the SCRAM draft; something like Informative Note: Implementors are encouraged to create test cases that use both username passwords with non-ASCII characters. In particular, it's useful to test characters whose "normalization form C" and "normalization form KC" are different. Some examples of such characters include Vulgar Fraction One Half (U+00BD) and Acute Accent (U+00B4). Do you think this would increase the likelihood of interoperability with non-ASCII passwords? Best regards, Pasi _______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf