<Pasi.Eronen@xxxxxxxxx> writes:

> Simon Josefsson wrote:
>
>> I'd be happy to help work on a document that analyzed the consequences
>> of replacing SASLprep with just-use-RFC5198 in SASL. But I don't think
>> SCRAM should wait for something like it to materialize.
>
> I agree that such work would take time, and we don't want to delay
> SCRAM.
>
> But as the discussion so far has shown, normalization is a very tricky
> topic, and we can't really expect implementors to understand why "just
> use UTF-8" is problematic. Perhaps we should add a note to the SCRAM
> draft; something like
>
>    Informative Note: Implementors are encouraged to create test cases
>    that use both username passwords with non-ASCII characters. In
>    particular, it's useful to test characters whose "normalization
>    form C" and "normalization form KC" are different. Some examples of
>    such characters include Vulgar Fraction One Half (U+00BD) and
>    Acute Accent (U+00B4).

+1.

> Do you think this would increase the likelihood of interoperability
> with non-ASCII passwords?

For implementers that decide to use SASLprep but just happen to get
things wrong, yes. For those, I think test vectors would be even more
useful.

/Simon
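The kind of test case the proposed note asks for, as an added example that is not part of the original message or of the SCRAM draft: it derives the salted password once with NFC and once with NFKC and reports whether the two peers would disagree. Assumptions: the salt, iteration count and passwords are constructed sample values, PBKDF2-HMAC-SHA-1 stands in for SCRAM's Hi(), and only the normalization step of SASLprep is modelled (no mapping or prohibited-character checks).

```python
import hashlib
import unicodedata

# Constructed sample values, not taken from any specification or test vector.
SALT = b"constructed-salt"
ITERATIONS = 4096


def prepare(password: str, form: str) -> bytes:
    """Normalize with the given Unicode form ("NFC" or "NFKC"), then UTF-8 encode.

    Assumption: this models only the normalization step of SASLprep.
    """
    return unicodedata.normalize(form, password).encode("utf-8")


def salted_password(password: str, form: str) -> bytes:
    """PBKDF2-HMAC-SHA-1 with a 20-byte output, standing in for SCRAM's Hi()."""
    return hashlib.pbkdf2_hmac("sha1", prepare(password, form), SALT, ITERATIONS)


def forms_disagree(password: str) -> bool:
    """True when an NFC-only peer and an NFKC peer derive different keys."""
    return salted_password(password, "NFC") != salted_password(password, "NFKC")


def discriminating_chars(password: str) -> list[str]:
    """Code points in the password whose NFC and NFKC forms differ."""
    return [
        f"U+{ord(ch):04X}"
        for ch in password
        if unicodedata.normalize("NFC", ch) != unicodedata.normalize("NFKC", ch)
    ]


if __name__ == "__main__":
    # The first two passwords use the characters named in the note;
    # the last two are controls where NFC and NFKC agree.
    for pw in ["pass\u00bdword", "pass\u00b4word", "p\u00e4ssword", "password"]:
        status = "MISMATCH" if forms_disagree(pw) else "ok"
        print(f"{ascii(pw):22} {status:9} {discriminating_chars(pw)}")
```

A password made only of characters for which `discriminating_chars` returns nothing cannot tell a correct NFKC implementation from one that applies NFC or no compatibility mapping at all, which is why the note singles out U+00BD and U+00B4.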