--On Wednesday, July 17, 2013 07:56 -0700 Bernard Aboba <bernard_aboba@xxxxxxxxxxx> wrote: > Sam said: >> We don't get to place requirements on applications except to >> say what they need to do to use EAP. The protocol >> requirement for that is that applications using EAP need to >> know what character set they have so that EAP can convert the >> identity to UTF-8 and so that EAP methods can do any needed >> conversions. > > [BA] That sounds right. I think it is right, with one qualification that might reasonably be reflected in the document (perhaps as a Security Consideration). In the complex world of multiple coded character sets and models for designing them, there is no guarantee of a unique, reversible, mapping from any given one of them to and from Unicode. There is obviously no problem with ASCII (or, more precisely, ISO 646 IRV) or ISO 8859-1 because the Unicode ranges 0020..007F and 00A0..00FF are defined in terms of those specs. But, if the CCS used in an application, is some odd code page, mappings onto Unicode may be a matter of conventions and judgment, not a standard or universally-accepted rule. That problem is further complicated by issues of normalization and precomposed characters versus composing sequences, but would exist even without it. As Sam more or less points out, this is an application problem, not an EAP one, but the conversion process may lead to surprising EAP results, particularly including false negatives. best, john