Simon Josefsson wrote:
I'd be happy to help work on a document that analyzed the consequences
of replacing SASLprep with just-use-RFC5198 in SASL. But I don't think
SCRAM should wait for something like it to materialize.
I agree that such work would take time, and we don't want to delay
But as the discussion so far has shown, normalization is a very tricky
topic, and we can't really expect implementors to understand why "just
use UTF-8" is problematic. Perhaps we should add a note to the SCRAM
draft; something like
Informative Note: Implementors are encouraged to create test cases
that use both username passwords with non-ASCII characters. In
particular, it's useful to test characters whose "normalization
form C" and "normalization form KC" are different. Some examples of
such characters include Vulgar Fraction One Half (U+00BD) and
Acute Accent (U+00B4).
Do you think this would increase the likelihood of interoperability
with non-ASCII passwords?
Ietf mailing list