John C Klensin wrote:
Looking http://en.wikipedia.org/wiki/Keyboard_layout, it seems
the Finnish/Swedish layout is not special in any way, and many
other European keyboards would also have some small number of
characters where NFC!=NFKC.
That is important data. It seems to me that it implies:
* if entropy in passwords and/or properly reflecting
keyboards is more important than password
interoperability (whatever that means), then we should
be moving away from NFKC and, hence, from the current
version of SASLprep.
I don't know about the East Asian width variants, but for the ones in the
Finnish/Swedish layout, there is basically no entropy loss. For some
of the characters, there's only one way to enter the NFKC form (so no
entropy is lost); and the number of characters affected is small, and
they're rarely used anyway (so the effect on entropy is extremely small).
So IMHO entropy is not a good reason to move away from NFKC.
There might be other reasons, but the complaint about SASLprep I've
heard most often (implementation complexity -- unless the platform
already has a normalize() call always available, many programmers will
"just use UTF-8") applies equally to NFC, too. So I'm not sure if
moving to NFC would really solve anything here...
But "just use UTF-8" probably won't lead to good interoperability
when the passwords are hashed (as opposed to sent and compared, like
usernames).
Best regards,
Pasi
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf