<Pasi(_dot_)Eronen(_at_)nokia(_dot_)com> writes:

> Simon Josefsson wrote:
>
>> I'd be happy to help work on a document that analyzed the consequences
>> of replacing SASLprep with just-use-RFC5198 in SASL. But I don't think
>> SCRAM should wait for something like it to materialize.
>
> I agree that such work would take time, and we don't want to delay
> SCRAM.
>
> But as the discussion so far has shown, normalization is a very tricky
> topic, and we can't really expect implementors to understand why "just
> use UTF-8" is problematic. Perhaps we should add a note to the SCRAM
> draft; something like
>
>    Informative Note: Implementors are encouraged to create test cases
>    that use both usernames and passwords with non-ASCII characters. In
>    particular, it's useful to test characters whose "normalization
>    form C" and "normalization form KC" are different. Some examples of
>    such characters include Vulgar Fraction One Half (U+00BD) and
>    Acute Accent (U+00B4).

+1.

> Do you think this would increase the likelihood of interoperability
> with non-ASCII passwords?

For implementers that decide to use SASLprep but just happen to get
things wrong, yes. For those, I think test vectors would be even more
useful.

/Simon
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
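
The kind of test case the proposed note asks for, as an added example that is not part of the original message or of the SCRAM draft: it derives the SCRAM-SHA-1 SaltedPassword for the same password under normalization form C and form KC and reports where the two peers would disagree. Assumptions: only the NFKC step of SASLprep is modelled (its mapping and prohibited-character checks are omitted), and the salt, iteration count and passwords are constructed sample values.

```python
import hashlib
import unicodedata

# Constructed sample values for illustration; not from any specification.
SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
ITERATIONS = 4096
PASSWORDS = ["pass\u00bdword", "caf\u00b4", "plain-ascii"]


def codepoints(text):
    """Render a string as a list of U+XXXX labels so differences are visible."""
    return [f"U+{ord(ch):04X}" for ch in text]


def salted_password(password, form):
    """SCRAM-SHA-1 SaltedPassword: Hi(Normalize(password), salt, i).

    Hi() is PBKDF2-HMAC-SHA-1 with a 20-byte output. `form` selects the
    Unicode normalization applied first ("NFC" or "NFKC").
    """
    normalized = unicodedata.normalize(form, password)
    return hashlib.pbkdf2_hmac("sha1", normalized.encode("utf-8"), SALT, ITERATIONS)


def interop_report(passwords):
    """For each password, compare what an NFC peer and an NFKC peer derive."""
    report = []
    for pw in passwords:
        report.append({
            "password": pw,
            "nfc": codepoints(unicodedata.normalize("NFC", pw)),
            "nfkc": codepoints(unicodedata.normalize("NFKC", pw)),
            # False means the two peers compute different keys and
            # authentication fails even though the user typed the same text.
            "keys_match": salted_password(pw, "NFC") == salted_password(pw, "NFKC"),
        })
    return report


if __name__ == "__main__":
    for row in interop_report(PASSWORDS):
        status = "same key" if row["keys_match"] else "DIFFERENT keys"
        print(f"{row['password']!r}: {status}")
        print("  NFC :", " ".join(row["nfc"]))
        print("  NFKC:", " ".join(row["nfkc"]))
```

Form KC rewrites U+00BD as U+0031 U+2044 U+0032 and U+00B4 as U+0020 U+0301, while form C leaves both unchanged, so the first two passwords yield different keys and only the ASCII one matches.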