Re: [Emu] Revised sections for Issue #18 (Internationalization)
Alan DeKok <aland@deployingradius.com> Thu, 24 September 2009 13:55 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E6C3028C0E3 for <emu@core3.amsl.com>; Thu, 24 Sep 2009 06:55:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.968
X-Spam-Level:
X-Spam-Status: No, score=-1.968 tagged_above=-999 required=5 tests=[AWL=0.631, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uOdmzz+Y5rXw for <emu@core3.amsl.com>; Thu, 24 Sep 2009 06:55:19 -0700 (PDT)
Received: from liberty.deployingradius.com (liberty.deployingradius.com [88.191.76.128]) by core3.amsl.com (Postfix) with ESMTP id DF4093A6A07 for <emu@ietf.org>; Thu, 24 Sep 2009 06:55:18 -0700 (PDT)
Received: from Thor.local (mey38-2-82-228-181-7.fbx.proxad.net [82.228.181.7]) by liberty.deployingradius.com (Postfix) with ESMTPSA id C25861234491; Thu, 24 Sep 2009 15:54:35 +0200 (CEST)
Message-ID: <4ABB7A8A.1070002@deployingradius.com>
Date: Thu, 24 Sep 2009 15:56:26 +0200
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Simon Josefsson <simon@josefsson.org>
References: <AC1CFD94F59A264488DC2BEC3E890DE508C62E3A@xmb-sjc-225.amer.cisco.com> <877hvqavwp.fsf@mocca.josefsson.org> <4ABA2282.4080207@deployingradius.com> <87r5txu4mt.fsf@mocca.josefsson.org>
In-Reply-To: <87r5txu4mt.fsf@mocca.josefsson.org>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: emu@ietf.org
Subject: Re: [Emu] Revised sections for Issue #18 (Internationalization)
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Sep 2009 13:55:20 -0000
Simon Josefsson wrote: > Should we suggest that passwords are sent over the wire at all? In good > systems that should be the exception. It is widely deployed today with TTLS. I think that allowing this practice to continue is a requirement. > 1) Usernames. Should be sent over the wire as-is, or possibly > Net-UTF-8. It is not clear to me that the even the weak NFC part of > Net-UTF-8 is always a good idea for usernames, you could just send the > username as-is and require that COMPARISONS are done in a way that > reduces ambitious. Ouch. I fundamentally disagree. See RFC 4282, and my attempt to update it, based on real-world deployment experience: http://tools.ietf.org/html/draft-dekok-radext-nai-00 My document explains why it's difficult (i.e. impossible) for third parties to "normalize" the data. > There are some indication that the algorithm of > comparing two strings for equality is simpler to make robust and > ambigious-free than an algorithm that normalize strings. Yes. The systems which do end-user input likely have enough information to normalize the data. No one else does. As a result, everyone else should compare the two strings for equality. They should not normalize the strings. > 2) Passwords sent to servers. This has similar properties as 1) but > there could be differences in how they are treated. > > 3) Passwords sent to servers only in hashed form. This has stricter > normalization requirements than 1) and 2) -- NFC is most certainly > needed, and probably something more, similar to SASLprep but preferably > without some of the problems that SASLprep has. I beleive that (2) and (3) are the same case. For (3), we will end up checking for: hash(p1) == hash(p2) For strong hashes, the simplest way to ensure this is true is if: p1 == p2 > The problem with normalization early is that you end up with a interop > problem where both the client and server needs to implement the exact > same normalization algorithms for things to be robust. If normalization > only happens in one implementation, things will be predictable. RFC 5198 specifies a normalized form. If two implementations "normalize" to the RFC 5198 form differently, one of them is wrong. Alan DeKok.
- [Emu] Revised sections for Issue #18 (Internation… Joseph Salowey (jsalowey)
- Re: [Emu] Revised sections for Issue #18 (Interna… Simon Josefsson
- Re: [Emu] Revised sections for Issue #18 (Interna… Alan DeKok
- Re: [Emu] Revised sections for Issue #18 (Interna… Simon Josefsson
- Re: [Emu] Revised sections for Issue #18 (Interna… Alan DeKok
- Re: [Emu] Revised sections for Issue #18 (Interna… Simon Josefsson
- Re: [Emu] Revised sections for Issue #18 (Interna… Alan DeKok
- Re: [Emu] Revised sections for Issue #18 (Interna… Simon Josefsson
- Re: [Emu] Revised sections for Issue #18 (Interna… Alan DeKok
- Re: [Emu] Revised sections for Issue #18 (Interna… Simon Josefsson
- Re: [Emu] Revised sections for Issue #18 (Interna… Joseph Salowey (jsalowey)
- Re: [Emu] Revised sections for Issue #18 (Interna… Simon Josefsson
- Re: [Emu] Revised sections for Issue #18 (Interna… Alan DeKok
- Re: [Emu] Revised sections for Issue #18 (Interna… Simon Josefsson