IETF Logo Mail Archive

Re: [Emu] Revised sections for Issue #18 (Internationalization)

Simon Josefsson <simon@josefsson.org> Thu, 24 September 2009 14:13 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 84D903A69E0 for <emu@core3.amsl.com>; Thu, 24 Sep 2009 07:13:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.488
X-Spam-Level:
X-Spam-Status: No, score=-2.488 tagged_above=-999 required=5 tests=[AWL=0.111, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KXJ4h53hemXG for <emu@core3.amsl.com>; Thu, 24 Sep 2009 07:13:34 -0700 (PDT)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by core3.amsl.com (Postfix) with ESMTP id 421913A6817 for <emu@ietf.org>; Thu, 24 Sep 2009 07:13:34 -0700 (PDT)
Received: from mocca.josefsson.org (c80-216-24-211.bredband.comhem.se [80.216.24.211]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5) with ESMTP id n8OEEaqS003359 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 24 Sep 2009 16:14:39 +0200
From: Simon Josefsson <simon@josefsson.org>
To: Alan DeKok <aland@deployingradius.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE508C62E3A@xmb-sjc-225.amer.cisco.com> <877hvqavwp.fsf@mocca.josefsson.org> <4ABA2282.4080207@deployingradius.com> <87r5txu4mt.fsf@mocca.josefsson.org> <4ABB7A8A.1070002@deployingradius.com>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:090924:emu@ietf.org::DvA3jGCIQ7kgG9lc:7Clw
X-Hashcash: 1:22:090924:aland@deployingradius.com::lH+qBfkiUJy/xTbB:FxP1
Date: Thu, 24 Sep 2009 16:14:36 +0200
In-Reply-To: <4ABB7A8A.1070002@deployingradius.com> (Alan DeKok's message of "Thu, 24 Sep 2009 15:56:26 +0200")
Message-ID: <877hvoqvjn.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Virus-Scanned: clamav-milter 0.95.2 at yxa-v
X-Virus-Status: Clean
Cc: emu@ietf.org
Subject: Re: [Emu] Revised sections for Issue #18 (Internationalization)
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Sep 2009 14:13:35 -0000

Alan DeKok <aland@deployingradius.com> writes:

> Simon Josefsson wrote:
>> Should we suggest that passwords are sent over the wire at all?  In good
>> systems that should be the exception.
>
>   It is widely deployed today with TTLS.  I think that allowing this
> practice to continue is a requirement.

I agree, but that does not necessarily mean that
passwords-sent-over-the-wire and passwords-sent-hashed must have the
same internationalization treatment or considerations.

>> 1) Usernames.  Should be sent over the wire as-is, or possibly
>> Net-UTF-8.  It is not clear to me that the even the weak NFC part of
>> Net-UTF-8 is always a good idea for usernames, you could just send the
>> username as-is and require that COMPARISONS are done in a way that
>> reduces ambitious.
>
>   Ouch.  I fundamentally disagree.  See RFC 4282, and my attempt to
> update it, based on real-world deployment experience:
>
> http://tools.ietf.org/html/draft-dekok-radext-nai-00
>
>   My document explains why it's difficult (i.e. impossible) for third
> parties to "normalize" the data.

Interesting!  It is good to see work in this area, and your reasons
appears good to me.  I believe it is desirable to reduce the amount of
string normalization that happens, and instead use comparison-rules when
possible, but sometimes normalization is required for one reason or the
other.  As soon as normalization rules are suggested, I believe it is
worthwhile to evaluate why comparison-rules are not sufficient, and your
document address that.

>> The problem with normalization early is that you end up with a interop
>> problem where both the client and server needs to implement the exact
>> same normalization algorithms for things to be robust.  If normalization
>> only happens in one implementation, things will be predictable.
>
>   RFC 5198 specifies a normalized form.  If two implementations
> "normalize" to the RFC 5198 form differently, one of them is wrong.

Sure, but see section 4 of RFC 5198.  If it happens that NFC backwards
compatibility is broken, you end up with the interop problem.  This has
happened before for NFKC which has caused (theoretical) interop problems
for IDNA and SASLprep -- if two implementations of RFC 3454 use
different Unicode versions, they don't necessarily interop.

/Simon

v2.23.0 | Report a Bug | By Email