Re: [http-auth] http-auth BOF

"KIHARA, Boku" <bkihara.l@gmail.com> Fri, 14 September 2012 18:35 UTC

In-Reply-To: <50534C63.3080006@stpeter.im>
References: <504F451E.6070805@ieca.com> <504F466A.3000203@gmx.de> <5A1492FD-FF4A-4B6A-B95B-A7EA5727BB23@checkpoint.com> <50503370.30109@gmx.de> <F13C069F-C881-4BB6-8078-B19C4CCAF68D@checkpoint.com> <CAK3OfOi9V6JiLeQOp=ZO-DgDhO=gBBicLREbEycdaw3YcAHVBA@mail.gmail.com> <CALGrgeuoVfRsoqqcf6VFMqinEKKCrkr_EOaGaMjBD5+Z9heRXQ@mail.gmail.com> <CAM+81qJkFP=De7oforHFcCCdyosGi74vCAB-Tq6Jdat2Az9hzA@mail.gmail.com> <50534C63.3080006@stpeter.im>
Date: Sat, 15 Sep 2012 03:35:41 +0900
Message-ID: <CAM+81qLMdwRrEO0xL4BBdyX85F7gy9GhjGsykL_3RgEcRJuA+A@mail.gmail.com>
From: "KIHARA, Boku" <bkihara.l@gmail.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] http-auth BOF

2012/9/15 Peter Saint-Andre <stpeter@stpeter.im>:
> On 9/14/12 9:09 AM, KIHARA, Boku wrote:
>> <off-topic> I heard a discussion about i18n of passwords: for
>> Chinese characters (of course used in Japan too), there are many
>> characters that have the same pronunciation, so they are input via
>> input method software. Users type sentences in Latin characters
>> (such as pinyin and roma-ji) then pick the intended characters from
>> candidates. When inputting passwords, input method software is
>> typically disabled and users type unconverted characters. As a
>> result, passwords end up within the ASCII range. The problem might be
>> more noticeable in non-ASCII locales where characters are input
>> directly from keyboards.
>
> Hello Kihara-san,
>
> Could you please clarify what you mean by "unconverted characters"? It
> seems that you mean these are characters from the ASCII range not
> converted into their CJ equivalents, but I'd like to make sure.

Exactly. I meant they are ASCII characters that are not processed by
input method software. In Japan, the input process is often called
"Kanji Henkan" (Chinese characters conversion) so I used the word.

>> By the way, I think i18ning passwords in at least CJ locales will
>> cause another problem: the conversion process can be vulnerable to
>> shoulder-surfing attacks :<
>
> When you say "i18ning passwords", do you mean allowing characters
> outside the ASCII range?
>
> Of course, we like to enable lots of entropy in passwords, so limiting
> the allowable characters to the ASCII range would be at odds with that
> desire.

By all means passwords should become more secure, and allowing non-ASCII
characters is a very good way to do that. I only intended to point out that
there may be issues to be solved, and I am sorry if my message was misleading.

> By the way, some of these considerations are relevant to SASLprep (RFC
> 4013) and its proposed replacement
> (draft-melnikov-precis-saslprepbis), so I hope you will review the
> latter specification and provide feedback on the precis@ietf.org and
> kitten@ietf.org lists. :)

Sure. I hope my little knowledge can help...:<

Regards,
Boku KIHARA
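Added example, not part of the thread above and not from either author: a simplified password-preparation step in the spirit of SASLprep (RFC 4013), applied to strings a Japanese IME can emit. It is an illustration, not a conforming implementation: the prohibited-character tables and the bidi rule of the real profiles are omitted, and only the space mapping, NFKC normalization and a control-character check are kept. The sample strings (a full-width "ｐａｓｓｗｏｒｄ" as produced by the IME's full-width alphanumeric mode, a kana written once precomposed and once as base letter plus combining dakuten, and a plain kana password) are constructed for the example. It shows the two effects the thread touches on: a password that looks non-ASCII can collapse to ASCII after normalization, gaining no entropy, and two byte-different encodings of the same kana must compare equal after preparation or the user is locked out.

```python
import hmac
import unicodedata


def prepare(password: str) -> str:
    """Simplified stand-in for SASLprep / PRECIS OpaqueString preparation.

    Assumption: only the steps relevant to CJK input are modelled. The full
    prohibited-code-point tables and the bidi rule are deliberately left out.
    """
    # Map every non-ASCII space (Unicode category Zs, e.g. U+3000 IDEOGRAPHIC
    # SPACE) to U+0020, as both SASLprep and OpaqueString do.
    mapped = "".join(" " if unicodedata.category(ch) == "Zs" else ch
                     for ch in password)
    # NFKC normalization, as in SASLprep. Compatibility decomposition folds
    # the full-width ASCII variants (U+FF01..U+FF5E) to plain ASCII, and
    # canonical composition turns a base kana plus combining dakuten (U+3099)
    # into the precomposed letter. OpaqueString's width mapping plus NFC has
    # the same effect on these inputs.
    normalized = unicodedata.normalize("NFKC", mapped)
    # Reject control and other non-graphic code points (general category C*).
    # The real profiles prohibit a larger set; this is the subset shown here.
    for ch in normalized:
        if unicodedata.category(ch).startswith("C"):
            raise ValueError(f"prohibited code point U+{ord(ch):04X}")
    return normalized


def is_acceptable(password: str) -> bool:
    """True if the password survives preparation without a prohibited code point."""
    try:
        prepare(password)
    except ValueError:
        return False
    return True


def is_ascii_only(s: str) -> bool:
    return all(ord(ch) < 0x80 for ch in s)


def passwords_match(stored: str, supplied: str) -> bool:
    """Compare two passwords after preparation, in constant time on the bytes."""
    a = prepare(stored).encode("utf-8")
    b = prepare(supplied).encode("utf-8")
    return hmac.compare_digest(a, b)


# Constructed sample inputs (not from the thread) standing in for what a
# Japanese IME can emit.
FULLWIDTH = "\uff50\uff41\uff53\uff53\uff57\uff4f\uff52\uff44"  # ｐａｓｓｗｏｒｄ
COMPOSED = "\u304c"                      # が, precomposed
DECOMPOSED = "\u304b\u3099"              # か + combining dakuten, same letter
KANA = "\u3071\u3059\u308f\u30fc\u3069"  # ぱすわーど, genuinely non-ASCII

if __name__ == "__main__":
    print(repr(prepare(FULLWIDTH)), is_ascii_only(prepare(FULLWIDTH)))
    print(passwords_match(COMPOSED, DECOMPOSED))
    print(repr(prepare(KANA)), is_ascii_only(prepare(KANA)))
    print(is_acceptable("pass\u0000word"))
```

The full-width string normalizes to the eight ASCII letters "password", so a policy that counts non-ASCII code points before preparation would overestimate its strength; the kana password stays non-ASCII. Comparing only after preparation is what makes the composed and decomposed spellings of the same kana interchangeable.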