Re: [http-auth] http-auth BOF
"Martin J. Dürst" <duerst@it.aoyama.ac.jp> Mon, 17 September 2012 03:31 UTC
Return-Path: <duerst@it.aoyama.ac.jp>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A978C21F84F2 for <http-auth@ietfa.amsl.com>; Sun, 16 Sep 2012 20:31:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.745
X-Spam-Level:
X-Spam-Status: No, score=-105.745 tagged_above=-999 required=5 tests=[AWL=-4.554, BAYES_50=0.001, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bAuqlv4fllzE for <http-auth@ietfa.amsl.com>; Sun, 16 Sep 2012 20:31:37 -0700 (PDT)
Received: from scintmta02.scbb.aoyama.ac.jp (scintmta02.scbb.aoyama.ac.jp [133.2.253.34]) by ietfa.amsl.com (Postfix) with ESMTP id AFBB121F846E for <http-auth@ietf.org>; Sun, 16 Sep 2012 20:31:36 -0700 (PDT)
Received: from scmse02.scbb.aoyama.ac.jp ([133.2.253.231]) by scintmta02.scbb.aoyama.ac.jp (secret/secret) with SMTP id q8H3VQSu013751 for <http-auth@ietf.org>; Mon, 17 Sep 2012 12:31:28 +0900
Received: from (unknown [133.2.206.133]) by scmse02.scbb.aoyama.ac.jp with smtp id 621c_961b_2951dd82_0078_11e2_8268_001d096c5782; Mon, 17 Sep 2012 12:31:26 +0900
Received: from [IPv6:::1] ([133.2.210.1]:35711) by itmail.it.aoyama.ac.jp with [XMail 1.22 ESMTP Server] id <S15FD40F> for <http-auth@ietf.org> from <duerst@it.aoyama.ac.jp>; Mon, 17 Sep 2012 12:31:26 +0900
Message-ID: <50569984.10301@it.aoyama.ac.jp>
Date: Mon, 17 Sep 2012 12:31:16 +0900
From: "\"Martin J. Dürst\"" <duerst@it.aoyama.ac.jp>
Organization: Aoyama Gakuin University
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.9) Gecko/20100722 Eudora/3.0.4
MIME-Version: 1.0
To: "KIHARA, Boku" <bkihara.l@gmail.com>
References: <504F451E.6070805@ieca.com> <504F466A.3000203@gmx.de> <5A1492FD-FF4A-4B6A-B95B-A7EA5727BB23@checkpoint.com> <50503370.30109@gmx.de> <F13C069F-C881-4BB6-8078-B19C4CCAF68D@checkpoint.com> <CAK3OfOi9V6JiLeQOp=ZO-DgDhO=gBBicLREbEycdaw3YcAHVBA@mail.gmail.com> <CALGrgeuoVfRsoqqcf6VFMqinEKKCrkr_EOaGaMjBD5+Z9heRXQ@mail.gmail.com> <CAM+81qJkFP=De7oforHFcCCdyosGi74vCAB-Tq6Jdat2Az9hzA@mail.gmail.com> <50534C63.3080006@stpeter.im> <CAM+81qLMdwRrEO0xL4BBdyX85F7gy9GhjGsykL_3RgEcRJuA+A@mail.gmail.com>
In-Reply-To: <CAM+81qLMdwRrEO0xL4BBdyX85F7gy9GhjGsykL_3RgEcRJuA+A@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] http-auth BOF
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Sep 2012 03:31:38 -0000
I wanted to make exactly the same comment as Mr. Kihara. To give a simple example, when inputting the character/word "flower", most Japanese would type the four keys 'h', 'a', 'n', 'a', which simply corresponds to the pronunciation of that word, "hana". This is then converted to syllabic writing "はな", and from there to the actual character for flower, "花", as it would be used in everyday writing. However, there are other characters that are pronounced "hana", such as "華" (a variant character for flower), "鼻" (nose), and so on. To select the correct character, various keys (space, arrow keys, number keys, return,...) are used. To make sure the right character is selected, the user has to *visually* check (-> shoulder attack) and confirm it. As a result, as Mr. Kihara already explained, these characters are not used for passwords in Japanese. Because the same homophone problem for Han characters applies in Chinese and Korean, the situation is the same there. In terms of entropy, Han characters would indeed contribute a lot, but because they require visual checking when entering, they are in general not suited for passwords. Regards, Martin. On 2012/09/15 3:35, KIHARA, Boku wrote: > 2012/9/15 Peter Saint-Andre<stpeter@stpeter.im>: >> On 9/14/12 9:09 AM, KIHARA, Boku wrote: >>> <off-topic> I heard a discussion about i18n of passwords: about >>> Chinese characters (of course used in Japan too), there are many >>> characters that have the same pronunciations so they are input by >>> input method software. Users type sentences in latin characters >>> (such as pinyin and roma-ji) then pick intended characters from >>> candidates. When inputting passwords, typically input method >>> software are disabled and userstype unconverted characters. As a >>> result, passwords become within ascii range. The problem might be >>> more noticeable in non-ascii locales where characters are input >>> directly from keyboards. >> >> Hello Kihara-san, >> >> Could you please clarify what you mean by "unconverted characters"? It >> seems that you mean these are characters from the ASCII range not >> converted into their CJ equivalents, but I'd like to make sure. > > Exactly. I meant they are ASCII characters that are not processed by > input method software. In Japan, the input process is often called > "Kanji Henkan" (Chinese characters conversion) so I used the word. > >>> By the way, I think i18ning passwords in at least CJ locales will >>> cause another problem that conversion process can be vulnerable to >>> shoulder attacks :< >> >> When you say "i18ning passwords", do you mean allowing characters >> outside the ASCII range? >> >> Of course, we like to enable lots of entropy in passwords, so limiting >> the allowable characters to the ASCII range would be at odds with that >> desire. > > By all means passwords should become more secure and allowing non-ASCII > characters is very good way. I only intended to notice that there may be > issues to be solved and I am sorry if my message was misleading. > >> By the way, some of these considerations are relevant to SASLprep (RFC >> 4013) and its proposed replacement >> (draft-melnikov-precis-saslprepbis), so I hope you will review the >> latter specification and provide feedback on the precis@ietf.org and >> kitten@ietf.org lists. :) > > Sure. I hope my little knowledge can help...:< > > Regards, > Boku KIHARA > _______________________________________________ > http-auth mailing list > http-auth@ietf.org > https://www.ietf.org/mailman/listinfo/http-auth >
- [http-auth] http-auth BOF Sean Turner
- Re: [http-auth] http-auth BOF Julian Reschke
- Re: [http-auth] http-auth BOF Sean Turner
- Re: [http-auth] http-auth BOF Yoav Nir
- Re: [http-auth] http-auth BOF Tim
- Re: [http-auth] http-auth BOF Nico Williams
- Re: [http-auth] http-auth BOF Yutaka OIWA
- Re: [http-auth] http-auth BOF Julian Reschke
- Re: [http-auth] http-auth BOF Yoav Nir
- Re: [http-auth] http-auth BOF Julian Reschke
- Re: [http-auth] http-auth BOF Yutaka OIWA
- Re: [http-auth] http-auth BOF Yoav Nir
- Re: [http-auth] http-auth BOF Leif Johansson
- Re: [http-auth] http-auth BOF Nico Williams
- Re: [http-auth] http-auth BOF Harry Halpin
- Re: [http-auth] http-auth BOF Nico Williams
- Re: [http-auth] http-auth BOF Cameron Jones
- Re: [http-auth] http-auth BOF KIHARA, Boku
- Re: [http-auth] http-auth BOF Peter Saint-Andre
- Re: [http-auth] http-auth BOF Julian Reschke
- Re: [http-auth] http-auth BOF Cameron Jones
- Re: [http-auth] http-auth BOF Cameron Jones
- Re: [http-auth] http-auth BOF Peter Saint-Andre
- Re: [http-auth] http-auth BOF Cameron Jones
- Re: [http-auth] http-auth BOF KIHARA, Boku
- Re: [http-auth] http-auth BOF Martin J. Dürst
- Re: [http-auth] http-auth BOF Nico Williams
- Re: [http-auth] http-auth BOF Peter Saint-Andre
- Re: [http-auth] http-auth BOF Martin J. Dürst