Re: [http-auth] http-auth BOF

Peter Saint-Andre <stpeter@stpeter.im> Fri, 14 September 2012 15:25 UTC

To: "KIHARA, Boku" <bkihara.l@gmail.com>
Cc: "http-auth@ietf.org" <http-auth@ietf.org>


On 9/14/12 9:09 AM, KIHARA, Boku wrote:
> 2012/9/14 Cameron Jones <cmhjones@gmail.com>:
>> The problem which has been highlighted is that it requires the
>> necessary encoding to be universally applicable. There are CJKV
>> users who use their own language characters as passwords. It 
>> would be nice to be able to decode these reliably and then we can
>> just ignore BASIC for ever more and get on to developing more
>> secure methods.
> 
> <off-topic> I heard a discussion about i18n of passwords: about
> Chinese characters (of course used in Japan too), there are many 
> characters that have the same pronunciations so they are input by 
> input method software. Users type sentences in latin characters
> (such as pinyin and roma-ji) then pick intended characters from
> candidates. When inputting passwords, typically input method
> software is disabled and users type unconverted characters. As a
> result, passwords fall within the ASCII range. The problem might be
> more noticeable in non-ascii locales where characters are input
> directly from keyboards.

Hello Kihara-san,

Could you please clarify what you mean by "unconverted characters"? It
seems that you mean these are characters from the ASCII range not
converted into their CJ equivalents, but I'd like to make sure.

> By the way, I think i18ning passwords in at least CJ locales will
> cause another problem that conversion process can be vulnerable to
> shoulder attacks :<

When you say "i18ning passwords", do you mean allowing characters
outside the ASCII range?

Of course, we like to enable lots of entropy in passwords, so limiting
the allowable characters to the ASCII range would be at odds with that
desire.

By the way, some of these considerations are relevant to SASLprep (RFC
4013) and its proposed replacement
(draft-melnikov-precis-saslprepbis), so I hope you will review the
latter specification and provide feedback on the precis@ietf.org and
kitten@ietf.org lists. :)

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
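An added illustration, not code from the thread or from any IETF document: it shows the charset ambiguity in Basic credentials that Cameron raises (the same non-ASCII password yields different, unsignalled byte encodings) and uses NFKC as a stand-in for the normalization step of SASLprep (RFC 4013), which folds full-width Latin letters produced by an input method onto their ASCII forms. The credentials are constructed samples; real SASLprep/PRECIS also applies mapping, prohibition and bidi rules not modelled here.

```python
import base64
import unicodedata

# Constructed sample credentials (not from the thread): a hiragana password and
# a password typed while an IME emitted full-width Latin letters.
USER = "kihara"
PASSWORD_CJ = "ひみつのことば"
PASSWORD_FULLWIDTH = "ｐａｓｓｗｏｒｄ"


def basic_authorization(user, password, charset):
    """Build an HTTP Basic Authorization value with user:password in `charset`.
    Basic carries raw bytes only; the charset is the sender's choice and is not
    signalled to the server, which is the ambiguity discussed in the thread."""
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header, charset):
    """Decode a Basic Authorization value assuming `charset`.
    Returns (user, password), or None if the bytes are not valid in that charset."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    raw = base64.b64decode(token)
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError:
        return None
    user, _, password = text.partition(":")
    return user, password


def nfkc_prepare(password):
    """Stand-in for the SASLprep/PRECIS normalization step (assumption: only the
    NFKC part is modelled). NFKC maps compatibility characters such as full-width
    Latin letters onto their ASCII equivalents, so a password typed through an IME
    in full-width mode compares equal to the same password typed in ASCII."""
    return unicodedata.normalize("NFKC", password)
```

Run the three functions on the samples above: the UTF-8 and Shift_JIS headers differ, decoding the Shift_JIS token as UTF-8 fails outright while decoding it as Latin-1 silently yields mojibake, and the full-width password normalizes to plain "password".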

