Re: [http-auth] http-auth BOF
Peter Saint-Andre <stpeter@stpeter.im> Mon, 17 September 2012 15:43 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5585021F8616 for <http-auth@ietfa.amsl.com>; Mon, 17 Sep 2012 08:43:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.487
X-Spam-Level:
X-Spam-Status: No, score=-102.487 tagged_above=-999 required=5 tests=[AWL=-0.188, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yI1qov1zIvZO for <http-auth@ietfa.amsl.com>; Mon, 17 Sep 2012 08:43:30 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 2628521F8602 for <http-auth@ietf.org>; Mon, 17 Sep 2012 08:43:30 -0700 (PDT)
Received: from [64.101.72.115] (unknown [64.101.72.115]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 1D03D40D52; Mon, 17 Sep 2012 09:44:28 -0600 (MDT)
Message-ID: <50574520.1020409@stpeter.im>
Date: Mon, 17 Sep 2012 09:43:28 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: "\"Martin J. Dürst\"" <duerst@it.aoyama.ac.jp>
References: <504F451E.6070805@ieca.com> <504F466A.3000203@gmx.de> <5A1492FD-FF4A-4B6A-B95B-A7EA5727BB23@checkpoint.com> <50503370.30109@gmx.de> <F13C069F-C881-4BB6-8078-B19C4CCAF68D@checkpoint.com> <CAK3OfOi9V6JiLeQOp=ZO-DgDhO=gBBicLREbEycdaw3YcAHVBA@mail.gmail.com> <CALGrgeuoVfRsoqqcf6VFMqinEKKCrkr_EOaGaMjBD5+Z9heRXQ@mail.gmail.com> <CAM+81qJkFP=De7oforHFcCCdyosGi74vCAB-Tq6Jdat2Az9hzA@mail.gmail.com> <50534C63.3080006@stpeter.im> <CAM+81qLMdwRrEO0xL4BBdyX85F7gy9GhjGsykL_3RgEcRJuA+A@mail.gmail.com> <50569984.10301@it.aoyama.ac.jp>
In-Reply-To: <50569984.10301@it.aoyama.ac.jp>
X-Enigmail-Version: 1.4.4
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] http-auth BOF
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Sep 2012 15:43:35 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thanks to you both for the helpful explanation! On 9/16/12 9:31 PM, "Martin J. Dürst" wrote: > I wanted to make exactly the same comment as Mr. Kihara. > > To give a simple example, when inputting the character/word > "flower", most Japanese would type the four keys 'h', 'a', 'n', > 'a', which simply corresponds to the pronunciation of that word, > "hana". This is then converted to syllabic writing "はな", and from > there to the actual character for flower, "花", as it would be used > in everyday writing. However, there are other characters that are > pronounced "hana", such as "華" (a variant character for flower), " > 鼻" (nose), and so on. To select the correct character, various keys > (space, arrow keys, number keys, return,...) are used. To make sure > the right character is selected, the user has to *visually* check > (-> shoulder attack) and confirm it. > > As a result, as Mr. Kihara already explained, these characters are > not used for passwords in Japanese. Because the same homophone > problem for Han characters applies in Chinese and Korean, the > situation is the same there. > > In terms of entropy, Han characters would indeed contribute a lot, > but because they require visual checking when entering, they are in > general not suited for passwords. > > Regards, Martin. > > On 2012/09/15 3:35, KIHARA, Boku wrote: >> 2012/9/15 Peter Saint-Andre<stpeter@stpeter.im>: >>> On 9/14/12 9:09 AM, KIHARA, Boku wrote: >>>> <off-topic> I heard a discussion about i18n of passwords: >>>> about Chinese characters (of course used in Japan too), there >>>> are many characters that have the same pronunciations so they >>>> are input by input method software. Users type sentences in >>>> latin characters (such as pinyin and roma-ji) then pick >>>> intended characters from candidates. When inputting >>>> passwords, typically input method software are disabled and >>>> userstype unconverted characters. As a result, passwords >>>> become within ascii range. The problem might be more >>>> noticeable in non-ascii locales where characters are input >>>> directly from keyboards. >>> >>> Hello Kihara-san, >>> >>> Could you please clarify what you mean by "unconverted >>> characters"? It seems that you mean these are characters from >>> the ASCII range not converted into their CJ equivalents, but >>> I'd like to make sure. >> >> Exactly. I meant they are ASCII characters that are not processed >> by input method software. In Japan, the input process is often >> called "Kanji Henkan" (Chinese characters conversion) so I used >> the word. >> >>>> By the way, I think i18ning passwords in at least CJ locales >>>> will cause another problem that conversion process can be >>>> vulnerable to shoulder attacks :< >>> >>> When you say "i18ning passwords", do you mean allowing >>> characters outside the ASCII range? >>> >>> Of course, we like to enable lots of entropy in passwords, so >>> limiting the allowable characters to the ASCII range would be >>> at odds with that desire. >> >> By all means passwords should become more secure and allowing >> non-ASCII characters is very good way. I only intended to notice >> that there may be issues to be solved and I am sorry if my >> message was misleading. >> >>> By the way, some of these considerations are relevant to >>> SASLprep (RFC 4013) and its proposed replacement >>> (draft-melnikov-precis-saslprepbis), so I hope you will review >>> the latter specification and provide feedback on the >>> precis@ietf.org and kitten@ietf.org lists. :) >> >> Sure. I hope my little knowledge can help...:< >> >> Regards, Boku KIHARA >> _______________________________________________ http-auth mailing >> list http-auth@ietf.org >> https://www.ietf.org/mailman/listinfo/http-auth >> -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.18 (Darwin) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBXRSAACgkQNL8k5A2w/vxfgQCfQl0TqTIQex9LRc8MpaROTxQ5 T7IAoNN3btWWwZC84ys15thBxPae3Ph8 =EKh/ -----END PGP SIGNATURE-----
- [http-auth] http-auth BOF Sean Turner
- Re: [http-auth] http-auth BOF Julian Reschke
- Re: [http-auth] http-auth BOF Sean Turner
- Re: [http-auth] http-auth BOF Yoav Nir
- Re: [http-auth] http-auth BOF Tim
- Re: [http-auth] http-auth BOF Nico Williams
- Re: [http-auth] http-auth BOF Yutaka OIWA
- Re: [http-auth] http-auth BOF Julian Reschke
- Re: [http-auth] http-auth BOF Yoav Nir
- Re: [http-auth] http-auth BOF Julian Reschke
- Re: [http-auth] http-auth BOF Yutaka OIWA
- Re: [http-auth] http-auth BOF Yoav Nir
- Re: [http-auth] http-auth BOF Leif Johansson
- Re: [http-auth] http-auth BOF Nico Williams
- Re: [http-auth] http-auth BOF Harry Halpin
- Re: [http-auth] http-auth BOF Nico Williams
- Re: [http-auth] http-auth BOF Cameron Jones
- Re: [http-auth] http-auth BOF KIHARA, Boku
- Re: [http-auth] http-auth BOF Peter Saint-Andre
- Re: [http-auth] http-auth BOF Julian Reschke
- Re: [http-auth] http-auth BOF Cameron Jones
- Re: [http-auth] http-auth BOF Cameron Jones
- Re: [http-auth] http-auth BOF Peter Saint-Andre
- Re: [http-auth] http-auth BOF Cameron Jones
- Re: [http-auth] http-auth BOF KIHARA, Boku
- Re: [http-auth] http-auth BOF Martin J. Dürst
- Re: [http-auth] http-auth BOF Nico Williams
- Re: [http-auth] http-auth BOF Peter Saint-Andre
- Re: [http-auth] http-auth BOF Martin J. Dürst