IETF Logo Mail Archive

Re: [http-auth] http-auth BOF

Peter Saint-Andre <stpeter@stpeter.im> Mon, 17 September 2012 15:43 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5585021F8616 for <http-auth@ietfa.amsl.com>; Mon, 17 Sep 2012 08:43:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.487
X-Spam-Level:
X-Spam-Status: No, score=-102.487 tagged_above=-999 required=5 tests=[AWL=-0.188, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yI1qov1zIvZO for <http-auth@ietfa.amsl.com>; Mon, 17 Sep 2012 08:43:30 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 2628521F8602 for <http-auth@ietf.org>; Mon, 17 Sep 2012 08:43:30 -0700 (PDT)
Received: from [64.101.72.115] (unknown [64.101.72.115]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 1D03D40D52; Mon, 17 Sep 2012 09:44:28 -0600 (MDT)
Message-ID: <50574520.1020409@stpeter.im>
Date: Mon, 17 Sep 2012 09:43:28 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: "\"Martin J. Dürst\"" <duerst@it.aoyama.ac.jp>
References: <504F451E.6070805@ieca.com> <504F466A.3000203@gmx.de> <5A1492FD-FF4A-4B6A-B95B-A7EA5727BB23@checkpoint.com> <50503370.30109@gmx.de> <F13C069F-C881-4BB6-8078-B19C4CCAF68D@checkpoint.com> <CAK3OfOi9V6JiLeQOp=ZO-DgDhO=gBBicLREbEycdaw3YcAHVBA@mail.gmail.com> <CALGrgeuoVfRsoqqcf6VFMqinEKKCrkr_EOaGaMjBD5+Z9heRXQ@mail.gmail.com> <CAM+81qJkFP=De7oforHFcCCdyosGi74vCAB-Tq6Jdat2Az9hzA@mail.gmail.com> <50534C63.3080006@stpeter.im> <CAM+81qLMdwRrEO0xL4BBdyX85F7gy9GhjGsykL_3RgEcRJuA+A@mail.gmail.com> <50569984.10301@it.aoyama.ac.jp>
In-Reply-To: <50569984.10301@it.aoyama.ac.jp>
X-Enigmail-Version: 1.4.4
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] http-auth BOF
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Sep 2012 15:43:35 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks to you both for the helpful explanation!

On 9/16/12 9:31 PM, "Martin J. Dürst" wrote:
> I wanted to make exactly the same comment as Mr. Kihara.
> 
> To give a simple example, when inputting the character/word
> "flower", most Japanese would type the four keys 'h', 'a', 'n',
> 'a', which simply corresponds to the pronunciation of that word,
> "hana". This is then converted to syllabic writing "はな", and from
> there to the actual character for flower, "花", as it would be used
> in everyday writing. However, there are other characters that are
> pronounced "hana", such as "華" (a variant character for flower), "
> 鼻" (nose), and so on. To select the correct character, various keys
> (space, arrow keys, number keys, return,...) are used. To make sure
> the right character is selected, the user has to *visually* check
> (-> shoulder attack) and confirm it.
> 
> As a result, as Mr. Kihara already explained, these characters are
> not used for passwords in Japanese. Because the same homophone
> problem for Han characters applies in Chinese and Korean, the
> situation is the same there.
> 
> In terms of entropy, Han characters would indeed contribute a lot,
> but because they require visual checking when entering, they are in
> general not suited for passwords.
> 
> Regards,    Martin.
> 
> On 2012/09/15 3:35, KIHARA, Boku wrote:
>> 2012/9/15 Peter Saint-Andre<stpeter@stpeter.im>:
>>> On 9/14/12 9:09 AM, KIHARA, Boku wrote:
>>>> <off-topic>  I heard a discussion about i18n of passwords:
>>>> about Chinese characters (of course used in Japan too), there
>>>> are many characters that have the same pronunciations so they
>>>> are input by input method software. Users type sentences in
>>>> latin characters (such as pinyin and roma-ji) then pick
>>>> intended characters from candidates. When inputting
>>>> passwords, typically input method software are disabled and
>>>> userstype unconverted characters. As a result, passwords
>>>> become within ascii range. The problem might be more
>>>> noticeable in non-ascii locales where characters are input 
>>>> directly from keyboards.
>>> 
>>> Hello Kihara-san,
>>> 
>>> Could you please clarify what you mean by "unconverted
>>> characters"? It seems that you mean these are characters from
>>> the ASCII range not converted into their CJ equivalents, but
>>> I'd like to make sure.
>> 
>> Exactly. I meant they are ASCII characters that are not processed
>> by input method software. In Japan, the input process is often
>> called "Kanji Henkan" (Chinese characters conversion) so I used
>> the word.
>> 
>>>> By the way, I think i18ning passwords in at least CJ locales
>>>> will cause another problem that conversion process can be
>>>> vulnerable to shoulder attacks :<
>>> 
>>> When you say "i18ning passwords", do you mean allowing
>>> characters outside the ASCII range?
>>> 
>>> Of course, we like to enable lots of entropy in passwords, so
>>> limiting the allowable characters to the ASCII range would be
>>> at odds with that desire.
>> 
>> By all means passwords should become more secure and allowing
>> non-ASCII characters is very good way. I only intended to notice
>> that there may be issues to be solved and I am sorry if my
>> message was misleading.
>> 
>>> By the way, some of these considerations are relevant to
>>> SASLprep (RFC 4013) and its proposed replacement 
>>> (draft-melnikov-precis-saslprepbis), so I hope you will review
>>> the latter specification and provide feedback on the
>>> precis@ietf.org and kitten@ietf.org lists. :)
>> 
>> Sure. I hope my little knowledge can help...:<
>> 
>> Regards, Boku KIHARA 
>> _______________________________________________ http-auth mailing
>> list http-auth@ietf.org 
>> https://www.ietf.org/mailman/listinfo/http-auth
>> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBXRSAACgkQNL8k5A2w/vxfgQCfQl0TqTIQex9LRc8MpaROTxQ5
T7IAoNN3btWWwZC84ys15thBxPae3Ph8
=EKh/
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email