Re: [P2PSIP] RELOAD Base issue: stringprep of password

Dean Willis <dean.willis@softarmor.com> Wed, 14 November 2012 19:44 UTC


Cullen, Ekr and I discussed this today, and Cullen solicited input from Peter Saint-Andre.


Peter says: 

As to the charset issue, it seems safest to specify that the charset must be UTF-8 (we don't want to end up with something like charset=windows-1250 as in Section 4.5 of RFC 2388). 

As to preparation of usernames and passwords, it seems safest right now to say that these strings shall be prepared in accordance with SASLprep (RFC 4013) prior to comparison -- see RFC 4616 for text you could borrow.

[Eventually, perhaps even relatively soon in "RELOAD years", RFC 4013 will be obsoleted by draft-melnikov-precis-saslprepbis; however, you might prefer not to gate RELOAD on output from the PRECIS WG.]



On Nov 9, 2012, at 10:30 AM, Dean Willis wrote:

> 
> AD comment:
> 
> Section 11.3: What character set is allowed for passwords? What if something is URL escaped - what's going to match? I'm sure you can copy from somewhere else, not quite sure what's best though.
> 
> 
> Since we're doing passwords in a POST form, I don't know that URL escaping is an issue. Do we have other stringprep issues? Is there something we can crib from elsewhere for this spec?
> 
> --
> Dean
>
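
The two recommendations in the message above (require UTF-8, and prepare both strings with SASLprep before comparing) can be sketched as follows. This is an added example, not text from the thread or from the RELOAD draft; the function names `saslprep` and `password_matches` are illustrative, and the code uses only Python's standard `stringprep` and `unicodedata` modules.

```python
import hmac
import stringprep
import unicodedata

# Prohibited-output tables named in RFC 4013, section 2.3.
PROHIBITED = (
    stringprep.in_table_c12, stringprep.in_table_c21_c22,
    stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
    stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
    stringprep.in_table_c9,
)

def saslprep(text, stored=True):
    """Return the SASLprep form of text, or raise ValueError if prohibited."""
    # Map: drop "mapped to nothing" (B.1); turn non-ASCII spaces (C.1.2) into U+0020.
    mapped = "".join(" " if stringprep.in_table_c12(ch) else ch
                     for ch in text if not stringprep.in_table_b1(ch))
    # Normalize: NFKC against the Unicode 3.2 data that stringprep is defined on.
    out = unicodedata.ucd_3_2_0.normalize("NFKC", mapped)
    for ch in out:
        if any(check(ch) for check in PROHIBITED):
            raise ValueError("prohibited code point U+%04X" % ord(ch))
        # Unassigned code points are rejected in stored strings, allowed in queries.
        if stored and stringprep.in_table_a1(ch):
            raise ValueError("unassigned code point U+%04X" % ord(ch))
    # Bidi (RFC 3454, section 6): no mixing of RandALCat and LCat, and a
    # string containing RandALCat must start and end with RandALCat.
    if any(stringprep.in_table_d1(ch) for ch in out):
        if any(stringprep.in_table_d2(ch) for ch in out):
            raise ValueError("mixed right-to-left and left-to-right text")
        if not (stringprep.in_table_d1(out[0]) and stringprep.in_table_d1(out[-1])):
            raise ValueError("right-to-left text must start and end with RandALCat")
    return out

def password_matches(presented: bytes, stored_password: str) -> bool:
    """Compare a password from the wire (bytes, must be UTF-8) with the stored one."""
    try:
        candidate = saslprep(presented.decode("utf-8"), stored=False)
        reference = saslprep(stored_password, stored=True)
    except (UnicodeDecodeError, ValueError):
        return False  # wrong charset or prohibited characters: verification fails
    if not candidate:
        return False  # empty after preparation: fail, as RFC 4616 specifies
    return hmac.compare_digest(candidate.encode("utf-8"), reference.encode("utf-8"))
```

Bytes submitted in another charset such as windows-1250 fail the UTF-8 decode and are rejected instead of being compared under a different interpretation.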