[precis] Fwd: Re: [http-auth] http-auth BOF
Peter Saint-Andre <stpeter@stpeter.im> Mon, 17 September 2012 15:43 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: precis@ietfa.amsl.com
Delivered-To: precis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2A9D21F867E for <precis@ietfa.amsl.com>; Mon, 17 Sep 2012 08:43:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.624
X-Spam-Level:
X-Spam-Status: No, score=-102.624 tagged_above=-999 required=5 tests=[AWL=-0.025, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Q8bqTX0gsI2 for <precis@ietfa.amsl.com>; Mon, 17 Sep 2012 08:43:59 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 0AB7121F8667 for <precis@ietf.org>; Mon, 17 Sep 2012 08:43:59 -0700 (PDT)
Received: from [64.101.72.115] (unknown [64.101.72.115]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id A3C0740D52 for <precis@ietf.org>; Mon, 17 Sep 2012 09:44:57 -0600 (MDT)
Message-ID: <5057453D.1040502@stpeter.im>
Date: Mon, 17 Sep 2012 09:43:57 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: "precis@ietf.org" <precis@ietf.org>
References: <50569984.10301@it.aoyama.ac.jp>
In-Reply-To: <50569984.10301@it.aoyama.ac.jp>
X-Enigmail-Version: 1.4.4
X-Forwarded-Message-Id: <50569984.10301@it.aoyama.ac.jp>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Subject: [precis] Fwd: Re: [http-auth] http-auth BOF
X-BeenThere: precis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Preparation and Comparison of Internationalized Strings <precis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/precis>, <mailto:precis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/precis>
List-Post: <mailto:precis@ietf.org>
List-Help: <mailto:precis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/precis>, <mailto:precis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Sep 2012 15:43:59 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Of interest regarding SASLprep... - -------- Original Message -------- Subject: Re: [http-auth] http-auth BOF Date: Mon, 17 Sep 2012 12:31:16 +0900 From: "Martin J. Dürst" <duerst@it.aoyama.ac.jp> Organization: Aoyama Gakuin University To: KIHARA, Boku <bkihara.l@gmail.com> CC: Peter Saint-Andre <stpeter@stpeter.im>, "http-auth@ietf.org" <http-auth@ietf.org> I wanted to make exactly the same comment as Mr. Kihara. To give a simple example, when inputting the character/word "flower", most Japanese would type the four keys 'h', 'a', 'n', 'a', which simply corresponds to the pronunciation of that word, "hana". This is then converted to syllabic writing "はな", and from there to the actual character for flower, "花", as it would be used in everyday writing. However, there are other characters that are pronounced "hana", such as "華" (a variant character for flower), "鼻" (nose), and so on. To select the correct character, various keys (space, arrow keys, number keys, return,...) are used. To make sure the right character is selected, the user has to *visually* check (-> shoulder attack) and confirm it. As a result, as Mr. Kihara already explained, these characters are not used for passwords in Japanese. Because the same homophone problem for Han characters applies in Chinese and Korean, the situation is the same there. In terms of entropy, Han characters would indeed contribute a lot, but because they require visual checking when entering, they are in general not suited for passwords. Regards, Martin. On 2012/09/15 3:35, KIHARA, Boku wrote: > 2012/9/15 Peter Saint-Andre<stpeter@stpeter.im>: >> On 9/14/12 9:09 AM, KIHARA, Boku wrote: >>> <off-topic> I heard a discussion about i18n of passwords: >>> about Chinese characters (of course used in Japan too), there >>> are many characters that have the same pronunciations so they >>> are input by input method software. Users type sentences in >>> latin characters (such as pinyin and roma-ji) then pick >>> intended characters from candidates. When inputting passwords, >>> typically input method software are disabled and userstype >>> unconverted characters. As a result, passwords become within >>> ascii range. The problem might be more noticeable in non-ascii >>> locales where characters are input directly from keyboards. >> >> Hello Kihara-san, >> >> Could you please clarify what you mean by "unconverted >> characters"? It seems that you mean these are characters from the >> ASCII range not converted into their CJ equivalents, but I'd like >> to make sure. > > Exactly. I meant they are ASCII characters that are not processed > by input method software. In Japan, the input process is often > called "Kanji Henkan" (Chinese characters conversion) so I used the > word. > >>> By the way, I think i18ning passwords in at least CJ locales >>> will cause another problem that conversion process can be >>> vulnerable to shoulder attacks :< >> >> When you say "i18ning passwords", do you mean allowing >> characters outside the ASCII range? >> >> Of course, we like to enable lots of entropy in passwords, so >> limiting the allowable characters to the ASCII range would be at >> odds with that desire. > > By all means passwords should become more secure and allowing > non-ASCII characters is very good way. I only intended to notice > that there may be issues to be solved and I am sorry if my message > was misleading. > >> By the way, some of these considerations are relevant to SASLprep >> (RFC 4013) and its proposed replacement >> (draft-melnikov-precis-saslprepbis), so I hope you will review >> the latter specification and provide feedback on the >> precis@ietf.org and kitten@ietf.org lists. :) > > Sure. I hope my little knowledge can help...:< > > Regards, Boku KIHARA > _______________________________________________ http-auth mailing > list http-auth@ietf.org > https://www.ietf.org/mailman/listinfo/http-auth > -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.18 (Darwin) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBXRT0ACgkQNL8k5A2w/vyBnQCgqHqmsFLuNJIPqa6YzeQVHotc 8xMAni0OJ+lRavA1CHfc5m+H5imQ+87U =+6Ex -----END PGP SIGNATURE-----
- [precis] Fwd: Re: [http-auth] http-auth BOF Peter Saint-Andre