IETF Logo Mail Archive

Re: [precis] Review of draft-melnikov-precis-saslprepbis-03

"Matt Miller (mamille2)" <mamille2@cisco.com> Fri, 21 September 2012 14:55 UTC

Return-Path: <mamille2@cisco.com>
X-Original-To: precis@ietfa.amsl.com
Delivered-To: precis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B15821F8820 for <precis@ietfa.amsl.com>; Fri, 21 Sep 2012 07:55:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.26
X-Spam-Level:
X-Spam-Status: No, score=-10.26 tagged_above=-999 required=5 tests=[AWL=-0.261, BAYES_00=-2.599, J_CHICKENPOX_14=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7AV9DzsIkNPL for <precis@ietfa.amsl.com>; Fri, 21 Sep 2012 07:55:02 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id 816A521F881D for <precis@ietf.org>; Fri, 21 Sep 2012 07:55:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7962; q=dns/txt; s=iport; t=1348239302; x=1349448902; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=Vhq2gTIslVMtCdOIFex7Ca42tHm3ZvpHTHVkaJ7fPdU=; b=mlBBk4rmBHaDUg7GntKYomH9n6GgZRAJgNURqBWM94v5WqxPCW0yYzJQ CggVeRFGYCXz+/I48hrzUb8aVNIFxXfG55jWk+W7Xpl/Db1TaGEyTD7IH Un7qI3KAH3mMiOCux6e0X3ql2lOZa6V/0qDa6XmTs2wAuFEyWmZ8tTSUh Q=;
X-Files: smime.p7s, PGP.sig : 2214, 535
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av4EAIp+XFCtJV2b/2dsb2JhbABFvhGBCIIgAQEBAwESAV0JBQsCAQgYGBYCMCUCBA4FDhSHXQYLmSegF4scgwiCPmADjmqBIIVagRWNJIFpgmeBWiIb
X-IronPort-AV: E=Sophos; i="4.80,463,1344211200"; d="sig'?p7s'?scan'208"; a="124030727"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-3.cisco.com with ESMTP; 21 Sep 2012 14:55:02 +0000
Received: from xhc-aln-x14.cisco.com (xhc-aln-x14.cisco.com [173.36.12.88]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id q8LEt1ZA030653 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 21 Sep 2012 14:55:01 GMT
Received: from xmb-aln-x11.cisco.com ([169.254.6.219]) by xhc-aln-x14.cisco.com ([173.36.12.88]) with mapi id 14.02.0318.001; Fri, 21 Sep 2012 09:55:01 -0500
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Thread-Topic: [precis] Review of draft-melnikov-precis-saslprepbis-03
Thread-Index: AQHNlP+WokQ1fNsRykSn+UGgjKzev5ePLHaAgAAcaQCABfMjgA==
Date: Fri, 21 Sep 2012 14:55:01 +0000
Message-ID: <27C17524-DB6B-45AB-90D2-38A77CAD91F2@cisco.com>
References: <20120914162208.30845.65648.idtracker@ietfa.amsl.com> <50535A6B.8010702@stpeter.im> <8FD6CBCE-60CD-4049-A0E6-B2388D6919DF@cisco.com> <817D19D4-1615-440A-8F75-DEAEFE0BEA58@isode.com> <5057821A.1050903@stpeter.im>
In-Reply-To: <5057821A.1050903@stpeter.im>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-pgp-agent: GPGMail 1.3.3
x-originating-ip: [64.101.72.40]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19200.001
x-tm-as-result: No--37.067700-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha1"; boundary="Apple-Mail-6-564922190"
MIME-Version: 1.0
Cc: "precis@ietf.org" <precis@ietf.org>
Subject: Re: [precis] Review of draft-melnikov-precis-saslprepbis-03
X-BeenThere: precis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Preparation and Comparison of Internationalized Strings <precis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/precis>, <mailto:precis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/precis>
List-Post: <mailto:precis@ietf.org>
List-Help: <mailto:precis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/precis>, <mailto:precis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Sep 2012 14:55:03 -0000

On Sep 17, 2012, at 14:03, Peter Saint-Andre wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 9/17/12 12:21 PM, Alexey Melnikov wrote:
> 
>> On 17 Sep 2012, at 19:09, "Matt Miller (mamille2)" 
>> <mamille2@cisco.com> wrote:
> 
> [I agree with the other points that Matt raised. Thanks for the review!]
> 
>>> * 3.2 (Passwords - Preparation) :: I do wonder about the
>>> rationale for step 2) (map all non-ASCII space to ASCII space).
>>> I myself have not run into conditions where this would matter,
>>> but I mostly deal with US-based consumers with passwords almost
>>> exclusively in the ASCII range.  On the surface, it seems a bit
>>> contradictory in principle to the "no bidi rule" rationale that
>>> is included. I'm not advocating for retention or removal of step
>>> 2), but rather for providing a rationale (one way or the other).
>> 
>> This rule was always in SASLPrep, so this is trying to preserve
>> some sort of backward compatibility. Whether it is a good enough
>> reason to keep the rule - I don't know.
> 

I just thought it a bit odd that there's a nice big paragraph explaining how a bidi rule would reduce entropy, but the mapping of all non-ASCII space to ASCII space (which would also reduce entropy, theoretically) is a single sentence.

However, I'm willing to more than happy to suspend my perceptions over this if others are content with the current text.

> This rule applied to stringprep via Appendix B.1 in RFC 3454:
> 
> http://tools.ietf.org/html/rfc3454#appendix-B.1
> 
> In the interest of full disclosure, the code points involved were:
> 
> U+00AD SOFT HYPHEN
> U+034F COMBINING GRAPHEME JOINER
> U+1806 MONGOLIAN TODO SOFT HYPHEN
> U+180B MONGOLIAN FREE VARIATION SELECTOR ONE
> U+180C MONGOLIAN FREE VARIATION SELECTOR TWO
> U+180D MONGOLIAN FREE VARIATION SELECTOR THREE
> U+200B ZERO WIDTH SPACE
> U+200C ZERO WIDTH NON-JOINER
> U+200D ZERO WIDTH JOINER
> U+2060 WORD JOINER
> U+FE00 VARIATION SELECTOR-1
> [...other variation selectors here...]
> U+FE0F VARIATION SELECTOR-13
> U+FEFF ZERO WIDTH NO-BREAK SPACE
> 
> As far as I can see, we have two alternatives for SASLprep-bis:
> 
> 1. Continue to map those code points to nothing.
> 
> 2. Disallow those code points by subclassing the FreeClass.
> 
> I don't have a strong feeling either way, although mapping to nothing
> has always struck me as a wimpy approach and I'd probably prefer to
> explicitly disallow unwanted code points...
> 

Well, about the first 1/3 of those are also listed in Appendix C.1.2, which were mapped to U+0020 in RFC 4013.

Specifically:

U+00A0 NO-BREAK SPACE
U+1680 OGHAM SPACE MARK
U+2000 EN QUAD
U+2001 EM QUAD
U+2002 EN SPACE
U+2003 EM SPACE
U+2004 THREE-PER-EM SPACE
U+2005 FOUR-PER-EM SPACE
U+2006 SIX-PER-EM SPACE
U+2007 FIGURE SPACE
U+2008 PUNCTUATION SPACE
U+2009 THIN SPACE
U+200A HAIR SPACE
U+200B ZERO WIDTH SPACE
U+202F NARROW NO-BREAK SPACE
U+205F MEDIUM MATHEMATICAL SPACE
U+3000 IDEOGRAPHIC SPACE

For the purposes of passwords, I don't really know if mapping {Zs} code points to U+0020 is a good idea or not.  On one side, more code points means more options (good IMO), but on the other hand I doubt these are values most "password" text entry widgets make easy (or even possible) to input in a predictable manner.

As for the rest of B.1, I'm more inclined to disallow (which I think is the case for FreeClass now) than map to nothing.


- m&m

Matt Miller - <mamille2@cisco.com>
Cisco Systems, Inc.

v2.23.0 | Report a Bug | By Email