IETF Logo Mail Archive

Re: i18n and RADIUS

Bernard Aboba <bernard_aboba@hotmail.com> Sat, 10 September 2011 06:24 UTC

Return-Path: <owner-radiusext@ops.ietf.org>
X-Original-To: ietfarch-radext-archive-IeZ9sae2@ietfa.amsl.com
Delivered-To: ietfarch-radext-archive-IeZ9sae2@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8768F21F8715 for <ietfarch-radext-archive-IeZ9sae2@ietfa.amsl.com>; Fri, 9 Sep 2011 23:24:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.338
X-Spam-Level:
X-Spam-Status: No, score=-102.338 tagged_above=-999 required=5 tests=[AWL=0.260, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kpAnc9Te8PQb for <ietfarch-radext-archive-IeZ9sae2@ietfa.amsl.com>; Fri, 9 Sep 2011 23:24:56 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by ietfa.amsl.com (Postfix) with ESMTP id 9011421F86E0 for <radext-archive-IeZ9sae2@lists.ietf.org>; Fri, 9 Sep 2011 23:24:56 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.76 (FreeBSD)) (envelope-from <owner-radiusext@ops.ietf.org>) id 1R2Guz-000414-2a for radiusext-data0@psg.com; Sat, 10 Sep 2011 06:19:57 +0000
Received: from blu0-omc1-s38.blu0.hotmail.com ([65.55.116.49]) by psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <bernard_aboba@hotmail.com>) id 1R2GrI-0003v5-K7 for radiusext@ops.ietf.org; Sat, 10 Sep 2011 06:16:08 +0000
Received: from BLU152-W25 ([65.55.116.7]) by blu0-omc1-s38.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Fri, 9 Sep 2011 23:16:03 -0700
Message-ID: <BLU152-W25223C97B2AA7EE62AADE193000@phx.gbl>
Content-Type: multipart/alternative; boundary="_8b928907-2eee-4bcf-9c2a-97b629d002c0_"
X-Originating-IP: [70.88.131.169]
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: "radiusext@ops.ietf.org" <radiusext@ops.ietf.org>
Subject: Re: i18n and RADIUS
Date: Fri, 09 Sep 2011 23:16:03 -0700
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 10 Sep 2011 06:16:03.0730 (UTC) FILETIME=[1E55B720:01CC6F81]
Sender: owner-radiusext@ops.ietf.org
Precedence: bulk
List-ID: <radiusext.ops.ietf.org>

It has occurred to me that the most fundamental mistake of RFC 4282 is the assertion that there is a single NAI encoding for every protocol.
In reality, the protocol in which the NAI is encoded makes the decision about the encoding.  Where the protocol is 8-bit clean and requires UTF-8 (both EAP and RADIUS fall in this category),   the encoding described in RFC 4282 does not apply.   EAP and RADIUS implementations can and do carry UTF-8 natively.  The only time a conversion from a U label to an A label would be required would be for a DNS lookup such as what is envisaged in the Dynamic Discovery document. 
That said, issues of internationalization could come up within specific EAP methods.  However,   not all methods utilize the same internationalization mechanisms.  For example, none of the authentication methods defined in RFC 3748 specify the use of SASLPREP, and as far as I am aware, no implementations of those methods (e.g. EAP-MD5) use it.   There is substantial variety in EAP methods defined elsewhere (compare say, EAP-EKE with EAP-TLS and EAP-MS-CHAP, for example).  
Given this, the following sentence in RFC 3748 Section 5 (quoted by PRECIS)  is not just inappropriate (the choice should be left to the method spec), but actually misleading because the methods defined in RFC 3748 do not in fact use SASLPREP. 
   EAP methods MAY support authentication based on shared secrets.  If
   the shared secret is a passphrase entered by the user,
   implementations MAY support entering passphrases with non-ASCII
   characters.  In this case, the input should be processed using an
   appropriate stringprep [RFC3454] profile, and encoded in octets using
   UTF-8 encoding [RFC2279].  A preliminary version of a possible
   stringprep profile is described in [SASLPREP].









 

Alan DeKok said:
  As discussed at the last IETF, RFC 4282 has some problems.  My draft
(expired) describes the issues, and proposes a way to address them.

  The Precis working group is looking at i18n issues across a wide
variety of protocols.  The framework document applies to RADIUS and to
EAP, though neither is explicitly mentioned:



http://tools.ietf.org/id/draft-blanchet-precis-framework-02.txt

  I'd recommend reading Section 3, which defines stringprep "classes"
for names and secrets.  Section 10 deals with "confusable" strings, and
says that applications need to find a way to deal with them.

  It looks like the work in Precis will allow RADIUS and EAP to continue
with their current way of dealing with names and passwords.  Since
neither RADIUS nor EAP show strings to users, "confusable" strings can
be avoided in the protocol transport.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email