[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft-ietf-sasl-rfc2222bis-02 comments

To: "Kurt D. Zeilenga" <Kurt@xxxxxxxxxxxx>
Subject: Re: draft-ietf-sasl-rfc2222bis-02 comments
From: Alexey Melnikov <Alexey.Melnikov@xxxxxxxxx>
Date: Sat, 18 Oct 2003 20:56:55 +0100
Cc: Hallvard B Furuseth <h.b.furuseth@xxxxxxxxxxx>, ietf-sasl@xxxxxxx
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
References: <> <> <>
Sender: owner-ietf-sasl@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)

Kurt D. Zeilenga wrote:

At 04:52 AM 10/8/2003, Alexey Melnikov wrote:
In order to avoid noninteroperability due to differing normalizations, when a mechanism specifies that a string authentication identity or password used as input to a cryptographic function (or used for comparison) it SHOULD specify that the string first be prepared using the "SASLPrep" profile [SASLPrep], of the "stringprep" algorithm [StringPrep]. This should be done by both the client (upon getting user input or retrieving a value from configuration) and by the server (upon receiving the value from the client).
What's the point of this duplicate preparation?  Why not do it only
at the server side?
Because if the client doesn't do that, the hash calculated on the server will not match the one calculated on the client.
Alexey, the current text suggests that client (1) prep the
value before sending, the server then preps it (2) again
(before comparing it to the store value, which also should
be prep'ed (3) either before storing it or before each compare).

Ok, I am with you now.

IMHO, as a server writer, I would do (2) anyway. But of course this is my personal opinion.

However there is one case when all three may make sense. Imagine that there are two clients that use PLAIN. One of the prepares username/password, the other one doesn't. If the server also does preparation, it will be able to interoperate with both clients.


We need to REQUIRE that mechanisms specify how character strings
are to be prepared for comparison and RECOMMEND that they use
SASLprep for simple user names and passwords.

We should not suggest that mechanisms should do both (1) and
(2).  (1) and (3) OR (2) or (3) are sufficient to ensure
proper matching.

IMHO, this is a responsibility of the client, so I will clarify that. But I will add that the server "MAY prepare".

Alexey

__________________________________________
Isode Limited, http://www.isode.com

Cell: +44 7753759732

IETF standard related pages:
http://orthanc.ab.ca/mel/devel/Links.html

Personal Home Page: http://orthanc.ab.ca/mel
__________________________________________

Follow-Ups:
- Re: draft-ietf-sasl-rfc2222bis-02 comments
  - From: Sam Hartman
- Re: draft-ietf-sasl-rfc2222bis-02 comments
  - From: Alexey Melnikov

References:
- draft-ietf-sasl-rfc2222bis-02 comments
  - From: Hallvard B Furuseth
- Re: draft-ietf-sasl-rfc2222bis-02 comments
  - From: Alexey Melnikov
- Re: draft-ietf-sasl-rfc2222bis-02 comments
  - From: Kurt D. Zeilenga

Prev by Date: Re: draft-ietf-sasl-rfc2222bis-02 comments
Next by Date: Re: draft-ietf-sasl-rfc2222bis-02 comments
Previous by thread: Re: draft-ietf-sasl-rfc2222bis-02 comments
Next by thread: Re: draft-ietf-sasl-rfc2222bis-02 comments
Index(es):
- Date
- Thread