[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Future of SASLprep

To: Simon Josefsson <simon@xxxxxxxxxxxxx>
Subject: Re: Future of SASLprep
From: Kurt Zeilenga <Kurt.Zeilenga@xxxxxxxxx>
Date: Tue, 12 Aug 2008 09:32:51 -0700
Cc: ietf-sasl@xxxxxxx
In-reply-to: <87tzdqa683.fsf_-_@xxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
References: <ldvlki6dqqu.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxx> <45F84F97.3B0D@xxxxxxxxxxxxxxxxx> <C51775F9-C7C7-435B-9D17-DDA0761DCBAB@xxxxxxxxx> <g7qd9g$lvi$1@xxxxxxxxxxxxx> <87tzdqa683.fsf_-_@xxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-sasl@xxxxxxxxxxxx



On 12 Aug 2008, at 3:16 AM, Simon Josefsson wrote:


"Frank Ellermann" <nobody@xxxxxxxxxxxxxxxxx> writes:

I'm fine with using SASLprep "everywhere" (incl. CRAM-MD5)
in SASL, or maybe switch to RFC 5198 "everywhere" when it
turns out that SASLprep is not implemented.


Given how poor SASLprep works in practice (*), I think this could be
discussed (but separately from CRAM-MD5).

The IDNAbis effort seems now well under way, and it seems clear we
cannot re-use much of their work since they abandon the StringPrep
approach.

I think we can re-use, at a minimum, their approach for moving awayfrom StringPrep.

In revising RFC 4013, as I noted during the IETF#72 session, was torework SASLprep such that algorithm would not rely, to the extentpossible, tables tied to a particular version of Unicode but insteadrely largely on Unicode properties. Like in the IDNAbis work, theremay be a need for an "exceptions" table. Hopefully use of the"exceptions" table will be limited to, well, truly exceptional cases.

It is my intent to SASprepbis to be produce the same output asSASLprep when used with Unicode 3.2.


-- Kurt

Passwords have quite different properties than domain names:
it is normal and encouraged for passwords to contain characters from
different scripts.  For example, some of the steps made by current
SASLprep reduces entropy (e.g., translates ª to a), which seems like a

property we failed to discuss at the time. We cannot re-use much ofthe

output from the IDNAbis design discussions either, because they are
based on different assumptions.

The discussions about Unicode versioning in RFC 5198 is better than in
SASLprep.  Some elements of SASLprep, such as prohibiting certain
non-printable characters is useful.

Possibly SASLprep2 could be a profile of RFC 5198: applying certain
algorithmic tests to restrict some characters on top of the RFC 5198
output.

/Simon

(*) Primarily because of the restriction to Unicode 3.2, but partly
because it hasn't been widely implemented.

Follow-Ups:
- Re: Future of SASLprep
  - From: Sam Hartman

References:
- WG Last Call: draft-ietf-sasl-crammd5-08.txt
  - From: Tom Yu
- Interoperability (was: WG Last Call: draft-ietf-sasl-crammd5-08.txt)
  - From: Frank Ellermann
- Re: Interoperability (was: WG Last Call: draft-ietf-sasl-crammd5-08.txt)
  - From: Kurt Zeilenga
- Re: Interoperability
  - From: Frank Ellermann
- Future of SASLprep
  - From: Simon Josefsson

Prev by Date: Re: Security
Next by Date: Re: tls-unique-using-prf considered harmful
Previous by thread: Re: Future of SASLprep
Next by thread: Re: Future of SASLprep
Index(es):
- Date
- Thread