
Re: WG Last Call: draft-ietf-sasl-scram-02




On 7/13/09 8:17 PM, Tom Yu wrote:
> This message commences a WG Last Call on the following Internet-Draft:
> 
> 	Title           : Salted Challenge Response (SCRAM) SASL Mechanism

Although the WGLC is officially over, I have a question about the use of
SASLprep.

The SCRAM I-D (draft-ietf-sasl-scram-04) says the following:

   Before sending the username to the server, the client MUST
   prepare the username using the "SASLPrep" profile [RFC4013]
   of the "stringprep" algorithm [RFC3454].

In XMPP, we have traditionally used a different stringprep profile
("nodeprep") to prepare usernames. As far as I can see, nodeprep is more
strict than SASLprep. Therefore, any username which is prepared
according to nodeprep would be safe according to SASLprep.

Instead of requiring the application of SASLprep, I would prefer wording
such as this:

   Before sending the username to the server, the client MUST
   ensure that the username is formatted such that the "SASLPrep"
   profile [RFC4013] of the "stringprep" algorithm [RFC3454] can be
   applied to it without failing.

(We have similar wording in RFC 3920 and in rfc3920bis.)

Peter

--
Peter Saint-Andre
https://stpeter.im/


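As an added illustration, not part of this message or of the SCRAM draft: a minimal SASLprep (RFC 4013) and XMPP nodeprep built from Python's standard-library stringprep tables, so the relationship Peter describes can be checked directly. The nodeprep details (B.2 case folding, ASCII space prohibited, the extra prohibited characters) are reconstructed from RFC 3920 Appendix A as an assumption; `can_prepare` is the "can be applied without failing" check of the proposed wording.

```python
import stringprep
import unicodedata

# Extra characters that XMPP nodeprep (RFC 3920, Appendix A) prohibits on
# top of the stringprep tables; taken from the RFC, not from this message.
NODEPREP_EXTRA = set('"&\'/:<>@')

def _prohibited(ch: str) -> bool:
    """Prohibited-output tables shared by SASLprep and nodeprep:
    C.1.2, C.2.1/C.2.2, C.3 .. C.9, plus A.1 unassigned (stored-string rule)."""
    return (stringprep.in_table_c12(ch) or stringprep.in_table_c21_c22(ch)
            or stringprep.in_table_c3(ch) or stringprep.in_table_c4(ch)
            or stringprep.in_table_c5(ch) or stringprep.in_table_c6(ch)
            or stringprep.in_table_c7(ch) or stringprep.in_table_c8(ch)
            or stringprep.in_table_c9(ch) or stringprep.in_table_a1(ch))

def _check_bidi(s: str) -> None:
    """RFC 3454 section 6: a string containing any RandALCat (D.1) character
    must contain no LCat (D.2) character and must start and end with RandALCat."""
    if any(stringprep.in_table_d1(ch) for ch in s):
        if any(stringprep.in_table_d2(ch) for ch in s):
            raise ValueError("mixed RandALCat and LCat characters")
        if not (stringprep.in_table_d1(s[0]) and stringprep.in_table_d1(s[-1])):
            raise ValueError("RandALCat string must start and end with RandALCat")

def saslprep(s: str) -> str:
    """SASLprep (RFC 4013): B.1 removed, C.1.2 mapped to SPACE, NFKC, then
    prohibited-output and bidi checks. Raises ValueError where it must fail."""
    mapped = ''.join(' ' if stringprep.in_table_c12(ch) else ch
                     for ch in s if not stringprep.in_table_b1(ch))
    out = unicodedata.normalize('NFKC', mapped)
    for ch in out:
        if _prohibited(ch):
            raise ValueError("SASLprep prohibits U+%04X" % ord(ch))
    _check_bidi(out)
    return out

def nodeprep(s: str) -> str:
    """XMPP nodeprep (RFC 3920, Appendix A, assumed): B.1 removed, B.2 case
    folding, NFKC; also prohibits ASCII space (C.1.1) and NODEPREP_EXTRA."""
    mapped = ''.join(stringprep.map_table_b2(ch)
                     for ch in s if not stringprep.in_table_b1(ch))
    out = unicodedata.normalize('NFKC', mapped)
    for ch in out:
        if ch in NODEPREP_EXTRA or stringprep.in_table_c11(ch) or _prohibited(ch):
            raise ValueError("nodeprep prohibits U+%04X" % ord(ch))
    _check_bidi(out)
    return out

def can_prepare(prep, s: str) -> bool:
    """The proposed wording: the profile can be applied without failing."""
    try:
        prep(s)
    except ValueError:
        return False
    return True
```

Because nodeprep output is already NFKC, case-folded and free of every character SASLprep maps or rejects, SASLprep leaves a nodeprep-prepared username unchanged, which is the property the message relies on.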