
Re: WG Last Call: draft-ietf-sasl-scram-02




On Mon Aug 10 21:01:13 2009, Peter Saint-Andre wrote:
> Instead of requiring the application of SASLprep, I would prefer wording
> such as this:
>
>    Before sending the username to the server, the client MUST
>    ensure that the username is formatted such that the "SASLPrep"
>    profile [RFC4013] of the "stringprep" algorithm [RFC3454] can be
>    applied to it without failing.


Although initially my thought was this wasn't needed, I wondered about the consequences.

It seems to me that, unless we assume that both client and server will always have precisely the same concept of "SASLprep", then one would assume the server would always have to apply SASLprep anyway.

SASLprep is also bound to change - either gradual changes in Unicode will cause problems sufficient to cause a rewrite, or we'll change SASLprep itself to be a property-based, instead of table-based, mechanism, and the gradual changes will filter through to implementations.

I'm inclined, therefore, to suggest that not only is this text reasonable, but the "MUST" can probably be reduced to a SHOULD.

Dave.
--
Dave Cridland - mailto:dave@xxxxxxxxxxxx - xmpp:dwd@xxxxxxxxxxxxxxxxx
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
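
The server-side case raised in this message, as an added example that is not part of the original post or of the draft: a server that applies SASLprep (RFC 4013) to whatever username arrives, so a client that already prepared the name and one that did not resolve to the same account key, and a name on which the profile fails is rejected. It uses Python's standard `stringprep` tables, which are pinned to Unicode 3.2; `server_account_key` and the sample inputs are assumptions made for illustration.

```python
import stringprep
from unicodedata import ucd_3_2_0  # RFC 3454 is pinned to Unicode 3.2

# RFC 4013 section 2.3 prohibited output (tables from RFC 3454 appendix C)
PROHIBITED = (stringprep.in_table_c12, stringprep.in_table_c21_c22,
              stringprep.in_table_c3, stringprep.in_table_c4,
              stringprep.in_table_c5, stringprep.in_table_c6,
              stringprep.in_table_c7, stringprep.in_table_c8,
              stringprep.in_table_c9)

def saslprep(s, allow_unassigned=False):
    """Apply SASLprep; raise ValueError where the profile fails."""
    # Map: drop "mapped to nothing" (B.1), non-ASCII spaces (C.1.2) to U+0020
    s = "".join(" " if stringprep.in_table_c12(c) else c
                for c in s if not stringprep.in_table_b1(c))
    s = ucd_3_2_0.normalize("NFKC", s)  # Normalize
    for c in s:
        if any(table(c) for table in PROHIBITED):
            raise ValueError("prohibited code point U+%04X" % ord(c))
        # Table A.1 lists code points unassigned in Unicode 3.2, so the
        # outcome of this check depends on the tables an implementation ships
        if not allow_unassigned and stringprep.in_table_a1(c):
            raise ValueError("unassigned code point U+%04X" % ord(c))
    # Bidi (RFC 3454 section 6): RandALCat text must not contain LCat
    # characters and must start and end with a RandALCat character
    if any(stringprep.in_table_d1(c) for c in s):
        if any(stringprep.in_table_d2(c) for c in s):
            raise ValueError("mixed RandALCat and LCat characters")
        if not (stringprep.in_table_d1(s[0]) and stringprep.in_table_d1(s[-1])):
            raise ValueError("RandALCat text must start and end with RandALCat")
    return s

def server_account_key(received_username):
    """Hypothetical server hook: prepare whatever arrived; None means reject."""
    try:
        return saslprep(received_username) or None  # empty result is rejected
    except ValueError:
        return None

if __name__ == "__main__":
    # Constructed inputs, following the examples in RFC 4013 section 3
    for raw in ["I\u00adX", "IX", "\u2168", "user", "\u0007", "\u0627\u0031"]:
        print(repr(raw), "->", repr(server_account_key(raw)))
```
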