Re: [Emu] Revised sections for Issue #18 (Internationalization)

["Joseph Salowey (jsalowey)" <jsalowey at cisco.com>]

I'd like to see if we can close on this issue soon.  The main use case
we are targeting is one where the password is sent to the server.  We do
not know how the server will do the comparison.   Given that this is a
requirement document I don't think we need to have the full solution
described.  Can you two work out some proposed text to go in the
requirements document on this issue with usernames and passwords?  

Thanks,

Joe 

> -----Original Message-----
> From: emu-bounces at ietf.org [mailto:emu-bounces at ietf.org] On 
> Behalf Of Simon Josefsson
> Sent: Friday, September 25, 2009 3:56 AM
> To: Alan DeKok
> Cc: emu at ietf.org
> Subject: Re: [Emu] Revised sections for Issue #18 
> (Internationalization)
> 
> Alan DeKok <aland at deployingradius.com> writes:
> 
> > Simon Josefsson wrote:
> >> Right.  My point is that the one needs to weight this 
> approach to a 
> >> system which does not use normalization but instead use 
> >> internationalized comparison rules.
> >
> >   How do you do internationalized comparisons on hashed passwords?
> >
> >   All you have is the hash.  And if the passwords input to the hash 
> > aren't the same (i.e. non-normalized), then you're 
> *guaranteed* that 
> > the hashes won't match.
> 
> Right.  Hashed passwords is one example of when 
> internationalized comparisons wouldn't work.  I'm sorry if 
> this wasn't clear in my earlier note.
> 
> However there is a risk that normalization _introduce_ 
> differences: if two systems use different normalization 
> algorithms that leads to different outputs for the same 
> input, the hashes won't match either.
> 
> /Simon
> _______________________________________________
> Emu mailing list
> Emu at ietf.org
> https://www.ietf.org/mailman/listinfo/emu
>