Re: Last Call: draft-ietf-sasl-scram

From: Kurt Zeilenga <Kurt.Zeilenga at Isode.com>
To: John C Klensin <john-ietf at jck.com>
Cc: Simon Josefsson <simon at josefsson.org>, ietf at ietf.org, sasl at ietf.org
Date: Tue, 15 Sep 2009 15:28:01 +0100
In-reply-to: <F71284B7686AFA8BA08A413F at PST.JCK.COM>
References: <20090914135110.AEED13A67FE at core3.amsl.com> <87r5u8r3i3.fsf at mocca.josefsson.org> <F71284B7686AFA8BA08A413F at PST.JCK.COM>

On Sep 15, 2009, at 2:41 PM, John C Klensin wrote:



--On Tuesday, September 15, 2009 10:55 +0200 Simon Josefsson
<simon at josefsson.org> wrote:

  Personally, in
the long term I would prefer to deprecate SASLprep in favor of
Net-UTF-8 (i.e., RFC 5198) for use in SASL applications.  I
believe "SHOULD use SASLprep" in SCRAM is a reasonable
trade-off considering these factors.


For whatever it is worth, I agree with this analysis.  I'm not
sure that RFC 5198 is an adequate substitute for SASLprep,

I am quite sure that RFC 5198 is not an adequate substitute forSASLprep as used in SCRAM to prepare usernames and passwords for(direct or indirect) comparison. Net-UTF8 is not designed to supportcomparison of user names and passwords composed of Unicode characters,but for the transmission of text.

but
it is far better than unrestricted UTF-8 (which, IMO, we should
no longer be recommending in any protocol that requires
comparison of strings).

Because of the unrestricted UTF-8 problem, and without taking a
position on deprecating SASLprep, my inclination would be to
strengthen Simon's proposed requirement a bit to "MUST use UTF-8
and SHOULD use SASLprep or at least Net-UTF-8" or its
equivalent.

I strongly oppose such an 'or' as SASLprep and Net-UTF-8 usesdifferent Unicode normalization algorithms. Such an or would lead totwo classes of implementations (or modes of operation) that would notinteroperate.

I believe the intent of the SASL WG was for SASLprep to be used herein accordance with RFC 4422. If folks believe that wasn't the intentof SASL WG, or believe consensus of the SASL WG is unclear here, the I-D ought to be remanded to the WG for a consensus determination.


Alternately, I believe that any string that would successfully
come out of SASLprep would conform to Net-UTF-8, i.e., that the
set of valid SASLprep strings is a proper subset of the set of
valid Net-UTF-8 strings.   If that were true -- and someone with
significant Unicode normalization and SASLprep
knowledge/experience would need to verify it-- then "MUST use
Net-UTF-8 [RFC 5198] and SHOULD use SASLprep" would be an even
better formulation (perhaps with a note about that subset
relationship).

RFC 5198 says 'all character sequences SHOULD be normalized accordingto Unicode normalization form "NFC" (see Section 3).'RFC 4013 says 'This profile specifies using Unicode normalization formKC, as described in Section 4 of [StringPrep].'


   john




_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www.ietf.org/mailman/listinfo/ietf

Follow-Ups:
- Re: Last Call: draft-ietf-sasl-scram
  - From: John C Klensin
- Re: [sasl] Last Call: draft-ietf-sasl-scram
  - From: Nicolas Williams

References:
- Re: Last Call: draft-ietf-sasl-scram
  - From: Simon Josefsson
- Re: Last Call: draft-ietf-sasl-scram
  - From: John C Klensin

Prev by Date: Re: Last Call: draft-ietf-sasl-scram
Next by Date: Re: Last Call: draft-ietf-sasl-scram (Salted Challenge Response (SCRAM) SASL and GSS-API Mechanism) to Proposed Standard
Previous by thread: Re: Last Call: draft-ietf-sasl-scram
Next by thread: Re: [sasl] Last Call: draft-ietf-sasl-scram
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: Last Call: draft-ietf-sasl-scram

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.