Re: [sasl] Last Call: draft-ietf-sasl-scram

From: Arnt Gulbrandsen <arnt at gulbrandsen.priv.no>
To: ietf at ietf.org
Cc: John C Klensin <john-ietf at jck.com>, simon at josefsson.org, sasl at ietf.org, Kurt.Zeilenga at isode.com, Nicolas Williams <Nicolas.Williams at sun.com>
Date: Tue, 22 Sep 2009 19:29:58 +0200
In-reply-to: <20090922164242.GP1033 at Sun.COM>
References: <20090914135110.AEED13A67FE at core3.amsl.com> <87r5u8r3i3.fsf at mocca.josefsson.org> <F71284B7686AFA8BA08A413F at PST.JCK.COM> <9BB65FCF-4AAE-48E3-B9C4-92D4EA67AD7E at Isode.com> <073C47FCFB12091A9BD76767 at PST.JCK.COM> <808FD6E27AD4884E94820BC333B2DB773C096525BC at NOK-EUMSG-01.mgdnok.nokia.com> <FBBAB2774AC76548C60B4789 at PST.JCK.COM> <20090922164242.GP1033 at Sun.COM>

IMO, this is a close relative of a different problem, one that's old andwell-understood: Characters that shift to different keys when you crossa boundary.

I (now) live in Germany and come from Norway. Germany has Y and Zswapped. Shortly after I started travelling to Germany, I stopped usingY and Z in passwords. They were too much trouble. This is (at leastamong the people I know) the common solution.

I may well be making a silly mistake, but my gut says that thecompatibility mappings will not have a serious enough impact onpassword entropy that we must make an effort to migrate fromSASLprep.

I agree, because I think that if a character doesn't have a reliable,unchanging representation, then using that character in a passwordtoday is begging for trouble. Can't be typed on the wrong keyboard/OK,can't be transmitted through a program that happens to normalize theright/wrong way, etc.


Arnt

References:
- Re: Last Call: draft-ietf-sasl-scram
  - From: Simon Josefsson
- Re: Last Call: draft-ietf-sasl-scram
  - From: John C Klensin
- Re: Last Call: draft-ietf-sasl-scram
  - From: Kurt Zeilenga
- Re: Last Call: draft-ietf-sasl-scram
  - From: John C Klensin
- RE: Last Call: draft-ietf-sasl-scram
  - From: Pasi.Eronen
- RE: Last Call: draft-ietf-sasl-scram
  - From: John C Klensin
- Re: [sasl] Last Call: draft-ietf-sasl-scram
  - From: Nicolas Williams

Prev by Date: Re: [IAB] [rfc-i] path forward with RFC 3932bis
Next by Date: Re: China venue survey
Previous by thread: Re: [sasl] Last Call: draft-ietf-sasl-scram
Next by thread: RE: Last Call: draft-ietf-sasl-scram
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: [sasl] Last Call: draft-ietf-sasl-scram

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.