IETF-SSH archive


Re: Normalization of passwords in SASL and SSH



>>>>> "Niels" == Niels Möller <nisse%lysator.liu.se@localhost> writes:


    Niels> If I understand your proposal, as it applies to ssh, you're
    Niels> suggesting that we should

    Niels> 1. Strike the new text on normalization, in effect
    Niels> reverting to what was in older drafts
    Niels> (e.g. draft-ietf-secsh-userauth-18.txt says "Note that the
    Niels> password is encoded in ISO-10646 UTF-8. It is up to the
    Niels> server how it interprets the password and validates it
    Niels> against the password database.").

    Niels> 2. Add some new text saying that we recommend that systems
    Niels> supporting non-ascii passwords always normalize passwords
    Niels> and usernames whenever they are added to the database, or
    Niels> compared (with or without hashing) to existing entries in
    Niels> the database.

And say that ssh implementations that both store the passwords and
compare them SHOULD use saslprep for normalization.
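
The store-and-compare recommendation discussed above, as an added example that is not part of the original message or of any ssh implementation: SASLprep (RFC 4013) built on Python's standard `stringprep` tables and applied both when a password is enrolled and when it is checked. The function names, the PBKDF2 storage scheme and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import stringprep
import unicodedata

# Prohibited output for the SASLprep profile (RFC 4013 section 2.3), plus
# unassigned code points (table A.1), which are rejected in stored strings.
_PROHIBITED = (
    stringprep.in_table_c12, stringprep.in_table_c21_c22, stringprep.in_table_c3,
    stringprep.in_table_c4, stringprep.in_table_c5, stringprep.in_table_c6,
    stringprep.in_table_c7, stringprep.in_table_c8, stringprep.in_table_c9,
    stringprep.in_table_a1,
)

def saslprep(s: str) -> str:
    # Map: non-ASCII spaces (C.1.2) become U+0020; table B.1 characters are dropped.
    mapped = "".join(" " if stringprep.in_table_c12(c) else c
                     for c in s if not stringprep.in_table_b1(c))
    # Normalize with NFKC over the Unicode 3.2 data that stringprep is defined on.
    out = unicodedata.ucd_3_2_0.normalize("NFKC", mapped)
    if any(check(c) for c in out for check in _PROHIBITED):
        raise ValueError("prohibited or unassigned code point")
    # Bidi rule (RFC 3454 section 6): right-to-left text must not contain
    # left-to-right letters and must begin and end with a right-to-left one.
    if any(stringprep.in_table_d1(c) for c in out):
        if any(stringprep.in_table_d2(c) for c in out):
            raise ValueError("mixed RandALCat and LCat characters")
        if not (stringprep.in_table_d1(out[0]) and stringprep.in_table_d1(out[-1])):
            raise ValueError("RandALCat string must start and end with RandALCat")
    return out

def _kdf(prepared: str, salt: bytes) -> bytes:
    # Assumed storage scheme for this sketch: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", prepared.encode("utf-8"), salt, 100_000)

def store_password(password: str):
    # Normalize when the entry is added to the database.
    salt = os.urandom(16)
    return salt, _kdf(saslprep(password), salt)

def check_password(password: str, salt: bytes, digest: bytes, normalize: bool = True) -> bool:
    # Normalize again when the received password is compared to the entry.
    candidate = saslprep(password) if normalize else password
    return hmac.compare_digest(_kdf(candidate, salt), digest)

# Constructed sample: the same visible password typed on two different clients.
ENROLLED = "caf\u00e9 pw"        # precomposed e-acute, ASCII space
TYPED = "cafe\u0301\u00a0pw"     # e + combining acute, no-break space
```

With `normalize=False` the two byte sequences hash differently and the login fails even though the user typed the same password.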



