IETF-SSH archive
Re: Normalization of passwords in SASL and SSH
>>>>> "Bill" == Bill Sommerfeld <sommerfeld%sun.com@localhost> writes:

Bill> (WG chair hat off. just my questions) Why should these
Bill> proposed rules apply only to passwords and not also to login
Bill> names? It seems like the core justification for server side
Bill> normalization -- that they're often stored in database
Bill> maintained by a subsystem not under the control of the ssh
Bill> server implementor -- also applies to usernames.

SASL believes they should apply to usernames as well.
Kerberos has adopted the same position.

Bill> Is it ever the case that normalization functions would
Bill> change the human-readable representation meaningfully?
Bill> Examples?

I'd expect a normalization profile for passwords to remove direction
markers. I'd expect it to map all forms of white space together.
You'd lose the difference between say a 1 em space and u+0x20, which
would be visible. I'd say anything outside of these sorts of examples
would be a bad idea in a stringprep profile, especially for a security
application.
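
The two mappings described in the message above, as an added Python example that is not part of the original post and does not implement any published stringprep profile. The function names, the choice of bidirectional control characters, and the restriction of "white space" to Unicode space separators (category Zs) are assumptions made for illustration.

```python
import unicodedata

# Bidirectional control characters ("direction markers"). This set is an
# assumption chosen for illustration, not taken from any stringprep profile.
DIRECTION_MARKERS = frozenset(
    [0x061C, 0x200E, 0x200F]
    + list(range(0x202A, 0x202F))   # LRE, RLE, PDF, LRO, RLO
    + list(range(0x2066, 0x206A))   # LRI, RLI, FSI, PDI
)


def normalize_password(password: str) -> str:
    """Drop direction markers and fold every space separator to U+0020."""
    out = []
    for ch in password:
        if ord(ch) in DIRECTION_MARKERS:
            continue                      # invisible; removed outright
        if unicodedata.category(ch) == "Zs":
            out.append("\u0020")          # EM SPACE, NBSP, ... become SPACE
        else:
            out.append(ch)
    return "".join(out)


def changed_code_points(password: str) -> list:
    """Report which input code points normalization removes or remaps."""
    report = []
    for i, ch in enumerate(password):
        if ord(ch) in DIRECTION_MARKERS:
            report.append((i, f"U+{ord(ch):04X}", "removed"))
        elif unicodedata.category(ch) == "Zs" and ch != " ":
            report.append((i, f"U+{ord(ch):04X}", "mapped to U+0020"))
    return report


# Constructed sample inputs: the same passphrase typed three ways.
PLAIN = "open sesame"
EM_SPACE = "open\u2003sesame"              # 1 em space, visibly wider
WITH_RLM = "open\u200f sesame"             # invisible right-to-left mark
```

All three constructed inputs normalize to the same string, so the normalization has to be applied identically when the password is set and when it is checked.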