IETF-SSH archive


Re: Normalization of passwords in SASL and SSH



Sam Hartman wrote:
> 
> Hi.  A discussion in the IETF 61 secsh meeting re-opened the issue of
> how to handle password normalization for passwords received by the
> server.  The ssh protocol had adopted a significantly different
> solution to this problem than the sasl plain mechanism.  This concerns
> me; I want to either solve the problem of password normalization in a
> consistent manner or to understand why the ssh requirements are
> different than the sasl requirements.  

What are the threats that this normalisation is intended to address?

I'm wary of any recommendations to substantively change the protocol,
especially ones that require implementation of a 91-page RFC
(stringprep) + SASLprep in the privileged path of a server.

-d


