IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Normalization of passwords in SASL and SSH
>> Hi. A discussion in the IETF 61 secsh meeting re-opened the issue
>> of how to handle password normalization for passwords received by
>> the server.
As an implementer, writing code for use on systems where usernames and
passwords as handled by the OS are octet sequences rather than
character sequences, I think that any such specification is a mistake.
If such language survives, I will have to either blow off conformance
to that aspect of the spec or simply reject non-ASCII usernames and
passwords out of hand, since for non-ASCII strings I have no way, no
way whatsoever, to tell whether the octet sequence stored in the OS's
database corresponds in any useful way to the character sequence I get
on the wire. (The information regarding what, if any, characters those
octet sequences are intended to correspond to quite probably is not
stored anywhere except human minds.)
Similar remarks apply to file names.
Not to mention that, as Damien points out, any such normalization, even
on systems where usernames and passwords _are_ character sequences,
involves a lot of complexity in a rather critical path.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents.montreal.qc.ca@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Home |
Main Index |
Thread Index |
Old Index