IETF-SSH archive


Re: Normalization of passwords in SASL and SSH
>> Hi.  A discussion in the IETF 61 secsh meeting re-opened the issue
>> of how to handle password normalization for passwords received by
>> the server.

As an implementer, writing code for use on systems where usernames and
passwords as handled by the OS are octet sequences rather than
character sequences, I think that any such specification is a mistake.
If such language survives, I will have to either blow off conformance
to that aspect of the spec or simply reject non-ASCII usernames and
passwords out of hand, since for non-ASCII strings I have no way, no
way whatsoever, to tell whether the octet sequence stored in the OS's
database corresponds in any useful way to the character sequence I get
on the wire.  (The information regarding what, if any, characters those
octet sequences are intended to correspond to quite probably is not
stored anywhere except human minds.)

Similar remarks apply to file names.

Not to mention that, as Damien points out, any such normalization, even
on systems where usernames and passwords _are_ character sequences,
involves a lot of complexity in a rather critical path.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse%rodents.montreal.qc.ca@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
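The mismatch the message describes, as an added illustration that is not part of the thread: the server can only compare octets against what the OS stored, and a mandated Unicode normalization (NFC here) on the wire side can make a correct password fail, or cannot even be applied, when the stored octets were written under a different form or encoding. The sample password and stored database entries are constructed; the example assumes the wire password arrives as UTF-8, as the SSH authentication spec prescribes.

```python
import unicodedata

# Added example (not code from the thread or any SSH implementation): why
# normalizing the wire-side password does not help when the OS stores
# passwords as opaque octet sequences.

def utf8_octets(text: str, form: str) -> bytes:
    """UTF-8 octets of `text` after Unicode normalization to `form` (NFC or NFD)."""
    return unicodedata.normalize(form, text).encode("utf-8")

# Constructed sample: the user types the same visible password; one client
# sends it precomposed (NFC), another decomposed (NFD). Both are valid UTF-8.
TYPED = "caf\u00e9"                        # "café"
WIRE_NFC = utf8_octets(TYPED, "NFC")       # b"caf\xc3\xa9"
WIRE_NFD = utf8_octets(TYPED, "NFD")       # b"cafe\xcc\x81"

# Constructed sample OS database entries. Nothing records which characters
# (or which encoding) these octets were meant to be.
STORED_NFD_UTF8 = b"cafe\xcc\x81"          # set from a client that sent NFD
STORED_LATIN1 = b"caf\xe9"                 # set long ago from a Latin-1 terminal


def verify_raw(wire: bytes, stored: bytes) -> bool:
    """Octet-for-octet comparison: the only check an octet-based OS supports."""
    return wire == stored


def verify_normalized(wire: bytes, stored: bytes, form: str = "NFC") -> bool:
    """Normalize the wire password to `form` before comparing, as a spec might
    mandate. The stored side cannot be normalized: its characters are unknown."""
    normalized = utf8_octets(wire.decode("utf-8"), form)
    return normalized == stored


def stored_is_interpretable_as_utf8(stored: bytes) -> bool:
    """Whether the stored octets could even be handed to a Unicode normalizer."""
    try:
        stored.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def outcomes() -> dict:
    """Summarize what each policy does against each stored form."""
    return {
        # identical octets on both sides: raw compare works, NFC policy breaks it
        "raw_nfd_vs_nfd": verify_raw(WIRE_NFD, STORED_NFD_UTF8),
        "nfc_policy_nfd_vs_nfd": verify_normalized(WIRE_NFD, STORED_NFD_UTF8, "NFC"),
        # Latin-1 octets: no policy can match, and normalization cannot even start
        "raw_nfc_vs_latin1": verify_raw(WIRE_NFC, STORED_LATIN1),
        "latin1_decodable": stored_is_interpretable_as_utf8(STORED_LATIN1),
    }


if __name__ == "__main__":
    for name, result in outcomes().items():
        print(f"{name}: {result}")
```

The first pair of results shows a user locked out purely because the server started normalizing; the second shows that for stored octets that were never UTF-8, a normalization step has nothing to operate on, which is the implementer's point about rejecting non-ASCII credentials outright rather than guessing.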
