IETF-SSH archive


Re: Normalization of passwords in SASL and SSH



>>>>> "Damien" == Damien Miller <djm%mindrot.org@localhost> writes:

    Damien> Sam Hartman wrote:
    >>  Hi.  A discussion in the IETF 61 secsh meeting re-opened the
    >> issue of how to handle password normalization for passwords
    >> received by the server.  The ssh protocol had adopted a
    >> significantly different solution to this problem than the sasl
    >> plain mechanism.  This concerns me; I want to either solve the
    >> problem of password normalization in a consistent manner or to
    >> understand why the ssh requirements are different than the sasl
    >> requirements.

    Damien> What are the threats that this normalisation is intended
    Damien> to address?

This isn't about threats so much as interoperability.  From an
internationalization standpoint, we desire that if a user enters their
password it will work regardless of what OS and client software they
used to enter their password.  Doing so requires normalization.


Note that stringprep is already required by IDN.  I suspect that we're
going to end up needing implementations of IDN suitable for running in
the TCB of a host even if ssh implementations do not end up needing
IDN on the server side.


Also, the normalization step does not strictly need to run in the
privilege domain of the rest of the authentication component.
Normalization is an operation on a string, yielding a string,
requiring access only to a variety of tables.  You want to isolate the
normalization performed on behalf of one authentication context from
that done on behalf of another context.  

--Sam
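
The interoperability problem described in the message above, as an added example that is not part of the original post: two clients encode the same typed password differently, and a stringprep-based step makes the server see one string. It assumes the SASLprep profile (RFC 4013) with stored-string handling, built on Python's standard stringprep tables; the function names and sample passwords are constructed for illustration.

```python
import stringprep
import unicodedata

# Prohibited-output tables of the SASLprep profile (RFC 4013, section 2.3).
_PROHIBITED = (
    stringprep.in_table_c12, stringprep.in_table_c21_c22,
    stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
    stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
    stringprep.in_table_c9,
)


def saslprep(password: str) -> str:
    """String in, string out: map, NFKC-normalize, reject prohibited output."""
    mapped = []
    for ch in password:
        if stringprep.in_table_b1(ch):          # B.1: mapped to nothing
            continue
        # C.1.2: non-ASCII spaces are mapped to U+0020
        mapped.append(" " if stringprep.in_table_c12(ch) else ch)
    # stringprep is defined against Unicode 3.2, so use that database.
    out = unicodedata.ucd_3_2_0.normalize("NFKC", "".join(mapped))
    for ch in out:
        # A.1 (unassigned) is rejected here: stored-string handling.
        if stringprep.in_table_a1(ch) or any(t(ch) for t in _PROHIBITED):
            raise ValueError(f"prohibited code point U+{ord(ch):04X}")
    # Bidi rule: with any RandALCat character present, no LCat character
    # is allowed and the first and last characters must be RandALCat.
    if any(stringprep.in_table_d1(ch) for ch in out):
        if any(stringprep.in_table_d2(ch) for ch in out) or not (
                stringprep.in_table_d1(out[0])
                and stringprep.in_table_d1(out[-1])):
            raise ValueError("bidirectional rule violated")
    return out


def server_view(password: str, normalize: bool) -> bytes:
    """Bytes the authentication component would hash or compare."""
    return (saslprep(password) if normalize else password).encode("utf-8")


# Constructed samples: the same password as two clients might send it.
CLIENT_A = "caf\u00e9\u00a0pa\u00adss"   # precomposed e-acute, NBSP, soft hyphen
CLIENT_B = "cafe\u0301 pass"             # decomposed e-acute, ASCII space

if __name__ == "__main__":
    print(server_view(CLIENT_A, False) == server_view(CLIENT_B, False))
    print(server_view(CLIENT_A, True) == server_view(CLIENT_B, True))
```

saslprep() touches only its input string and the Unicode tables, so it can be called from a separate, less privileged process per authentication context.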



