UTF8 username/password issue summary

To: "ietf-ssh%netbsd.org@localhost" <ietf-ssh%netbsd.org@localhost>
Subject: UTF8 username/password issue summary
From: Bill Sommerfeld <sommerfeld%sun.com@localhost>
Date: Sun, 06 Mar 2005 16:21:19 -0600

The current userauth document specifies the use of unnormalized UTF-8 on
the wire and recommends the use of saslprep to normalize them on the server
end.  This allows for considerable flexibility in implementation; for
passwords, you may even be able to store per-user hints for this
normalization.  Ultimately, however, local OS considerations on the server
will dominate and may constrain what can be done on the server.

There was considerable discussion of this approach in Jan/Feb of this year.

My conclusion from this discussion is that there is no known technical problem with a "just send unnormalized utf8" approach; however,
because there's a general shortage of implementation experience 
with non-USASCII usernames and passwords, I don't have a whole lot of confidence that it won't need tweaks in the future.  

As an aside, the userauth doc mentions the normalization issue for user 
names only in passing (during the password discussion).

						- Bill

Prev by Date: Re: Where to find protocol spec for SCP under SSH-1
Next by Date: Re: Key lengths for algorithms for variable-length keys
Previous by Thread: Where to find protocol spec for SCP under SSH-1
Next by Thread: MP3 audio streaming for IETF 62
Indexes:

Home | Main Index | Thread Index | Old Index