FYI. Please join the [email protected] list if you'd like to follow the discussion. I'll report back to the PRECIS WG regarding any conclusions that emerge from the SAAG discussion.
-------- Original Message --------
Subject: [saag] internationalized passwords
Date: Tue, 06 Sep 2011 14:29:29 -0600
From: Peter Saint-Andre <[email protected]>
To: IETF Security Area Advisory Group <[email protected]>

During a discussion related to SASLprep (RFC 4013) on the KITTEN WG list, Nico Williams pointed out that during standardization of the SCRAM SASL mechanism there would not have been consensus to say that passwords must be ASCII (and therefore must not contain Unicode code points outside the traditional ASCII-7 range):

http://www.ietf.org/mail-archive/web/kitten/current/msg02741.html

This issue has also come up in the PRECIS WG, which is working on a generic replacement for stringprep and therefore will (we hope) provide a framework that can be used to replace SASLprep as the recommended way to prepare and compare Unicode code points in passwords. In particular, see Sections 3.2 and 10.4 of draft-ietf-precis-framework-00, which define and provide some security considerations regarding a string class we're calling the "SecretClass":

http://tools.ietf.org/html/draft-ietf-precis-framework-00#section-3.2
http://tools.ietf.org/html/draft-ietf-precis-framework-00#section-10.4

As document editor of draft-ietf-precis-framework, I would appreciate feedback from folks in the Security Area about the proposed "SecretClass". I will forward this message to the PRECIS WG and ask participants in that WG to pay attention on the SAAG list if they're interested in the discussion.

Peter

--
Peter Saint-Andre
https://stpeter.im/

_______________________________________________
saag mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/saag

_______________________________________________
precis mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/precis
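The message above is about why a password "preparation" step such as SASLprep matters once passwords may contain non-ASCII code points. The following is an added illustration, not code from the thread, the PRECIS drafts, or any IETF document: it shows that the same visible password can arrive as different code point sequences (precomposed "é" versus "e" plus a combining acute accent, or a fullwidth letter versus its ASCII form), that a byte-for-byte comparison then fails, and that normalizing both sides first (NFKC, which is the normalization form SASLprep specifies) makes them agree. The `prepare_password` helper only performs the NFKC step and is an approximation of SASLprep, which also maps, prohibits, and bidi-checks code points; the PBKDF2-based verifier mirrors the shape of SCRAM's salted-password derivation but is a simplified stand-in, and the salt and passwords are constructed sample values.

```python
import hashlib
import hmac
import unicodedata


def prepare_password(password: str) -> str:
    """Approximate the preparation step of SASLprep (RFC 4013).

    SASLprep applies Unicode Normalization Form KC so that canonically and
    compatibility-equivalent input sequences compare equal. This helper
    performs only that NFKC step (assumption: the other SASLprep steps,
    mapping, prohibition and bidi checks, are not reproduced here).
    """
    return unicodedata.normalize("NFKC", password)


def naive_check(candidate: str, stored: str) -> bool:
    """Byte-for-byte comparison with no preparation: the behaviour that breaks
    for users whose input method produces a different but equivalent sequence."""
    return candidate == stored


def make_verifier(password: str, salt: bytes, iterations: int = 4096) -> bytes:
    """Derive a stored verifier from the *prepared* password.

    PBKDF2-HMAC-SHA-256 is used here as a simplified stand-in for the
    salted-password derivation a SCRAM-style mechanism performs.
    """
    prepared = prepare_password(password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", prepared, salt, iterations)


def check_password(candidate: str, salt: bytes, verifier: bytes,
                   iterations: int = 4096) -> bool:
    """Verify a candidate by preparing it the same way before deriving and
    comparing in constant time."""
    derived = make_verifier(candidate, salt, iterations)
    return hmac.compare_digest(derived, verifier)


def ascii_only_policy_rejects(password: str) -> bool:
    """What an 'ASCII-only passwords' rule would do to a perfectly ordinary
    non-English password: reject it outright."""
    return not password.isascii()


def demo() -> dict:
    """Run the comparison both ways on constructed sample input."""
    salt = b"constructed-sample-salt"          # constructed, not a real salt
    enrolled = "caf\u00e9"                     # U+00E9, precomposed e-acute
    typed_later = "cafe\u0301"                 # e + U+0301 combining acute
    verifier = make_verifier(enrolled, salt)
    return {
        "naive_match": naive_check(typed_later, enrolled),
        "prepared_match": check_password(typed_later, salt, verifier),
        "fullwidth_A_prepares_to": prepare_password("\uff21"),
        "ascii_policy_rejects_cafe": ascii_only_policy_rejects(enrolled),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point for a verifier implementer: preparation must happen identically at enrolment and at every later login, on both client and server, or equivalent Unicode input will be rejected; restricting passwords to ASCII avoids that problem only by refusing the password altogether.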
