On Tue, Oct 18, 2011 at 11:53:43AM -0600, Peter Saint-Andre wrote:

> On the SAAG list, Mike Parker expressed concerns about mandating that
> passwords MUST be Unicode, because some systems store passwords as octet
> strings...

Right. Precis can hardly dictate what programs not implementing its specifications do, any more than precis can go back in time and cause applications to do this. (Compare this with the IDNA2008 MUSTs: every non-compliant fake A-label is still a perfectly good DNS label. Indeed, the string "can't" is not a legal IDNA2008 label, but it's a valid DNS label anyway.)

> Instead, it's giving protocol designers a common tool for preparing and
> comparing passwords (and other strings) containing Unicode characters,
> if they choose to support such things.

Exactly: if you want to do precis, then it MUST be Unicode. Behaviour for strings that are not Unicode, including binary blobs and any other character encoding, is undefined.

> However, we might want to provide some text in the security
> considerations about the desirability (or not) of full-Unicode passwords.

I'm slow, but what's the security consideration? There are interoperability considerations: if two applications want to co-operate in authentication, then they're going to need to use Unicode or make up their own protocol.

A

--
Andrew Sullivan
[email protected]
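An added illustration of the interoperability point above (this is not code from the thread or from any PRECIS implementation): one peer compares passwords as raw octets, the other applies a simplified Unicode preparation step (UTF-8 decoding, NFC normalization, control-character rejection), which is an assumption standing in for a real PRECIS profile. The same keyboard input gets different answers on the two sides, and an octet string that is not Unicode has no defined outcome on the Unicode side, so it is rejected rather than compared.

```python
import unicodedata


def prepare_password(raw: bytes) -> str:
    """Simplified PRECIS-style preparation (assumption, not a real profile).

    A password is only meaningful to this step if it is Unicode; a non-UTF-8
    octet string has no defined behaviour here, so it is refused outright.
    """
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("not a Unicode string; behaviour undefined") from exc
    if not text:
        raise ValueError("empty password")
    # Canonical composition so that two keyboards' spellings compare equal.
    text = unicodedata.normalize("NFC", text)
    # Treat every "C*" (control, format, unassigned...) code point as disallowed.
    if any(unicodedata.category(ch).startswith("C") for ch in text):
        raise ValueError("disallowed code point")
    return text


def octet_compare(stored: bytes, supplied: bytes) -> bool:
    """What an octet-string system does: byte-for-byte equality, nothing else."""
    return stored == supplied


def precis_compare(stored: bytes, supplied: bytes) -> bool:
    """What a Unicode-preparing peer does: prepare both sides, then compare."""
    return prepare_password(stored) == prepare_password(supplied)


def compare_outcome(stored: bytes, supplied: bytes) -> str:
    """Tri-state result for the Unicode peer: match, mismatch, or undefined."""
    try:
        return "match" if precis_compare(stored, supplied) else "mismatch"
    except ValueError:
        return "undefined"


# Constructed samples: the same word typed on two keyboards, one producing
# precomposed U+00E9 (NFC), the other "e" plus combining acute (NFD).
NFC_FORM = "caf\u00e9".encode("utf-8")
NFD_FORM = "cafe\u0301".encode("utf-8")
# Constructed non-Unicode blob: Latin-1 "é" (0xE9), which is not valid UTF-8.
LATIN1_BLOB = b"caf\xe9"
```

The octet peer is internally consistent (the Latin-1 blob matches itself) but cannot agree with the Unicode peer on either sample, which is exactly the "use Unicode or make up your own protocol" choice.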
