On 10/18/11 12:11 PM, Andrew Sullivan wrote:
> On Tue, Oct 18, 2011 at 11:53:43AM -0600, Peter Saint-Andre wrote:
>> On the SAAG list, Mike Parker expressed concerns about mandating that
>> passwords MUST be Unicode, because some systems store passwords as octet
>> strings...
>
> Right. Precis can hardly dictate what programs not implementing its
> specifications do, any more than precis can go back in time and cause
> applications to do this. (Compare this with the IDNA2008 MUSTs: every
> non-compliant fake A-label is still a perfectly good DNS label.
> Indeed, the string "can't" is not a legal IDNA2008 label, but it's a
> valid DNS label anyway.)
>
>> Instead, it's giving protocol designers a common tool for preparing and
>> comparing passwords (and other strings) containing Unicode characters,
>> if they choose to support such things.
>
> Exactly: if you want to do precis, then it MUST be Unicode. Behaviour
> for strings that are not Unicode, including binary blobs and any other
> character encoding, is undefined.

Agreed with all that.

>> However, we might want to provide some text in the security
>> considerations about the desirability (or not) of full-Unicode passwords.
>
> I'm slow, but what's the security consideration? There are
> interoperability considerations: if two applications want to
> co-operate in authentication, then they're going to need to use
> Unicode or make up their own protocol.

Right, it's text about interoperability. Where exactly that belongs is
another matter. I'm happy to add a section about interoperability.

Peter

--
Peter Saint-Andre
https://stpeter.im/

_______________________________________________
precis mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/precis
