On 10.09.2013 16:06, Nico Williams wrote:

> This is the third time, I think, that I've had to voice my vehement
> objections to this. I thought we were done the second time. I believe
> SASL applications and mechanisms MUST NOT do the above, not on the
> client side, and that the server should be allowed to do what it wishes.
> The only exception is for password (and salt) processing in
> DIGEST/SCRAM-like mechanisms where keys are derived from passwords on
> the client- (and server-) sides, therefore canonical password
> representations are desirable, and even then, case folding would be
> nothing short of -- and I must be utterly frank here -- stupid, as it
> means dropping entropy needlessly.
>
> The argument I made before was that we need to distinguish between
> query, display, and storage strings. If a username must be
> canonicalized then this should be done where it must be used as a
> database/directory lookup key or as a cryptographic salt (where roughly
> the same considerations as for passwords used to derive keys apply). We
> should delay canonicalization as much as possible so as to support the
> server operator's choice of canonicalization. I've mentioned before
> that many online games allow all sorts of username forms that we'd
> consider silly in an enterprise environment, but in online gaming they
> are quite desirable as a form of styling. Let's not put a
> straightjacket on users of this string preparation -- let each operator
> pick their poison as much as possible.

I'm a bit confused. My impression is that the draft already contains text very much in that spirit:

« SASL mechanisms that directly re-use this profile MUST specify whether and when case mapping is to be applied to authentication identifiers. SASL mechanisms SHOULD delay any case mapping to the last possible moment, such as when doing a lookup by username, username comparisons, or generating a cryptographic salt from a username. In keeping with RFC4422, SASL mechanisms are not to apply this or any other profile to authorization identifiers. »

While online games might not always want case folded strings, I doubt having two usernames that differ only in case is ever desirable.

_______________________________________________
precis mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/precis
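As an added illustration of the principle the quoted draft text describes (this is example code written for this page, not code from the thread, the draft, or any PRECIS implementation), the sketch below keeps the username exactly as the user entered it for display, and applies case mapping only at the last moment: when building a directory lookup key, when comparing two usernames, or when deriving a salt. The operator chooses the policy through a constructor flag, so a game server can keep "Alice" and "alice" distinct while an enterprise directory rejects the second as a collision. Python's `str.casefold()` and NFC normalization are assumptions standing in for whatever case mapping and normalization the profile itself would prescribe; the `UserDirectory` class and its method names are invented for this example.

```python
import unicodedata


def display_form(username: str) -> str:
    """Storage/display string: normalized to NFC for stable storage, never case-mapped."""
    # Assumption: NFC is used as the storage normalization; the draft's own
    # normalization rules may differ.
    return unicodedata.normalize("NFC", username)


def lookup_key(username: str, fold_case: bool) -> str:
    """Query string: case mapping is applied here, at lookup time, and only if the
    operator has chosen a case-insensitive policy."""
    normalized = unicodedata.normalize("NFC", username)
    # Assumption: str.casefold() stands in for the profile's case mapping.
    return normalized.casefold() if fold_case else normalized


class UserDirectory:
    """A minimal directory that stores the display form and keys lookups on the
    late-mapped query form. Example code, not a real directory API."""

    def __init__(self, fold_case: bool = True):
        self.fold_case = fold_case          # operator's choice of canonicalization
        self._by_key: dict[str, str] = {}   # lookup key -> display form

    def register(self, username: str) -> str:
        """Store a new user. Raises ValueError when the username collides with an
        existing one under the operator's chosen policy (e.g. differs only in case)."""
        key = lookup_key(username, self.fold_case)
        if key in self._by_key:
            raise ValueError(
                f"username {username!r} collides with existing user "
                f"{self._by_key[key]!r} under the current case policy"
            )
        self._by_key[key] = display_form(username)
        return self._by_key[key]

    def lookup(self, username: str):
        """Return the stored display form for a query string, or None."""
        return self._by_key.get(lookup_key(username, self.fold_case))

    def same_user(self, a: str, b: str) -> bool:
        """Username comparison, mapped at comparison time rather than at entry."""
        return lookup_key(a, self.fold_case) == lookup_key(b, self.fold_case)

    def salt_for(self, username: str) -> bytes:
        """Derive a salt from the username at the point of use, so that the salt is
        stable across case variants only when the operator's policy says they are
        the same account. (Constructed example; a real mechanism would combine this
        with its own salt rules.)"""
        return lookup_key(username, self.fold_case).encode("utf-8")


if __name__ == "__main__":
    enterprise = UserDirectory(fold_case=True)
    enterprise.register("Alice")
    print(enterprise.lookup("ALICE"))        # 'Alice': display form preserved
    try:
        enterprise.register("alice")
    except ValueError as err:
        print("rejected:", err)

    game = UserDirectory(fold_case=False)
    game.register("xXx_Alice_xXx")
    game.register("xxx_alice_xxx")           # distinct accounts under this policy
    print(game.lookup("XXX_ALICE_XXX"))      # None: no mapping was applied
```

The point of keeping `display_form` and `lookup_key` separate is that the stored string never loses the user's chosen styling, while the collision check in `register` still prevents two accounts that differ only in case when the operator wants that guarantee; switching policy later only requires rebuilding the key index, not rewriting stored usernames.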
