A couple of comments on draft-ietf-precis-saslprepbis-09:

1. Is the ABNF in terms of bytes or Unicode code points?
<userpart> seems to be in bytes as it is 1 or more <idbyte>s.
<password> seems that it might be in code points as it is one or more <freepoint>s, where a <freepoint> is a UTF-8 encoded Unicode code point. But it mentions UTF-8, which would be unnecessary if it is in code points. Byte-based rules don't seem to make much sense as UTF-8 requires bytes in a specific order.
I suggest writing the ABNF in terms of Unicode code points, and explicitly stating this.

2. The ABNF for <username> is:

   username = userpart [1*(1*SP userpart)]

The 2nd term is an optional sequence of 1 or more things. Isn't that the same as 0 or more things? I suggest simplifying the ABNF to:

   username = userpart *(1*SP userpart)

3. Is there ABNF for <freepoint> and <idbyte>? These 2 rules are used, but not defined. Perhaps the only definition is the comment that follows their use? If so, could that be stated a bit more explicitly so readers don't hunt through other precis docs and references looking for them?

4. Empty password. An empty password is not secure, but a 1-char password isn't appreciably better. What is the reason for saying "a password MUST NOT be zero bytes in length"? I would drop this requirement.

--
James Manger
