Re: Unicode in passwords

From: Philippe Verdy <verdy_p_at_wanadoo.fr>
Date: Tue, 6 Oct 2015 15:27:36 +0200

And there are severe issues in this RFC for its case mapping profile: it
requires converting "uppercase" characters to "lowercase", but these
properties are not stable (see for example the history of Cherokee letters,
changed from gc=Lo to gc=Lu when lowercase letters were added and with case
pairs added at the same time, see also the addition of the capital sharp S
for German).

That RFC should have used the Unicode "Case Folding" algorithm which is
stable (case folded strings are NOT necessarily all lowercase, they are
just guaranteed to keep a single case variant, and case folding implies the
use of compatibility normalization forms, i.e. NFKC or NFKD, to get the
correct closure: the standard Unicode normalizations are also stable)!

2015-10-06 10:48 GMT+02:00 Stephane Bortzmeyer <bortzmeyer_at_nic.fr>:

> On Tue, Oct 06, 2015 at 12:57:51PM +0900,
> Yoriyuki Yamagata <yoriyuki.yamagata_at_aist.go.jp> wrote
> a message of 33 lines which said:
>
> > FYI, IETF is working on this issue. See Internet Draft
> > https://tools.ietf.org/html/draft-ietf-precis-saslprepbis-17 based
> > on PRECIS framework RFC 7564 https://tools.ietf.org/html/rfc7564
>
> As already mentioned on that list, the draft is no longer a draft, it
> was published as an RFC, RFC 7613, two months ago
> <http://www.rfc-editor.org/rfc/rfc7613.txt>
>
Received on Tue Oct 06 2015 - 08:29:02 CDT
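
The difference between lowercase mapping and case folding raised in the message above, as an added Python example that is not part of the original message or of RFC 7613. The function names and sample identifiers are constructed for illustration, `fold_key` only approximates Unicode's toNFKC_Casefold, and the Cherokee result assumes a runtime with Unicode 8.0 or later data.

```python
import unicodedata
from collections import defaultdict


def lower_key(s: str) -> str:
    """Comparison key from plain lowercase mapping (str.lower), then NFC."""
    return unicodedata.normalize("NFC", s.lower())


def fold_key(s: str) -> str:
    """Comparison key from full case folding combined with NFKC.

    NFKC is applied before and after folding; this is a simple
    approximation of toNFKC_Casefold, not an exact implementation.
    """
    nfkc = unicodedata.normalize("NFKC", s)
    return unicodedata.normalize("NFKC", nfkc.casefold())


def groups(names, key):
    """Return the sets of names that compare equal under the given key."""
    buckets = defaultdict(list)
    for name in names:
        buckets[key(name)].append(name)
    return [sorted(v) for v in buckets.values() if len(v) > 1]


# Constructed sample identifiers (not taken from the thread):
SAMPLE = [
    "Straße",         # U+00DF LATIN SMALL LETTER SHARP S
    "STRASSE",
    "STRA\u1e9eE",    # U+1E9E LATIN CAPITAL LETTER SHARP S
    "\uff21dmin",     # U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
    "admin",
    "\u13a0",         # CHEROKEE LETTER A (capital since Unicode 8.0)
    "\uab70",         # CHEROKEE SMALL LETTER A (added in Unicode 8.0)
]

if __name__ == "__main__":
    print("Unicode data version:", unicodedata.unidata_version)
    for label, key in (("lowercase", lower_key), ("casefold+NFKC", fold_key)):
        print(label)
        for group in groups(SAMPLE, key):
            print("   equal:", ", ".join(ascii(n) for n in group))
```

Under the lowercase key, "STRASSE" stays distinct from the two sharp-S spellings and the fullwidth spelling stays distinct from "admin"; under the folding key each of those sets collapses to one value, and the Cherokee pair folds to the capital letter rather than the lowercase one.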
