Re: Unicode in passwords

From: Philippe Verdy <verdy_p_at_wanadoo.fr>
Date: Wed, 7 Oct 2015 13:46:06 +0200

2015-10-07 13:16 GMT+02:00 Stephane Bortzmeyer <bortzmeyer_at_nic.fr>:

> On Tue, Oct 06, 2015 at 10:53:00PM +0200,
> Philippe Verdy <verdy_p_at_wanadoo.fr> wrote
> a message of 72 lines which said:
>
> > it is highly preferable to extend the character repertoire to
> > Unicode and accept letters in NFKC form and unified by case folding
>
> As I said before, "the ship has sailed". RFC 7613 has been published,
> and uses NFC and case preservation. It is IMHO useless to reopen this
> discussion.
>

Reread the RFC: it discusses the case-insensitive profile using NFC and
conversion to lowercase; this is the bug.

>
> > the recent RFC that forgot the issue: its case-insensitive profile
> > based on NFC and conversion to lowercase is definitely broken!)
>
> What is broken is your analysis. RFC 7613 does not convert passwords
> to lowercase. Indeed, it says exactly the opposite, which seems to
> indicate that you did not read it before calling it broken:
>
> Case-Mapping Rule: Uppercase and titlecase characters MUST NOT be
> mapped to their lowercase equivalents.
>

You are reading the other section for the case-sensitive profile (in
SASLprep, section 6.1), which is absolutely not forbidden for user names,
and already an established practice for too many decades (email
addresses, local user names in Windows...), and this very new RFC will not
change this practice before very long.
Received on Wed Oct 07 2015 - 06:47:28 CDT
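The disagreement in this thread is about which canonical form a server should compute before comparing or hashing a password or user name. The following Python script is an added example, not code from the thread or from RFC 7613; it models only the normalization and case steps of the three positions discussed (NFC with case preserved, NFC plus lowercase, NFKC plus case folding), using the standard `unicodedata` module and `str.casefold()`. The policy names and the sample strings are constructed for illustration; a real PRECIS profile also applies width mapping, prohibited-character and bidi rules that are omitted here.

```python
import unicodedata

# Constructed policy names; each maps an input string to the form that would be
# compared, or fed to the password hash, under that policy.
POLICIES = {
    # NFC, case kept as typed (the position Bortzmeyer attributes to RFC 7613)
    "nfc_preserve": lambda s: unicodedata.normalize("NFC", s),
    # NFC then simple lowercasing (the profile Verdy calls broken)
    "nfc_lower": lambda s: unicodedata.normalize("NFC", s).lower(),
    # NFKC then full Unicode case folding (Verdy's preferred unification)
    "nfkc_casefold": lambda s: unicodedata.normalize("NFKC", s).casefold(),
}


def canonical(s: str, policy: str) -> str:
    """Return the comparison form of s under the named policy."""
    return POLICIES[policy](s)


def equivalent(a: str, b: str, policy: str) -> bool:
    """True when a and b would be accepted as the same secret under the policy."""
    return canonical(a, policy) == canonical(b, policy)


def collisions(strings, policy: str):
    """Group strings by canonical form; return the groups with more than one member.

    Each group is a set of distinct inputs the policy treats as identical, which
    is exactly the trade-off in the thread: more unification means fewer login
    failures from keyboard or IME differences, but more inputs share one stored
    credential.
    """
    groups = {}
    for s in strings:
        groups.setdefault(canonical(s, policy), []).append(s)
    return [members for members in groups.values() if len(members) > 1]


# Constructed samples covering the cases each policy handles differently:
# German sharp s vs "SS", the U+FB01 "fi" ligature vs "fi", a precomposed vs a
# decomposed e-acute, and a plain case difference.
SAMPLES = [
    "Stra\u00dfe", "STRASSE", "strasse",
    "\ufb01le", "file",
    "caf\u00e9", "cafe\u0301",
    "Password", "password",
]

if __name__ == "__main__":
    for name in POLICIES:
        print(name, collisions(SAMPLES, name))
```

Note that `str.lower()` leaves "ß" and the "ﬁ" ligature untouched, while `str.casefold()` expands them, so the NFC-plus-lowercase policy unifies strictly less than NFKC-plus-casefold; whichever policy a deployment picks, the same `canonical()` step must run at enrollment and at every verification, or correctly typed credentials will be rejected.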

This archive was generated by hypermail 2.2.0 : Wed Oct 07 2015 - 06:47:28 CDT