
Schema: encrypted 8-bit userPassword and SASLprep

[Schema] 2.41 (userPassword) says:

   The application SHOULD prepare textual strings used as passwords
   by transcoding them to Unicode, applying SASLprep [SASLprep], and
   encoding as UTF-8.

This is incompatible with passwords written in 8-bit character sets and
stored encrypted in files that cannot easily be decrypted, e.g. Unix
/etc/passwd files.  Since the server does not know the plaintext
passwords, it cannot prepare them as above.

Well, in some cases the server could convert the bind passwords back
from UTF-8 to a locally configured character set.  But I think that's an
ugly hack, and an impossible one on multi-charset sites (or rather,
servers that serve several different sites on one campus that have
different default character sets.)  I don't want the standard to mandate
that.

So I suggest that this be added:

   The application SHOULD also provide an option to turn off such
   preparation of passwords.

The alternative would be to force sites as above to write their own
applications, which is not always feasible.  We can hardly expect them
to write their own version of Netscape, for example.

-- 
Hallvard