
Re: Textual/non-textual passwords and SASLprep



Kurt D. Zeilenga writes:

> The password element of the protocol is an octet string which may, at
> times, contain character data.  (...)  This, IMO, addresses the
> Internationalization requirements placed upon password element by BCP
> 18 (RFC 2277).

Your first sentence alone satisfies RFC 2277, but then there was no need
to change the [Protocol] about passwords in order to satisfy RFC 2277.

> The protocol relies on the client implementation to distinguish when
> the data is text or non-text.  When text, the client is to "prepare"
> the text for transfer as specified.  When non-text, the client is to
> transfer the data "as is".

Then [Protocol] should explicitly say that.  That is, 'The protocol
relies on the client implementation to distinguish when the data is text
or non-text.'  And that the client needs some way to tell whether a
user-supplied password is text or not.  Which seems to be just another
way to say more or less what I originally suggested, that the client
should have options to decide whether or not to translate and prepare
passwords.  Even if the option is "if the password is taken from a file,
don't translate" if that's what you have in mind.

It makes little sense to say, in effect, the client SHALL treat textual
and non-textual passwords differently, but not to give the slightest
hint how to decide when a password is textual.

When you keep the text vs. non-text issue out of the protocol itself, it
doesn't seem to be an RFC 2277 issue.  On the contrary, when you bring
RFC 2277 into it, it seems to me you are saying that client and server
should have some way to agree on whether or not the passwords are text.
Such interoperability is what RFC 2277 is about.

> In reading the remainder of your comments, I find no new arguments.
> To avoid repeating prior discussions, I won't respond to them.

Hm?  I've read through the 'more SASLprep/protocol problems' thread and
the 'Schema: encrypted 8-bit userPassword and SASLprep' thread, but I
don't find answers to what I wrote.  There may be answers in the message
from you which I quoted at the end, but if so I didn't understand what
you were saying.  That message made very little sense to me, which means
that one or both of us must have misunderstood the other pretty badly.
OTOH, some of it isn't so relevant anymore, just the textual
vs. non-textual issue is.

-- 
Hallvard
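
An added illustration, not part of the original message: the same password octets leave the client differently depending on the text/non-text decision discussed above. `saslprep_subset` and `octets_to_send` are hypothetical names; the subset covers the mapping, NFKC and prohibited-output steps of SASLprep (RFC 4013) and omits the bidi and unassigned-code-point checks.

```python
import stringprep
import unicodedata

# Prohibited-output tables that SASLprep (RFC 4013, section 2.3) lists.
_PROHIBITED = (
    stringprep.in_table_c12, stringprep.in_table_c21_c22,
    stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
    stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
    stringprep.in_table_c9,
)


def saslprep_subset(text: str) -> str:
    """Map, normalize (NFKC) and reject prohibited output.

    Assumption: bidi and unassigned-code-point checks are left out.
    """
    mapped = []
    for ch in text:
        if stringprep.in_table_b1(ch):       # "commonly mapped to nothing"
            continue
        # Non-ASCII space characters are mapped to U+0020.
        mapped.append(" " if stringprep.in_table_c12(ch) else ch)
    out = unicodedata.normalize("NFKC", "".join(mapped))
    for ch in out:
        if any(check(ch) for check in _PROHIBITED):
            raise ValueError(f"prohibited code point U+{ord(ch):04X}")
    return out


def octets_to_send(password: bytes, is_text: bool) -> bytes:
    """Hypothetical client hook; is_text is the choice the client must make."""
    if not is_text:
        return password                       # non-text: transfer "as is"
    # Text: must be valid UTF-8, then prepared before transfer.
    return saslprep_subset(password.decode("utf-8")).encode("utf-8")


# Constructed sample: "pa" + SOFT HYPHEN + "ss" + FULLWIDTH DIGIT ONE.
SAMPLE = "pa\u00adss\uff11".encode("utf-8")

if __name__ == "__main__":
    print("as text:    ", octets_to_send(SAMPLE, is_text=True))
    print("as non-text:", octets_to_send(SAMPLE, is_text=False))
```

If the client that sets the password and the client that later binds with it classify these octets differently, the server is handed two different values for what the user considers one password.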