Re: Textual/non-textual passwords and SASLprep
Michael Ströder writes:
>Hallvard B Furuseth wrote:
>> 
>> Even if the option is "if the password is taken from a file,
>> don't translate" if that's what you have in mind.
> 
> Even if passwords are read from a file they can be textual ;-)

I quite agree, but that seemed to be what you suggested in article
<http://www.openldap.org/lists/ietf-ldapbis/200305/msg00112.html>, which
you referred me to when I asked how to tell if a password was textual.

> and the application MUST have the a-priori knowledge to decide what to
> do with passwords stored in a file. Which mainly boils down to you also
> having to specify your file format exactly, and your application
> following the format correctly.

So the password file contains a mark which says whether the following
password is textual or not, or something like that?  OK.

>> It makes little sense to say, in effect, the client SHALL treat textual
>> and non-textual passwords differently, but not to give the slightest
>> hint how to decide when a password is textual.
> 
> The client does not decide whether an arbitrary password is textual.

That's exactly my point :-)

> The client application simply MUST have the a-priori knowledge about
> passwords being textual or non-textual and whether to apply SASLprep or
> not. Most times the client application locally decides that derived from
> the source (e.g. keyboard, configuration file) the password is received
> from.

OK if that configuration file offers a format which says 'this password
is non-textual'.

> Hallvard, I have to admit that I don't see your problem at all... :-/

I want [Protocol] to either say something about how to decide if a
password is textual or not (even if it's just "it's the client's
responsibility to know this"), or to drop the SHALL/MUST to treat
textual and non-textual passwords differently.

At least, I want someone who writes a client which can bind both as
users with textual passwords and as users with non-textual passwords to
have some clue what is required of them.  For example, am I doing anything wrong if I
declare that passwords given to my client are always non-textual, even
passwords typed in by users, maybe unless the user gives an option
saying they are textual?  That's in violation of what people are saying
about typed-in passwords in this thread, but it's not in violation of
anything [Protocol] says.

-- 
Hallvard
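The point the thread circles around, that the client cannot infer textual versus non-textual from the password itself and must be told, is easiest to see in code. The following is an added example written for this page, not code from the thread, from OpenLDAP, or from any LDAP library. It implements the SASLprep profile as published in RFC 4013 using the stringprep tables that ship in Python's standard library (`stringprep` uses the Unicode 3.2 database that RFC 3454 specifies), and it takes the textual/non-textual decision as an explicit flag supplied by the caller, which is exactly the "a-priori knowledge" (a mark in the password file format, a command-line option) the two writers are arguing about. The sample passwords are constructed for the illustration.

```python
"""Added example: preparing a simple-bind password on the client side.

SASLprep (RFC 4013) is applied only when the caller says the password is
textual; a non-textual password is sent as the octets the caller holds.
Nothing here tries to guess which kind it is: that is the caller's job.
"""
import stringprep
import unicodedata


class SASLprepError(ValueError):
    """A textual password that SASLprep rejects (prohibited code point, bad bidi)."""


# Prohibited-output tables of RFC 4013 section 2.3, from the stdlib stringprep module.
_PROHIBITED = (
    stringprep.in_table_c12,  # non-ASCII space (should all be mapped away below)
    stringprep.in_table_c21,  # ASCII control characters
    stringprep.in_table_c22,  # non-ASCII control characters
    stringprep.in_table_c3,   # private use
    stringprep.in_table_c4,   # non-character code points
    stringprep.in_table_c5,   # surrogate code points
    stringprep.in_table_c6,   # inappropriate for plain text
    stringprep.in_table_c7,   # inappropriate for canonical representation
    stringprep.in_table_c8,   # change display properties / deprecated
    stringprep.in_table_c9,   # tagging characters
)


def saslprep(text: str, allow_unassigned: bool = False) -> str:
    """RFC 4013 SASLprep: map, NFKC-normalize, reject prohibited output, check bidi.

    allow_unassigned=False applies the "stored string" rule of RFC 3454 section 7
    (code points unassigned in Unicode 3.2 are rejected); True gives the looser
    "query" behaviour.
    """
    # Step 1: mapping.  B.1 characters map to nothing, C.1.2 spaces map to U+0020.
    # (B.1 is checked first; U+200B appears in both tables.)
    mapped = []
    for ch in text:
        if stringprep.in_table_b1(ch):
            continue
        mapped.append(" " if stringprep.in_table_c12(ch) else ch)

    # Step 2: NFKC normalization, e.g. U+FB01 (the "fi" ligature) becomes "fi".
    out = unicodedata.normalize("NFKC", "".join(mapped))

    # Step 3: prohibited output and unassigned code points.
    for ch in out:
        if any(table(ch) for table in _PROHIBITED):
            raise SASLprepError("prohibited code point U+%04X" % ord(ch))
        if not allow_unassigned and stringprep.in_table_a1(ch):
            raise SASLprepError("unassigned code point U+%04X" % ord(ch))

    # Step 4: bidi rules of RFC 3454 section 6.
    if any(stringprep.in_table_d1(ch) for ch in out):       # any RandALCat present
        if any(stringprep.in_table_d2(ch) for ch in out):   # ... mixed with LCat
            raise SASLprepError("RandALCat and LCat characters mixed")
        if not (stringprep.in_table_d1(out[0]) and stringprep.in_table_d1(out[-1])):
            raise SASLprepError("RandALCat string must start and end with RandALCat")
    return out


def prepare_bind_password(password, textual: bool) -> bytes:
    """Octets to put in the simple-bind password field.

    textual=True:  `password` is a str; SASLprep it and UTF-8 encode it.
    textual=False: `password` is bytes; send exactly what the caller holds.
    The `textual` flag is the caller's a-priori knowledge (e.g. a mark in the
    password file format or a user-supplied option); it is never inferred here.
    """
    if textual:
        if not isinstance(password, str):
            raise TypeError("a textual password must be given as str")
        return saslprep(password).encode("utf-8")
    if not isinstance(password, (bytes, bytearray)):
        raise TypeError("a non-textual password must be given as bytes")
    return bytes(password)


if __name__ == "__main__":
    # Constructed input: a typed password with the "fi" ligature and a NO-BREAK
    # SPACE.  SASLprep folds both, so it matches a stored "fish cake".
    print(prepare_bind_password("\ufb01sh\u00a0cake", textual=True))   # b'fish cake'
    # Constructed input: a binary password read from a file.  It is not valid
    # UTF-8 and contains NUL; declared non-textual, it goes out untouched.
    raw = b"\x00\xff\x80\x01"
    print(prepare_bind_password(raw, textual=False))
    # Declaring the same octets textual would be wrong: SASLprep rejects NUL.
    try:
        prepare_bind_password(raw.decode("latin-1"), textual=True)
    except SASLprepError as err:
        print("rejected as textual:", err)
```

The two calls in the `__main__` block are the two halves of Hallvard's question: the first password is changed on the wire by SASLprep (U+FB01 and U+00A0 become "fi" and a plain space), the second would be corrupted or rejected if it were treated as text. Which branch runs is decided entirely by the `textual` argument, so whatever the specification ends up saying, a client author still has to get that flag from somewhere: a file format that marks each password, an option like the one Hallvard proposes, or a fixed rule such as "keyboard input is textual".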