Sam Hartman wrote:

> The consensus of the SASL and Kerberos communities has been different.
> In particular, these communities believe that it is strongly desirable
> that the same password when entered on two different systems actually
> work.

Well, yes. But is it a real problem, or a theoretical issue?

RADIUS has had over a decade of experience in authenticating pretty much everyone who accesses the Internet. Internationalization issues with usernames or passwords just haven't been encountered. I'm wary of trying to create a solution where the existing deployments show no problems.

I know of multiple RADIUS / EAP implementations outside of North America, with 15 million or more users. The largest Kerberos implementation I've heard of was about a million users. I think that RADIUS has pretty well searched the space of potential internationalization issues.

> To get that, you need to deal with issues like normalization.
> Otherwise, if you use a system with input methods that produce
> combined characters you will get different results than if you use
> input methods that produce decomposed characters.

For EAP methods, the majority of users are using a small number of input systems for almost all authentications, e.g. a laptop. They enter the password once, and it's cached for the next time. Even if they have to enter the password again, they will likely do so on a similar system. So whatever format is used the first time is the same format they use for subsequent authentications.

This doesn't solve the problem, but it makes the problem much less likely to appear.

> At some level, this is an implementation issue for the server.
> However to support the server, you definitely need to label the
> character set, discuss any normalization that the client should do
> (often none) and set interoperability goals.

The whole composed / decomposed thing is a nightmare for passwords.

Alan DeKok.
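
The composed / decomposed mismatch discussed in this thread, as an added example that is not part of the original message: the same visible password typed as precomposed and as combining characters produces different UTF-8 bytes, so a verifier derived from the raw bytes rejects the second form unless both sides normalize first. The sample password, salt, iteration count and the choice of NFC are assumptions made for the illustration; the thread does not name a normalization form.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample: one visible password, produced by two input methods.
COMPOSED = "caf\u00e9-2006"      # U+00E9, precomposed e-acute
DECOMPOSED = "cafe\u0301-2006"   # "e" followed by U+0301 combining acute

SALT = b"constructed-salt"       # fixed only so the example is reproducible
ITERATIONS = 100_000


def derive(password: str, normalize: bool) -> bytes:
    """Derive a verifier from the UTF-8 bytes of the password.

    With normalize=True the string is brought to NFC first (assumed choice),
    so composed and decomposed input yield the same bytes.
    """
    if normalize:
        password = unicodedata.normalize("NFC", password)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, ITERATIONS)


def verify(stored: bytes, attempt: str, normalize: bool) -> bool:
    """Constant-time comparison of the stored verifier with a login attempt."""
    return hmac.compare_digest(stored, derive(attempt, normalize))


def demo() -> dict:
    """Enroll with the composed form, then log in with the decomposed form."""
    raw_stored = derive(COMPOSED, normalize=False)
    norm_stored = derive(COMPOSED, normalize=True)
    return {
        "bytes_differ": COMPOSED.encode("utf-8") != DECOMPOSED.encode("utf-8"),
        "raw_accepts_decomposed": verify(raw_stored, DECOMPOSED, normalize=False),
        "normalized_accepts_decomposed": verify(norm_stored, DECOMPOSED, normalize=True),
        "normalized_rejects_wrong": not verify(norm_stored, "cafe-2006", normalize=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Normalization has to be applied at enrollment as well as at login; a verifier stored from un-normalized input keeps the mismatch for that account.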