Simon Josefsson wrote: > Perhaps you want to consider an approach where passwords are normalized > using Net-UTF-8 and usernames are sent as-is but mandate that > username-to-username comparisons use Net-UTF-8 on both strings before > comparing them.
I would like to see some more details around this suggestion. Issues of data entry (user -> keyboard -> ?? -> EAP) and user store (admin -> keyboard -> ??? -> database) are important. Something like: The canonical form of the username and password as carried in EAP or placed in an authentication store SHOULD be Net-UTF-8. In practice, this means that the supplicant converts both to Net-UTF-8 prior to placing them in an EAP packet. It means that an authentication system converts them to Net-UTF-8 prior to placing them in a data store. It means that the data store treats them as an opaque sequence of bytes, and does *not* mangle them in any way. It means that any cryptographic calculations based on the passwords must be done on the Net-UTF-8 form. i.e. whatever a supplicant places in the packet is considered by the authenticator to be the "canonical" form of the username and password. Having the authenticator canonicalize the username or password that is takes from an EAP packet is a recipe for disaster. > Username and passwords strings are somewhat different beasts, and it > does not necessarily make sense to use the same normalization or > comparison algorithms for both strings. Why not? memcmp(s1, s2, length) would be fine if we assume that the strings are both canonicalized *before* the comparison is done. Stating *who* does the canonicalization ensures that only a limited number of entities do the canonicalization, which minimizes errors and inter-operability. The nice thing about that requirement is that it is very compatible with sites choosing to not use Net-UTF-8. If they choose to put something else in a DB as the authentication credentials, it will work so long as the supplicant puts exactly the same data into the EAP packet. Alan DeKok. _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
