I'd like to see if we can close on this issue soon. The main use case we are targeting is one where the password is sent to the server. We do not know how the server will do the comparison. Given that this is a requirement document I don't think we need to have the full solution described. Can you two work out some proposed text to go in the requirements document on this issue with usernames and passwords?
Thanks,
Joe

> -----Original Message-----
> From: emu-boun...@ietf.org [mailto:emu-boun...@ietf.org] On Behalf Of Simon Josefsson
> Sent: Friday, September 25, 2009 3:56 AM
> To: Alan DeKok
> Cc: emu@ietf.org
> Subject: Re: [Emu] Revised sections for Issue #18 (Internationalization)
>
> Alan DeKok <al...@deployingradius.com> writes:
>
> > Simon Josefsson wrote:
> >> Right. My point is that the one needs to weigh this approach to a
> >> system which does not use normalization but instead uses
> >> internationalized comparison rules.
> >
> > How do you do internationalized comparisons on hashed passwords?
> >
> > All you have is the hash. And if the passwords input to the hash
> > aren't the same (i.e. non-normalized), then you're *guaranteed* that
> > the hashes won't match.
>
> Right. Hashed passwords is one example of when internationalized
> comparisons wouldn't work. I'm sorry if this wasn't clear in my
> earlier note.
>
> However there is a risk that normalization _introduces_ differences:
> if two systems use different normalization algorithms that lead to
> different outputs for the same input, the hashes won't match either.
>
> /Simon
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
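Added example, not part of the original thread: the two failure modes discussed above (un-normalized input to a hash, and two systems normalizing differently), shown with a salted PBKDF2 hash. The choice of NFC and NFKC as the two "different normalization algorithms", the sample password, the salt and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import unicodedata
from typing import Optional

SALT = b"constructed-salt"  # constructed sample value, not from the thread


def hash_password(password: str, form: Optional[str]) -> bytes:
    """Optionally normalize, UTF-8 encode, then derive PBKDF2-HMAC-SHA256."""
    if form is not None:
        password = unicodedata.normalize(form, password)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 10_000)


def verify(stored: bytes, attempt: str, form: Optional[str]) -> bool:
    """The server only has the hash, so the comparison is byte-for-byte."""
    return hmac.compare_digest(stored, hash_password(attempt, form))


# Constructed input: the same visible password typed on two clients.
PRECOMPOSED = "caf\u00e9\u2460"  # 'e-acute' as one code point, then CIRCLED DIGIT ONE
DECOMPOSED = "cafe\u0301\u2460"  # 'e' + combining acute, then CIRCLED DIGIT ONE


def demo() -> dict:
    results = {}
    # Case 1: no normalization anywhere; equivalent strings hash differently.
    stored_raw = hash_password(PRECOMPOSED, None)
    results["raw_vs_raw"] = verify(stored_raw, DECOMPOSED, None)
    # Case 2: both sides apply the same form (NFC assumed); hashes match.
    stored_nfc = hash_password(PRECOMPOSED, "NFC")
    results["nfc_vs_nfc"] = verify(stored_nfc, DECOMPOSED, "NFC")
    # Case 3: the sides disagree on the form. NFKC folds U+2460 to "1",
    # NFC leaves it alone, so normalization itself introduces the mismatch.
    results["nfc_vs_nfkc"] = verify(stored_nfc, DECOMPOSED, "NFKC")
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'match' if ok else 'MISMATCH'}")
```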