Re: Unicode versioning in glib



On Sat, 5 Oct 2002, butterbrain wrote:

> > I'm not sure what your point is, but if you mean that this is enough
> > for a protocol that compares normalized strings (such as passwords)
> > for equality the point is not valid.  The protocols I'm implementing
> > currently require that all protocol implementations must use NFKC
> > from Unicode 3.2.
> 
> all normalisation of passwords should be done on the trusted machine on
> which the password is typed. the storage of the password should be a
> hash of the string that was input. the verification of the password
> never requires a specific encoding. it's acceptable to input your
> password with something other than a keyboard, or with keys on a
> keyboard that don't map to characters or unicode values of any kind! the
> protocol which you are implementing is broken.

Well, the 'nameprep' part of IDN (International Domain Names) strictly
has this requirement that a string should be normalized in NFKC with Unicode
3.2 to minimize the security risk to the absolute minimum. And it has been
reviewed by the Unicode Consortium, which doesn't consider it broken. It
does require the normalization to be done on the client, and the
normalized string passed to the server after some more manipulation. See:

   http://www.ietf.org/internet-drafts/draft-ietf-idn-nameprep-11.txt

roozbeh
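The NFKC-with-Unicode-3.2 step discussed in this thread, as an added example that is not code from the original message or from glib or the nameprep draft. It uses Python's `unicodedata.ucd_3_2_0` object, which ships the Unicode 3.2.0 character database precisely for IDNA/nameprep use, so the normalization result is pinned to that version rather than to whatever Unicode version the interpreter happens to carry. Only the NFKC step is shown; nameprep's other steps (case-folding mapping, prohibited-character checks, bidi rules) are not. The sample strings are constructed, and the function names are this example's own.

```python
import unicodedata

# Unicode 3.2.0 database bundled with CPython's unicodedata module
# (provided for IDNA/nameprep, whose spec is frozen at Unicode 3.2).
UCD_3_2 = unicodedata.ucd_3_2_0


def nfkc_3_2(s: str) -> str:
    """Normalize s to NFKC using Unicode 3.2.0 data, as nameprep requires."""
    return UCD_3_2.normalize("NFKC", s)


def is_normalized_3_2(s: str) -> bool:
    """Receiver-side check: a string that is already NFKC (3.2) is a fixed
    point of normalization, so re-normalizing must not change it."""
    return nfkc_3_2(s) == s


def equal_normalized(a: str, b: str) -> bool:
    """Compare two identifiers after both are NFKC-normalized on the client."""
    return nfkc_3_2(a) == nfkc_3_2(b)


# Constructed sample inputs: each pair looks alike to a user but differs
# byte-for-byte until NFKC folds compatibility and canonical variants.
SAMPLES = [
    # fullwidth Latin letters -> ASCII
    ("\uff45\uff58\uff41\uff4d\uff50\uff4c\uff45", "example"),
    # U+FB01 LATIN SMALL LIGATURE FI -> "fi"
    ("\ufb01le", "file"),
    # A + U+030A COMBINING RING ABOVE -> U+00C5 precomposed
    ("A\u030a", "\u00c5"),
]


def main() -> None:
    for raw, expected in SAMPLES:
        norm = nfkc_3_2(raw)
        print(
            f"{raw!r:>34} raw==expected: {raw == expected!s:5} "
            f"NFKC(3.2)=={expected!r}: {norm == expected} "
            f"already normalized: {is_normalized_3_2(raw)}"
        )


if __name__ == "__main__":
    main()
```

The `is_normalized_3_2` check is the part a server would want: since the protocol moves normalization to the client, the server can still cheaply reject any identifier that is not already in NFKC form instead of silently re-normalizing it.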
