Unicode in passwords

Philippe Verdy verdy_p at wanadoo.fr
Wed Oct 7 06:46:06 CDT 2015

2015-10-07 13:16 GMT+02:00 Stephane Bortzmeyer <bortzmeyer at nic.fr>:

> On Tue, Oct 06, 2015 at 10:53:00PM +0200,
>  Philippe Verdy <verdy_p at wanadoo.fr> wrote
>  a message of 72 lines which said:
> > it is highly preferable to extend the character repertoire to
> > Unicode and accept letters in NFKC form and unified by case folding
> As I said before, "the ship has sailed". RFC 7613 has been published,
> and uses NFC and case preservation. It is IMHO useless to reopen this
> discussion.

Reread the RFC: it discusses the case-insensitive profile using NFC and
conversion to lowercase; this is the bug.

> > the recent RFC that forgot the issue: its case-insensitive profile
> > based on NFC and conversion to lowercase is definitely broken!)
> What is broken is your analysis. RFC 7613 does not convert passwords
> to lowercase. Indeed, it says exactly the opposite, which seems to
> indicate that you did not read it before calling it broken:
>        Case-Mapping Rule: Uppercase and titlecase characters MUST NOT be
>        mapped to their lowercase equivalents.

You are reading the other section for the case-sensitive profile (in
SASLprep, section 6.1), which is absolutely not forbidden for user names,
and already an established practice for too many decades (email
addresses, local user names in Windows...), and this very new RFC will not
change this practice before very long.
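An added illustration of the two preparation rules the thread is arguing over (my own sketch, not code from either poster or from RFC 7613; it models only the normalization and case step, not the full OpaqueString profile):

```python
import hmac
import unicodedata

# Added sketch of the two preparation rules under dispute; it models only the
# normalization and case step, not the full RFC 7613 OpaqueString profile
# (which also does width mapping and rejects disallowed code points).

def prepare_nfc_case_preserving(password: str) -> str:
    """RFC 7613 style: NFC normalization, case left untouched."""
    return unicodedata.normalize("NFC", password)

def prepare_nfkc_casefolded(password: str) -> str:
    """Quoted proposal: NFKC compatibility normalization, then case folding."""
    return unicodedata.normalize("NFKC", password).casefold()

def same_password(stored: str, typed: str, prepare) -> bool:
    """Apply the same preparation to both sides, then compare in constant time.

    Preparing only one side locks out a user whose keyboard sends a combining
    accent where enrolment stored the precomposed letter.
    """
    a = prepare(stored).encode("utf-8")
    b = prepare(typed).encode("utf-8")
    return hmac.compare_digest(a, b)

# Constructed sample pairs showing where the two rules agree or diverge.
SAMPLE_PAIRS = [
    ("caf\u00e9", "cafe\u0301"),   # precomposed vs combining acute accent
    ("\ufb01le", "file"),          # U+FB01 'fi' ligature vs two letters
    ("Stra\u00dfe", "STRASSE"),    # case folding maps U+00DF to "ss"
    ("Password", "password"),      # plain case difference
]

def compare_rules(pairs=SAMPLE_PAIRS):
    """Return [(stored, typed, equal_under_nfc, equal_under_nfkc_casefold)]."""
    return [
        (s, t,
         same_password(s, t, prepare_nfc_case_preserving),
         same_password(s, t, prepare_nfkc_casefolded))
        for s, t in pairs
    ]

if __name__ == "__main__":
    for s, t, nfc_eq, folded_eq in compare_rules():
        print(f"{s!r} vs {t!r}: NFC/case-preserving={nfc_eq}, NFKC+casefold={folded_eq}")
```

The folded rule accepts more keyboard variants of one secret but also merges distinct secrets (the ligature, ß and case pairs above), which is exactly the trade-off the two posters disagree about.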