SASLprep200x

Paul Hoffman phoffman at imc.org
Fri Jan 5 19:45:30 CET 2007


At 10:06 AM -0500 1/5/07, John C Klensin wrote:
>I think we are not disagreeing, but not communicating.

Fully disagree. Fortunately, you made that easy to see in the next sentence.

>In our
>end result, we need to, somehow, accommodate at least three
>different applications and whatever requirements they produce:
>
>	(i) IDNs
>	(ii) Identifiers to be used to name certificates and
>	other security credentials
>	(iii) Passwords and other strings that benefit from high
>	entropy.

We have no such "need".

We need (i), of course.

We also need (ii) but only insofar as domain names used in those 
certs and credentials. To be explicit: we do not need to do anything 
to let "Johnson&Johnson" use their name in the issuer name or subject 
name fields of PKIX certificates. That is out of scope for 
StringPrep. If the security community wants an interoperable way to 
handle free-text strings, they can invent it themselves. (Yes, I will 
be a stuckee with the giant target on his chest for this one; I'll 
live with that. Fortunately, Simon will be standing next to me.)

We should not even consider (iii). The fact that the SASL community 
wanted to use StringPrep2003 for their needs then, and now may regret 
that decision, is Not Our Problem, particularly because they can fix 
their problem themselves with a lot less effort than it would take us 
to accommodate them.


