[UA-discuss] Fw: [saag] encrypted files with UTF-8/16 passwords

Maxim Alzoba m.alzoba at gmail.com
Fri Mar 24 15:31:36 UTC 2017


Dear All, 

please be aware that historically using non-ASCII chars in passwords was a bad idea in 
many systems (for security reasons). 

The idea of accepting IDN passwords is great, but the 
reality ... is not so bright, so it could be an idea of "step by step improvement, for the better future".


Sincerely Yours,

Maxim Alzoba
Special projects manager,
International Relations Department,
FAITID

m. +7 916 6761580
skype oldfrogger

Current UTC offset: +3.00 (Moscow)

> On Mar 24, 2017, at 16:42, <nalini.elkins at insidethestack.com> <nalini.elkins at insidethestack.com> wrote:
> 
> This may be of interest to UASG.
> 
> Thanks,
> 
> Nalini Elkins
> CEO and Founder
> Inside Products, Inc.
> www.insidethestack.com
> (831) 659-8360
> 
> 
> --- On Fri, 3/24/17, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:
> 
>> From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com>
>> Subject: [saag] encrypted files with UTF-8/16 passwords
>> To: "IETF SAAG" <saag at ietf.org>
>> Cc: mnystrom at microsoft.com, Kathleen.Moriarty at emc.com, bkaliski at verisign.com
>> Date: Friday, March 24, 2017, 1:07 AM
>> Hi,
>> PKCS#8 (rfc8018) and PKCS#12 (rfc7292) can be used to encrypt keys
>> and certificates with a password. In the first case, PKCS#8 utilizes
>> PKCS#5 for converting a password to an encryption key, and PKCS#5
>> requires a password to be in UTF-8. For PKCS#12, a password is input
>> in UTF-16 format (mentioned as BMPString in the document) in some
>> preset schemes, but uses UTF-8 for newer schemes like AES via PKCS#5.
>> 
>> However, UTF-8 (and UTF-16) are ambiguous. The same string may have
>> multiple representations, and for that, there are some guidelines in
>> RFC7613 to prepare a Unicode string for a password, but they do not
>> update either of these documents.
>> 
>> Given that these are informational RFCs, which would be the proper
>> method to propose an update on them based on these lines and requiring
>> RFC7613 processing for passwords entered in UTF-8?
>> 
>> regards,
>> Nikos
>> 
>> _______________________________________________
>> saag mailing list
>> saag at ietf.org
>> https://www.ietf.org/mailman/listinfo/saag
>> 
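The ambiguity Nikos describes, shown in code. This is an added example and is not part of the thread or of any of the RFCs it cites: the same visible word "café" is fed to PKCS#5 key derivation once in precomposed (NFC) form and once in decomposed (NFD) form, the two UTF-8 encodings differ, so the derived keys differ, and an RFC 7613-style preparation step makes them agree again. The `opaque_string_prepare` function is a simplified approximation of the OpaqueString profile, not a full PRECIS implementation (it rejects every Unicode C* category, which is stricter than the RFC in places); `pkcs12_bmpstring` produces the UTF-16BE-plus-two-NUL-bytes form that RFC 7292 Appendix B.1 specifies for the legacy PKCS#12 schemes. The sample strings and salt are constructed for the demo; only the Python standard library is used.

```python
import hashlib
import unicodedata


def opaque_string_prepare(password: str) -> str:
    """Prepare a password roughly the way RFC 7613's OpaqueString profile does.

    Simplified approximation (not a full PRECIS implementation): every
    non-ASCII space (category Zs) becomes U+0020, the string is NFC
    normalized, and control/format/unassigned code points (all C*
    categories) or an empty result are rejected.
    """
    mapped = "".join(
        " " if unicodedata.category(ch) == "Zs" else ch for ch in password
    )
    prepared = unicodedata.normalize("NFC", mapped)
    for ch in prepared:
        if unicodedata.category(ch).startswith("C"):
            raise ValueError(f"disallowed code point U+{ord(ch):04X} in password")
    if not prepared:
        raise ValueError("empty password after preparation")
    return prepared


def pkcs5_key(password: str, salt: bytes, iterations: int = 100_000,
              length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 over the UTF-8 bytes of the password, as PKCS#5
    derives keys. No normalization happens here: the caller decides whether
    to prepare the string first, which is exactly the gap the thread is about."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, length)


def pkcs12_bmpstring(password: str) -> bytes:
    """Encode a password as PKCS#12 (RFC 7292, Appendix B.1) expects for the
    legacy schemes: UTF-16BE code units followed by a two-byte NUL terminator.
    A BMPString cannot hold code points above U+FFFF, so those are rejected
    rather than silently turned into surrogate pairs."""
    for ch in password:
        if ord(ch) > 0xFFFF:
            raise ValueError(f"U+{ord(ch):X} does not fit in a BMPString")
    return password.encode("utf-16-be") + b"\x00\x00"


# Constructed sample input: the same visible word "café" in two Unicode forms.
NFC_FORM = "caf\u00e9"          # precomposed e-acute (U+00E9)
NFD_FORM = "cafe\u0301"         # plain e followed by combining acute accent
SALT = b"\x00\x01\x02\x03\x04\x05\x06\x07"   # constructed, fixed for the demo


def keys_differ_without_preparation() -> bool:
    """True if the two spellings yield different PKCS#5 keys when used raw."""
    return pkcs5_key(NFC_FORM, SALT, 1000) != pkcs5_key(NFD_FORM, SALT, 1000)


def keys_match_with_preparation() -> bool:
    """True if RFC 7613-style preparation makes the two spellings agree."""
    return (pkcs5_key(opaque_string_prepare(NFC_FORM), SALT, 1000)
            == pkcs5_key(opaque_string_prepare(NFD_FORM), SALT, 1000))


if __name__ == "__main__":
    print("UTF-8 NFC:", NFC_FORM.encode("utf-8"))
    print("UTF-8 NFD:", NFD_FORM.encode("utf-8"))
    print("raw keys differ:", keys_differ_without_preparation())
    print("prepared keys match:", keys_match_with_preparation())
    print("PKCS#12 BMPString:", pkcs12_bmpstring(NFC_FORM).hex())
```

The practical consequence is the one the thread points at: a file encrypted with a password typed on a system that emits NFD (some macOS input paths do) will not open with the "same" password typed on a system that emits NFC unless both sides apply the same preparation before key derivation, and neither PKCS#5 nor PKCS#12 tells implementers to do so. For production use, replace the simplified preparation with a complete PRECIS/RFC 7613 implementation.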
