[UA-discuss] Fw: [saag] encrypted files with UTF-8/16 passwords

Tan Tanaka, Dennis dtantanaka at verisign.com
Fri Mar 24 18:12:56 UTC 2017

Let’s not confuse the subject. Passwords are not domain names. So, this topic is not germane to UA.


On 3/24/17, 11:31 AM, "ua-discuss-bounces at icann.org on behalf of Maxim Alzoba" <ua-discuss-bounces at icann.org on behalf of m.alzoba at gmail.com> wrote:

    Dear All,
    please be aware that historically using non-ASCII chars in passwords was a bad idea in many systems (for security reasons).
    The idea of acceptance of IDN passwords is great, but the reality ... is not so bright, so it could be an idea of "step by step improvement, for the better future".
    Sincerely Yours,
    Maxim Alzoba
    Special projects manager,
    International Relations Department,
    m. +7 916 6761580
    skype oldfrogger
    Current UTC offset: +3.00 (Moscow)
    > On Mar 24, 2017, at 16:42, <nalini.elkins at insidethestack.com> <nalini.elkins at insidethestack.com> wrote:
    > This may be of interest to UASG.
    > Thanks,
    > Nalini Elkins
    > CEO and Founder
    > Inside Products, Inc.
    > www.insidethestack.com
    > (831) 659-8360
    > --- On Fri, 3/24/17, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:
    >> From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com>
    >> Subject: [saag] encrypted files with UTF-8/16 passwords
    >> To: "IETF SAAG" <saag at ietf.org>
    >> Cc: mnystrom at microsoft.com, Kathleen.Moriarty at emc.com, bkaliski at verisign.com
    >> Date: Friday, March 24, 2017, 1:07 AM
    >> Hi,
    >> PKCS#8 (rfc8018) and PKCS#12 (rfc7292) can be used to encrypt keys and certificates with a password. In the first case, PKCS#8 utilizes PKCS#5 for converting a password to an encryption key, and PKCS#5 requires a password to be in UTF-8. For PKCS#12, a password is input in UTF-16 format (mentioned as BMPString in the document) in some preset schemes, but uses UTF-8 for newer schemes like AES via PKCS#5.
    >> However, UTF-8 (and UTF-16) are ambiguous. The same string may have multiple representations, and for that, there are some guidelines in RFC7613 to prepare a Unicode string for a password, but they do not update either of these documents.
    >> Given that these are informational RFCs, which would be the proper method to propose an update on them based on these lines and requiring RFC7613 processing for passwords entered in UTF-8?
    >> regards,
    >> Nikos
    >> _______________________________________________
    >> saag mailing list
    >> saag at ietf.org
    >> https://www.ietf.org/mailman/listinfo/saag
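
Added example, not part of the thread or of any RFC's reference code: it shows the ambiguity described in the quoted [saag] message, where one visible password in two Unicode forms yields different PKCS#5 (PBKDF2) keys and different PKCS#12 BMPString bytes, and how preparing the string first removes the mismatch. The `opaque_string` helper is a simplified approximation of the RFC 7613 OpaqueString profile, and the salt, iteration count and sample password are constructed for the demonstration.

```python
import hashlib
import unicodedata

SALT = bytes(range(16))   # constructed salt for the demonstration
ITERATIONS = 10_000       # constructed iteration count

def opaque_string(password: str) -> str:
    """Simplified approximation of the RFC 7613 OpaqueString profile:
    map non-ASCII spaces to U+0020, apply NFC, reject empty strings and
    control characters. Not a complete PRECIS implementation."""
    mapped = "".join(" " if unicodedata.category(c) == "Zs" else c
                     for c in password)
    prepared = unicodedata.normalize("NFC", mapped)
    if not prepared:
        raise ValueError("empty password")
    if any(unicodedata.category(c) == "Cc" for c in prepared):
        raise ValueError("control character in password")
    return prepared

def pbkdf2_key(password: str, prepare: bool) -> bytes:
    """PKCS#5 PBKDF2 over the UTF-8 bytes of the password."""
    if prepare:
        password = opaque_string(password)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               SALT, ITERATIONS, 32)

def bmp_password(password: str) -> bytes:
    """PKCS#12 BMPString form: UTF-16BE plus a two-byte NUL terminator."""
    return password.encode("utf-16-be") + b"\x00\x00"

# Constructed sample: the same visible password entered two ways.
composed = "caf\u00e9"      # 'é' as a single code point (NFC)
decomposed = "cafe\u0301"   # 'e' followed by a combining acute accent (NFD)

def demo() -> dict:
    """Compare derived keys and BMPString bytes with and without preparation."""
    prep_c, prep_d = opaque_string(composed), opaque_string(decomposed)
    return {
        "raw_keys_match": pbkdf2_key(composed, False) == pbkdf2_key(decomposed, False),
        "prepared_keys_match": pbkdf2_key(composed, True) == pbkdf2_key(decomposed, True),
        "raw_bmp_match": bmp_password(composed) == bmp_password(decomposed),
        "prepared_bmp_match": bmp_password(prep_c) == bmp_password(prep_d),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A file encrypted on a system that emits the decomposed form cannot be opened with the composed form unless both sides prepare the password the same way before key derivation.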
