Fw: [saag] encrypted files with UTF-8/16 passwords
This may be of interest to UASG.

Thanks,
Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360

--- On Fri, 3/24/17, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> wrote:

From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Subject: [saag] encrypted files with UTF-8/16 passwords
To: "IETF SAAG" <saag@ietf.org>
Cc: mnystrom@microsoft.com, Kathleen.Moriarty@emc.com, bkaliski@verisign.com
Date: Friday, March 24, 2017, 1:07 AM

Hi,
PKCS#8 (rfc8018) and PKCS#12 (rfc7292) can be used to encrypt keys and certificates with a password. In the first case, PKCS#8 utilizes PKCS#5 for converting a password to an encryption key, and PKCS#5 requires a password to be in UTF-8. For PKCS#12, a password is input in UTF-16 format (mentioned as BMPString in the document) in some preset schemes, but uses UTF-8 for newer schemes like AES via PKCS#5.

However, UTF-8 (and UTF-16) are ambiguous. The same string may have multiple representations, and for that, there are some guidelines in RFC7613 to prepare a Unicode string for a password, but they do not update either of these documents.

Given that these are informational RFCs, which would be the proper method to propose an update on them based on these lines and requiring RFC7613 processing for passwords entered in UTF-8?

regards,
Nikos

_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag
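Added illustration of the ambiguity Nikos describes (example code, not from the thread or any of the RFCs): the same visible password in NFC and NFD form has different UTF-8 octets, so PKCS#5 PBKDF2 derives different keys from it unless the string is first prepared. The `opaque_string` function is an assumed, simplified subset of the RFC 7613 OpaqueString profile (non-ASCII space mapping, NFC, control-character rejection), and the salt is a constructed value.

```python
import hashlib
import unicodedata

# Constructed sample: the password "café" in two Unicode forms.
PW_NFC = "caf\u00e9"       # precomposed U+00E9
PW_NFD = "cafe\u0301"      # 'e' followed by combining acute accent U+0301
SALT = b"constructed-salt" # constructed for this example only


def opaque_string(pw: str) -> str:
    """Simplified subset of the RFC 7613 OpaqueString profile (assumption:
    only the rules needed here): map non-ASCII spaces to U+0020, apply NFC,
    reject control characters and the empty string. No case folding and no
    width mapping, matching that profile."""
    mapped = "".join(" " if unicodedata.category(ch) == "Zs" else ch for ch in pw)
    out = unicodedata.normalize("NFC", mapped)
    if not out or any(unicodedata.category(ch) == "Cc" for ch in out):
        raise ValueError("password violates the OpaqueString profile")
    return out


def pkcs5_key(pw: str, salt: bytes = SALT, iterations: int = 10000) -> bytes:
    """PKCS#5 PBKDF2 (RFC 8018) consumes the password as its UTF-8 octets."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations, 32)


def pkcs12_bmpstring(pw: str) -> bytes:
    """PKCS#12 (RFC 7292, Appendix B.1) legacy KDF input: the password as
    big-endian UTF-16 (BMPString) followed by a two-byte NUL terminator.
    The NFC/NFD ambiguity is present here as well."""
    return pw.encode("utf-16-be") + b"\x00\x00"


def keys_differ_without_preparation() -> bool:
    # Same visible password, different octets, different derived keys.
    return pkcs5_key(PW_NFC) != pkcs5_key(PW_NFD)


def keys_match_with_preparation() -> bool:
    # After OpaqueString-style preparation both forms derive the same key.
    return pkcs5_key(opaque_string(PW_NFC)) == pkcs5_key(opaque_string(PW_NFD))


if __name__ == "__main__":
    print("unprepared keys differ:", keys_differ_without_preparation())
    print("prepared keys match:   ", keys_match_with_preparation())
    print("BMPString of NFC form: ", pkcs12_bmpstring(PW_NFC).hex())
```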
Dear All,

please be aware that historically using non-ASCII chars in passwords was a bad idea in many systems (for security reasons). The idea of acceptance of IDN passwords is great, but the reality ... is not so bright, so it could be an idea of "step by step improvement, for the better future".

Sincerely Yours,
Maxim Alzoba
Special projects manager, International Relations Department, FAITID
m. +7 916 6761580
skype oldfrogger
Current UTC offset: +3.00 (Moscow)
On Mar 24, 2017, at 16:42, nalini.elkins@insidethestack.com wrote:
Let's not confuse the subject. Passwords are not domain names. So, this topic is not germane to UA.

-Dennis

On 3/24/17, 11:31 AM, "ua-discuss-bounces@icann.org on behalf of Maxim Alzoba" <m.alzoba@gmail.com> wrote: