
Re: Schema: encrypted 8-bit userPassword and SASLprep



Kurt D. Zeilenga writes:
> userPassword values are matched with octetStringMatch.
> If client A stores a string into userPassword and
> client B asserts that the attribute contains a string,
> that assertion will be True if and only if those strings
> are, octet-wise, the same.  The preparation ensures that
> equivalent user inputted textual strings of characters
> are treated as being equivalent.

True.  I was thinking of the case where the userPassword attribute is
created by another means than storing it through the protocol.  Or
rather, I wasn't thinking at all, otherwise I'd have mentioned that
detail :-)

>>> Note that it is not a mandate.  It is a recommendation.
>>
>>Sure, but if implementations follow that recommendation, sites with
>>servers using Unix /etc/passwd passwords are in trouble.  Unless they
>>also follow a recommendation to allow this to be turned off.
> 
> I don't see how 2.41 of [Schema] applies to passwords not
> held in userPassword.  ([AuthMeth] requirements might apply,
> but you specifically referenced 2.41 of [Schema].)

True.  I should have said [Schema] _and_ [Protocol].

But never mind.  As you say, let's stick to [Protocol]/[AuthMeth]
issues for now.

-- 
Hallvard
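
Added example, not part of the original message: a sketch of why octet-wise matching depends on preparation, and why a value created outside the protocol can fail to match. `saslprep_simplified`, `octet_string_match` and `compare` are hypothetical names, the sample passwords are constructed, the Latin-1 legacy encoding is an assumption, and the preparation covers only the mapping, NFKC and control-character steps of SASLprep (RFC 4013).

```python
import stringprep
import unicodedata


def saslprep_simplified(text: str) -> str:
    """Mapping, NFKC and prohibited-output steps of SASLprep (RFC 4013).

    Simplification: the bidirectional and unassigned-code-point checks are omitted.
    """
    mapped = []
    for ch in text:
        if stringprep.in_table_b1(ch):        # "commonly mapped to nothing"
            continue
        # Non-ASCII space characters are mapped to U+0020.
        mapped.append(" " if stringprep.in_table_c12(ch) else ch)
    prepared = unicodedata.ucd_3_2_0.normalize("NFKC", "".join(mapped))
    for ch in prepared:
        if stringprep.in_table_c21_c22(ch):   # control characters are prohibited
            raise ValueError(f"prohibited character U+{ord(ch):04X}")
    return prepared


def octet_string_match(stored: bytes, asserted: bytes) -> bool:
    """octetStringMatch: true only if both values are the same octets."""
    return stored == asserted


# Constructed sample input: the same visible password typed on two clients.
CLIENT_A = "caf\u00e9"     # precomposed e-acute
CLIENT_B = "cafe\u0301"    # "e" followed by a combining acute accent


def compare() -> dict:
    raw = octet_string_match(CLIENT_A.encode("utf-8"), CLIENT_B.encode("utf-8"))
    prepared = octet_string_match(
        saslprep_simplified(CLIENT_A).encode("utf-8"),
        saslprep_simplified(CLIENT_B).encode("utf-8"),
    )
    # Assumption: a value created outside the protocol as 8-bit Latin-1 octets.
    legacy = octet_string_match(
        CLIENT_A.encode("latin-1"),
        saslprep_simplified(CLIENT_A).encode("utf-8"),
    )
    return {"raw": raw, "prepared": prepared, "legacy_8bit": legacy}


if __name__ == "__main__":
    print(compare())
```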