Re: [Emu] EAP, RADIUS, UTF-8, RFC 4282 and SASLPREP: the interop nightmare
Bernard Aboba wrote:
> [BA] RFC 4282 actually proposes that the realm portion of the NAI be
> encoded in punycode, not UTF-8.
That's just wrong. No AAA client or server does that.
At the last IETF, I had proposed in a hallway conversation, to update
portions of RFC 4282 to describe what implementors actually do. It looks
like it's time for that document to get written.
> ...it is hard for me to see how the NAI in EAP or
> RADIUS could be encoded in anything other than UTF-8.
I agree. RFC 5335 Section 4.4 defines a "utf8-addr-spec", which is:
    utf8-local-part "@" utf8-domain
That's probably a good start for this document.
> realm portion of the NAI. It **is** reasonable to say that if and
> when the realm is included in a DNS
> query that it should be converted to punycode (e.g. an A-label) beforehand.
Yes.
> [BA] The more I’ve looked into this, the more likely it seems that this problem
> is real and potentially wide in scope, affecting not only EAP, RADIUS, Diameter but also
> EAP methods. For example, RFC 2759 (MS-CHAPv2) Section 4 states:
Potentially anywhere a user identifier is used. User-Name, CUI, and
other protocols such as Kerberos.
> [BA] So what do we do about this?
...
> a. A document on NAI internationalization, updating RFC 4282.
> This would address the (IMHO incorrect) punycode encoding of the realm
> portion.
I'll start on that.
> b. A document on EAP internationalization, updating RFC 3748. This
> would cover the EAP-Response/Identity as well as potentially giving
> advice on issues such as password internationalization and
> internationalization of the EAP Peer-Id and Server-Ids.
I'll stay away from that. :(
Alan DeKok.
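
The split discussed in this message (UTF-8 for the NAI as carried in EAP or RADIUS, A-labels only when the realm goes into a DNS query), as an added example that is not part of the original message or of any AAA implementation. The function names, the sample NAI, and the choice to split at the last "@" are assumptions made for illustration.

```python
# Added illustration. Python's built-in "idna" codec implements IDNA 2003
# (RFC 3490) ToASCII, which is what produces the "xn--" A-labels.

def split_nai(raw: bytes):
    """Split the octets of a User-Name / EAP identity into (user, realm).

    Follows the utf8-local-part "@" utf8-domain shape quoted above.
    Octets that are not valid UTF-8 raise UnicodeDecodeError instead of
    being guessed at. Splitting at the last "@" is an assumption.
    """
    text = raw.decode("utf-8")  # strict decoding
    user, sep, realm = text.rpartition("@")
    if not sep:
        return text, None       # no realm present
    if not user or not realm:
        raise ValueError("empty user or realm in NAI")
    return user, realm


def realm_for_dns(realm: str) -> str:
    """Convert a realm to A-labels, only at the point of a DNS query."""
    return realm.encode("idna").decode("ascii").lower()


def same_realm(a: str, b: str) -> bool:
    """Compare realms in one form, so that a UTF-8 realm and the punycode
    form RFC 4282 describes are recognised as the same realm."""
    return realm_for_dns(a) == realm_for_dns(b)


if __name__ == "__main__":
    # Constructed sample input, not taken from the thread.
    wire = "jörg@münchen.example".encode("utf-8")
    user, realm = split_nai(wire)
    print("on the wire :", wire)
    print("user, realm :", user, realm)
    print("DNS query   :", realm_for_dns(realm))
    # A byte-wise comparison treats the two encodings as different realms.
    print("bytes equal :", realm.encode("utf-8") == b"xn--mnchen-3ya.example")
    print("same realm  :", same_realm(realm, "xn--mnchen-3ya.example"))
```

A server that matches realms byte-for-byte will route the UTF-8 and punycode forms of one realm differently, which is the interoperability problem the thread describes.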