On Thu, 2016-11-24 at 14:26 +0100, Nikos Mavrogiannopoulos wrote:
> On Wed, Nov 23, 2016 at 10:10 PM, David Woodhouse <dw...@infradead.org> wrote:
> > > Locales is not the only thing you have to worry about. UTF-8 and UTF-16
> > > can express the same string in various (different) ways, so they cannot
> > > be directly used as passwords. I have recently added RFC7613
> > > "normalization" to gnutls, to address the differences.
> > >
> > > https://lists.gnupg.org/pipermail/gnutls-devel/2016-November/008240.html
> >
> > Right. You normalise to NFC, yes? That's what my draft recommends. It's a
> > shame that PKCS#12 doesn't *mandate* that... but hey, at least it does
> > better than PKCS#8 :)
>
> NFC normalization is one step of RFC7613. I think recommending RFC7613
> is better than making any recommendation.
Hmmm.... I'd be happier if RFC7613 had any mention of using its profiles for key derivation. (And even happier if the PKCS#12 and PKCS#8 standards mandated its use!)

This is really something that should be required of the software which *creates* the key file. I've tried to limit my draft to the *use* of existing files — but on the plus side, that means I can say things like "try X and if that doesn't work try Y", at least for the file decryption, if not for hardware.

So sure, if there is existing software which is *creating* key files and using the rules in RFC7613 when it does so, then it makes sense for me to suggest that.

-- 
dwmw2
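To illustrate the point the thread is making, here is an added example (not code from the draft, from gnutls or from OpenSSL) showing that the precomposed and decomposed spellings of the same password yield different PBKDF2 keys, that a simplified RFC 7613 OpaqueString step makes them agree, and what a "try the typed form, then NFC, then NFD" decryption fallback looks like; the salt and iteration count are constructed stand-ins for a PBES2 file's parameters, and the OpaqueString function is an approximation, not a full PRECIS implementation.

```python
import hashlib
import unicodedata
from typing import Optional

# Two Unicode spellings of the visually identical password "café":
# precomposed U+00E9 (NFC) and base letter plus combining acute (NFD).
PASSWORD_NFC = "caf\u00e9"
PASSWORD_NFD = "cafe\u0301"

# Constructed salt and iteration count, standing in for the values an
# encrypted PKCS#8 (PBES2 / PBKDF2) file carries in its parameters.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 2048


def opaque_string_prepare(password: str) -> str:
    """Simplified RFC 7613 OpaqueString preparation (an approximation):
    map non-ASCII space characters to U+0020, normalize to NFC, and
    reject empty strings and control characters."""
    mapped = "".join(" " if unicodedata.category(ch) == "Zs" else ch
                     for ch in password)
    normalized = unicodedata.normalize("NFC", mapped)
    if not normalized:
        raise ValueError("empty password is disallowed by OpaqueString")
    if any(unicodedata.category(ch) == "Cc" for ch in normalized):
        raise ValueError("control characters are disallowed by OpaqueString")
    return normalized


def derive_key(password: str, normalize: bool) -> bytes:
    """PBKDF2-HMAC-SHA256, as PKCS#8 PBES2 uses it, over the UTF-8 bytes of
    the password, optionally after OpaqueString preparation."""
    text = opaque_string_prepare(password) if normalize else password
    return hashlib.pbkdf2_hmac("sha256", text.encode("utf-8"), SALT,
                               ITERATIONS, 32)


def try_password_forms(password: str, expected_key: bytes) -> Optional[str]:
    """The 'try X and if that doesn't work try Y' strategy for decrypting an
    existing file: attempt the password as typed, then its NFC form, then its
    NFD form, and report which one reproduced the key (None if none did)."""
    candidates = [("as-typed", password),
                  ("NFC", unicodedata.normalize("NFC", password)),
                  ("NFD", unicodedata.normalize("NFD", password))]
    for label, form in candidates:
        if derive_key(form, normalize=False) == expected_key:
            return label
    return None
```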
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev