One Small Voice: The Journal of Peter Saint-Andre

RFC 7613: Internationalized Usernames and Passwords


A few months ago I posted about the internationalization odyssey that was the Framework for Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols, a.k.a. RFC 7564. This work has significant implications for security, as exemplified by the PRECIS profiles for usernames and passwords, just published as RFC 7613. The old approach to internationalization of usernames and passwords (RFC 4013) was locked into Unicode version 3.2 (it's now up to version 7, with version 8 coming soon) and also used an identical algorithm for both usernames and passwords, even though the security characteristics of these two constructs are quite different (for passwords we want to maximize entropy by allowing just about every possible Unicode character, whereas for usernames we want a more controlled subset of Unicode characters mostly limited to letters and numbers). With RFC 7613, Alexey Melnikov and I took a more modern and careful approach: among other things it's version-agile with respect to Unicode and it defines separate profiles - actually one for passwords (called "OpaqueString") and two for usernames, depending on whether uppercase characters are preserved or mapped to lowercase. It will take awhile for this new approach to trickle into application protocols (XMPP identifiers and chatroom nicknames are the first two) and then into running code, but eventually this new approach will provide a stronger and more sustainable foundation for handling internationalized usernames and passwords over the Internet.

RFC 7590: TLS in XMPP


Following on the work that Yaron Sheffer, Ralph Holz, and I did on best practices for SSL/TLS in application protocols, Thijs Alkemade and I have now applied those recommendations to XMPP in the form of RFC 7590 (published today). This document explicitly updates the security considerations of the core XMPP spec and thus helps us further strengthen the security properties of the Jabber/XMPP network. Naturally there is still much to be done, but this is another step in the right direction...

Two More Nietzschean Poems


Although my philosophical focus right now is on Thoreau, I'm also thinking once in a while about Songs of Zarathustra (a cycle of poems providing a positive interpretation of Nietzsche's ethics). Here are drafts of two more poems that might make the cut. As can be seen, these are related to my previous poem Eternal Recurrence.

Amor Fati

Whatever might unfold for me
Is not spun out by scheming Fates;
Instead it's simple destiny,
A line of life that time creates.

It's natural that I love this line,
Despite its pains and hurried pace;
Because the steps I make are mine,
I take pride in their style and grace.

I wrote the first stanza of that one a month or two ago. As I was waking up this morning, the following poem (Spiral) came to me quite quickly, and then I went back and worked out a second stanza to Amor Fati. As always, these are provisional and might not survive the editor's pen.


Eternal recurrence of the same
Sounds like a circle I can't escape,
The endless march of a lowly ant
On a moebius strip of grinding fate.

And yet the notion spurs me on
To fly and soar while I have the chance,
To make my life a thing of gold
That shines out over time and space.

RFCs 7572 and 7573: SIP-XMPP Messaging


And the hits keep coming! Today two more of my RFCs were published through the Internet Engineering Task Force, defining how SIP and XMPP can interoperate for one-to-one messaging: RFC 7572 covers single messages (also called "pager-mode" messaging in the SIP world), whereas RFC 7573 covers one-to-one chat sessions (a.k.a. "session-mode" messaging). These documents continue in the series started with RFCs 7247 and 7248 and have been in the works since early 2008, if you can believe it. I hate to brag, but it shows how much I care about interoperability that I've kept pushing these specs forward all this time. :-) There are two more documents still to be published in this series: one on multi-party text chat rooms and the other on voice and video call signaling, so stay tuned for more RFCs in the relatively near future...

The Art of the Fugue


Ever since I discovered Bach's Art of the Fugue thirty years ago, I have turned to this piece of music for solace when I am in a state of agitation. Finding myself there again this evening, I decided to pay homage to the greatest of composers with this brief pantoum...

The Art of the Fugue

How these twelve notes soar and tumble,
Calming my soul in a bath of sound!
As lines entwine and themes embrace,
Bracing logic melts my cares away.

Calming my soul in a bath of sound,
Bach weaves his magic mastery.
Bracing logic melts my cares away;
Creation fills me up with wonder.

Bach weaves his magic mastery
As lines entwine and themes embrace.
Creation fills me up with wonder:
How these twelve notes soar and tumble!

RFC 7565: Account URIs


RFC 7564 is a good example of a necessarily complex piece of work that required a long time to produce. Yet sometimes even simple things take time. Case in point: the specification of the 'acct' URI scheme, also published today as RFC 7565. In June of 2012 I split the definition of this scheme out from the WebFinger document so that it could stand on its own. Indeed, the 'acct' URI spec was approved for publication almost 2 years ago, but couldn't be published as an RFC until the PRECIS framework was published today as RFC 7564. Ah, the wonderful world of technology standardization...

For older entries, check the archive. To track changes, follow the feed.

Peter Saint-Andre > Journal