-
Martin
As passwords and usernames also go over the wire, should they also be checked for invalid code points or is this safe as the registering client and/or server already forbid this?
-
Sam
The server should check this for you when you set the password initially (or possibly later as well if you're using PLAIN).
-
Zash
SASLPREP is a thing
-
Martin
Good, thanks. 🙂
-
Sam
If you're using PRECIS, it might be good for the client to check in advance too (there's a special "easier" verification method for clients to use). That way, if your server is still using SASLPREP and there's a conflict (less likely with passwords, but still), you can go ahead and make their eventual transition easier by not setting a password that will become invalid later.
-
Sam
Then again, passwords are the easy one to change, so less important here than e.g. usernames.