The specification, as of draft-ietf-sasl-crammd5-04.txt, is silent on whether a SASL server implementation applying SASLprep to a password received from an external, non-SASL-specific database (i.e., the passwords are not stored in SASLprep form in the database) should set or clear the AllowUnassigned bit. The motivation for the AU-bit in StringPrep/SASLprep is the distinction between stored strings and query strings. It could be argued that in this situation the server can treat the external password either as a stored string (it comes from a database) or as a query (the server uses the string as a query into the fixed HMAC-MD5 hash).
The specification is also unclear on whether clients should set or clear the AllowUnassigned flag.
In the server, GNU SASL applies SASLprep to the password with the AllowUnassigned bit cleared.
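To make the effect of that bit concrete, here is an added example (not GNU SASL code) of a simplified SASLprep in Python, built only on the standard unicodedata module so it runs without libgsasl. It applies the RFC 4013 steps (map, NFKC normalize, prohibit, bidi check) and then treats unassigned code points as rejected unless the caller sets allow_unassigned, which mirrors the server-side choice described above. Assumptions: the prohibited tables are approximated from Unicode general categories plus an explicit subset, and "unassigned" is judged against the running Python's Unicode tables rather than the Unicode 3.2 tables StringPrep is defined on, so the exact set differs from a conforming implementation.

```python
"""Simplified SASLprep (RFC 4013) illustrating the AllowUnassigned bit.

Added example, not GNU SASL code. Assumption: the running Python's Unicode
tables stand in for Unicode 3.2, so the "unassigned" set is approximate.
"""
import unicodedata


class SaslprepError(ValueError):
    """Raised when input is prohibited, bidi-inconsistent, or unassigned."""


# RFC 3454 table B.1: code points commonly mapped to nothing.
MAP_TO_NOTHING = ({0x00AD, 0x034F, 0x1806, 0x180B, 0x180C, 0x180D, 0x200B,
                   0x200C, 0x200D, 0x2060, 0xFEFF} | set(range(0xFE00, 0xFE10)))

# RFC 3454 table C.1.2: non-ASCII spaces, mapped to U+0020 (RFC 4013 2.1).
NON_ASCII_SPACE = ({0x00A0, 0x1680, 0x202F, 0x205F, 0x3000}
                   | set(range(0x2000, 0x200C)))

# Explicit subset of the prohibited tables C.2.2 / C.6 / C.7 / C.8 / C.9
# (bidi controls, tagging characters, etc.); controls, private use,
# surrogates and non-characters are derived from categories below.
PROHIBITED = ({0x0340, 0x0341, 0x200E, 0x200F, 0x2028, 0x2029, 0xE0001}
              | set(range(0x202A, 0x202F)) | set(range(0x2060, 0x2070))
              | set(range(0x2FF0, 0x2FFC)) | set(range(0xFFF9, 0xFFFE))
              | set(range(0xE0020, 0xE0080)))


def _is_noncharacter(cp):
    """RFC 3454 table C.4: U+FDD0..U+FDEF and every U+xxFFFE / U+xxFFFF."""
    return 0xFDD0 <= cp <= 0xFDEF or (cp & 0xFFFE) == 0xFFFE


def saslprep(password, allow_unassigned=False):
    """Return the SASLprep'd form of password or raise SaslprepError.

    allow_unassigned=False is the "stored string" behaviour (and the
    behaviour GNU SASL's server side uses); True is the "query" behaviour.
    """
    # 1. Mapping (RFC 4013 section 2.1).
    mapped = []
    for ch in password:
        cp = ord(ch)
        if cp in MAP_TO_NOTHING:
            continue
        mapped.append(" " if cp in NON_ASCII_SPACE else ch)
    # 2. Normalization with NFKC (section 2.2).
    out = unicodedata.normalize("NFKC", "".join(mapped))
    # 3. Prohibited output (section 2.3) and unassigned code points (2.5).
    for ch in out:
        cp = ord(ch)
        cat = unicodedata.category(ch)
        if (cat in ("Cc", "Co", "Cs") or cp in PROHIBITED
                or cp in NON_ASCII_SPACE or _is_noncharacter(cp)):
            raise SaslprepError(f"prohibited code point U+{cp:04X}")
        if cat == "Cn" and not allow_unassigned:
            raise SaslprepError(f"unassigned code point U+{cp:04X}")
    # 4. Bidirectional check (section 2.4, RFC 3454 section 6): a string with
    #    any R/AL character must contain no L character and must start and
    #    end with an R/AL character.
    bidi = [unicodedata.bidirectional(ch) for ch in out]
    has_ral = any(b in ("R", "AL") for b in bidi)
    has_l = any(b == "L" for b in bidi)
    if has_ral and (has_l or bidi[0] not in ("R", "AL")
                    or bidi[-1] not in ("R", "AL")):
        raise SaslprepError("bidirectional requirement violated")
    return out


def is_acceptable(password, allow_unassigned=False):
    """True if saslprep() accepts the password under the given AU setting."""
    try:
        saslprep(password, allow_unassigned)
        return True
    except SaslprepError:
        return False


if __name__ == "__main__":
    # Constructed sample: 'p' + U+0378 (unassigned) + 'w'.
    pw = "p\u0378w"
    print("server (AU cleared):", is_acceptable(pw))        # False
    print("query  (AU set):    ", is_acceptable(pw, True))  # True
```

The sample password "p\u0378w" is accepted only when the AllowUnassigned bit is set, which is exactly the difference the text is about: a server that clears the bit will fail to authenticate such a password even if the external database holds it verbatim. GNU SASL's own entry point for this is gsasl_saslprep(), whose flags argument takes GSASL_ALLOW_UNASSIGNED.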