| < draft-ietf-precis-saslprepbis-05.txt | draft-ietf-precis-saslprepbis-06.txt > | |||
|---|---|---|---|---|
| PRECIS P. Saint-Andre | PRECIS P. Saint-Andre | |||
| Internet-Draft Cisco Systems, Inc. | Internet-Draft Cisco Systems, Inc. | |||
| Obsoletes: 4013 (if approved) A. Melnikov | Obsoletes: 4013 (if approved) A. Melnikov | |||
| Intended status: Standards Track Isode Ltd | Intended status: Standards Track Isode Ltd | |||
| Expires: April 21, 2014 October 18, 2013 | Expires: June 6, 2014 December 3, 2013 | |||
| Preparation and Comparison of Internationalized Strings Representing | Preparation and Comparison of Internationalized Strings Representing | |||
| Usernames and Passwords | Usernames and Passwords | |||
| draft-ietf-precis-saslprepbis-05 | draft-ietf-precis-saslprepbis-06 | |||
| Abstract | Abstract | |||
| This document describes methods for handling Unicode strings | This document describes methods for handling Unicode strings | |||
| representing usernames and passwords. This document obsoletes RFC | representing usernames and passwords. This document obsoletes RFC | |||
| 4013. | 4013. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 21, 2014. | This Internet-Draft will expire on June 6, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 14 ¶ | skipping to change at page 2, line 14 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. What the Username and Password Profiles Provide . . . . . . . 3 | 2. What the Username and Password Profiles Provide . . . . . . . 3 | |||
| 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Usernames . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 4. Usernames . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4.1. Definition . . . . . . . . . . . . . . . . . . . . . . . . 4 | 4.1. Definition . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4.2. Preparation . . . . . . . . . . . . . . . . . . . . . . . 5 | 4.2. Preparation . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.2.1. Case Mapping . . . . . . . . . . . . . . . . . . . . . 6 | 4.2.1. Case Mapping . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5. Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 4.3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 5.1. Definition . . . . . . . . . . . . . . . . . . . . . . . . 7 | 5. Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.2. Preparation . . . . . . . . . . . . . . . . . . . . . . . 7 | 5.1. Definition . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 6. Migration . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 5.2. Preparation . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 6.1. Usernames . . . . . . . . . . . . . . . . . . . . . . . . 8 | 5.3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 6.2. Passwords . . . . . . . . . . . . . . . . . . . . . . . . 9 | 6. Migration . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 6.1. Usernames . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 7.1. UsernameIdentifierClass . . . . . . . . . . . . . . . . . 10 | 6.2. Passwords . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 7.2. PasswordFreeformClass . . . . . . . . . . . . . . . . . . 11 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | 7.1. UsernameIdentifierClass . . . . . . . . . . . . . . . . . 13 | |||
| 8.1. Password/Passphrase Strength . . . . . . . . . . . . . . . 11 | 7.2. PasswordFreeformClass . . . . . . . . . . . . . . . . . . 14 | |||
| 8.2. Identifier Comparison . . . . . . . . . . . . . . . . . . 11 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | |||
| 8.3. Reuse of PRECIS . . . . . . . . . . . . . . . . . . . . . 12 | 8.1. Password/Passphrase Strength . . . . . . . . . . . . . . . 14 | |||
| 8.4. Reuse of Unicode . . . . . . . . . . . . . . . . . . . . . 12 | 8.2. Identifier Comparison . . . . . . . . . . . . . . . . . . 14 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 8.3. Reuse of PRECIS . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . . 12 | 8.4. Reuse of Unicode . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . . 12 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| Appendix A. Differences from RFC 4013 . . . . . . . . . . . . . . 14 | 9.1. Normative References . . . . . . . . . . . . . . . . . . . 15 | |||
| Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 14 | 9.2. Informative References . . . . . . . . . . . . . . . . . . 15 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 | Appendix A. Differences from RFC 4013 . . . . . . . . . . . . . . 17 | |||
| Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 17 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18 | ||||
| 1. Introduction | 1. Introduction | |||
| Usernames and passwords are widely used for authentication and | Usernames and passwords are widely used for authentication and | |||
| authorization on the Internet, either directly when provided in | authorization on the Internet, either directly when provided in | |||
| plaintext (as in the SASL PLAIN mechanism [RFC4616] or the HTTP Basic | plaintext (as in the SASL PLAIN mechanism [RFC4616] or the HTTP Basic | |||
| scheme [RFC2617]) or indirectly when provided as the input to a | scheme [RFC2617]) or indirectly when provided as the input to a | |||
| cryptographic algorithm such as a hash function (as in the SASL SCRAM | cryptographic algorithm such as a hash function (as in the SASL SCRAM | |||
| mechanism [RFC5802] or the HTTP Digest scheme [RFC2617]). To | mechanism [RFC5802] or the HTTP Digest scheme [RFC2617]). To | |||
| increase the likelihood that the input and comparison of usernames | increase the likelihood that the input and comparison of usernames | |||
| skipping to change at page 7, line 23 ¶ | skipping to change at page 7, line 23 ¶ | |||
| decisions about case mapping can be a matter of deployment | decisions about case mapping can be a matter of deployment | |||
| policy). | policy). | |||
| If the specification for a SASL mechanism, SASL application protocol, | If the specification for a SASL mechanism, SASL application protocol, | |||
| or non-SASL application protocol specifies the handling of case | or non-SASL application protocol specifies the handling of case | |||
| mapping for strings that conform to the UsernameIdentifierClass, it | mapping for strings that conform to the UsernameIdentifierClass, it | |||
| MUST clearly describe whether case mapping is required, recommended, | MUST clearly describe whether case mapping is required, recommended, | |||
| or optional at the level of the protocol itself, implementations | or optional at the level of the protocol itself, implementations | |||
| thereof, or service deployments. | thereof, or service deployments. | |||
| 4.3. Examples | ||||
| The following examples illustrate a small number of usernames that | ||||
| are consistent with the format defined above (note that the | ||||
| characters < and > are used here to delineate the actual usernames | ||||
| and are not part of the username strings). | ||||
| Table 1: A sample of legal usernames | ||||
| +---------------------------------+---------------------------------+ | ||||
| | # | Username | Notes | | ||||
| +---------------------------------+---------------------------------+ | ||||
| | 1 | <juliet> | A userpart only | | ||||
| +---------------------------------+---------------------------------+ | ||||
| | 2 | <fussball@example.com> | A userpart and domainpart | | ||||
| +---------------------------------+---------------------------------+ | ||||
| | 3 | <fußball@example.com> | The third character is LATIN | | ||||
| | | | SMALL LETTER SHARP S (U+00DF) | | ||||
| +---------------------------------+---------------------------------+ | ||||
| | 4 | <π@example.com> | A userpart of GREEK SMALL | | ||||
| | | | LETTER PI (U+03C0) | | ||||
| +---------------------------------+---------------------------------+ | ||||
| | 5 | <Σ@example.com> | A userpart of GREEK CAPITAL | | ||||
| | | | LETTER SIGMA (U+03A3) | | ||||
| +---------------------------------+---------------------------------+ | ||||
| | 6 | <σ@example.com> | A userpart of GREEK SMALL | | ||||
| | | | LETTER SIGMA (U+03C3) | | ||||
| +---------------------------------+---------------------------------+ | ||||
| | 7 | <ς@example.com> | A userpart of GREEK SMALL | | ||||
| | | | LETTER FINAL SIGMA (U+03C2) | | ||||
| +---------------------------------+---------------------------------+ | ||||
| Several points are worth noting. Regarding examples 2 and 3: | |||
| although in German the character eszett (LATIN SMALL LETTER SHARP S, | |||
| U+00DF) can mostly be used interchangeably with the two characters | |||
| "ss", the userparts in these examples are different and (if desired) | ||||
| a server would need to enforce a registration policy that disallows | ||||
| one of them if the other is registered. Regarding examples 5, 6, and | ||||
| 7: optional case-mapping of GREEK CAPITAL LETTER SIGMA (U+03A3) to | ||||
| lowercase (i.e., to GREEK SMALL LETTER SIGMA, U+03C3) during | ||||
| comparison would result in matching the usernames in examples 5 and | ||||
| 6; however, because the PRECIS mapping rules do not account for the | ||||
| special status of GREEK SMALL LETTER FINAL SIGMA (U+03C2), the | ||||
| usernames in examples 5 and 7 or examples 6 and 7 would not be | ||||
| matched. | ||||
| The following examples illustrate strings that are not valid | ||||
| usernames because they violate the format defined above. | ||||
| Table 2: A sample of strings that violate the username rules | ||||
| +---------------------------------+---------------------------------+ | ||||
| | # | Non-Username string | Notes | | ||||
| +---------------------------------+---------------------------------+ | ||||
| | 8 | <"juliet"@example.com> | Quotation marks (U+0022) in | | ||||
| | | | userpart | | ||||
| +---------------------------------+---------------------------------+ | ||||
| | 9 | <foo bar@example.com> | Space (U+0020) in userpart | | ||||
| +---------------------------------+---------------------------------+ | ||||
| | 10| <@example.com> | Zero-length userpart | | ||||
| +---------------------------------+---------------------------------+ | ||||
| | 11| <henryⅣ@example.com> | The sixth character is ROMAN | | ||||
| | | | NUMERAL FOUR (U+2163) | | ||||
| +---------------------------------+---------------------------------+ | ||||
| | 12| <♚@example.com> | A userpart of BLACK CHESS KING | | |||
| | | | (U+265A) | | ||||
| +---------------------------------+---------------------------------+ | ||||
| Here again, several points are worth noting. Regarding example 11, | ||||
| the Unicode character ROMAN NUMERAL FOUR (U+2163) has a compatibility | ||||
| equivalent of the string formed of LATIN CAPITAL LETTER I (U+0049) | ||||
| and LATIN CAPITAL LETTER V (U+0056), but characters with | ||||
| compatibility equivalents are not allowed in the PRECIS | ||||
| IdentifierClass. Regarding example 12: symbol characters such as | |||
| BLACK CHESS KING (U+265A) are not allowed in the PRECIS | ||||
| IdentifierClass. | ||||
| 5. Passwords | 5. Passwords | |||
| 5.1. Definition | 5.1. Definition | |||
| This document specifies that a password is a string of Unicode code | This document specifies that a password is a string of Unicode code | |||
| points [UNICODE], encoded using UTF-8 [RFC3629], and conformant to | points [UNICODE], encoded using UTF-8 [RFC3629], and conformant to | |||
| the PRECIS FreeformClass. | the PRECIS FreeformClass. | |||
| The syntax for a password is defined as follows using the Augmented | The syntax for a password is defined as follows using the Augmented | |||
| Backus-Naur Form (ABNF) [RFC5234]. | Backus-Naur Form (ABNF) [RFC5234]. | |||
| skipping to change at page 8, line 37 ¶ | skipping to change at page 10, line 45 ¶ | |||
| the way that non-secret strings like domain names and usernames are. | the way that non-secret strings like domain names and usernames are. | |||
| A password MUST NOT be zero bytes in length. This rule is to be | A password MUST NOT be zero bytes in length. This rule is to be | |||
| enforced after any normalization and mapping of code points. | enforced after any normalization and mapping of code points. | |||
| In protocols that provide passwords as input to a cryptographic | In protocols that provide passwords as input to a cryptographic | |||
| algorithm such as a hash function, the client will need to perform | algorithm such as a hash function, the client will need to perform | |||
| proper preparation of the password before applying the algorithm, | proper preparation of the password before applying the algorithm, | |||
| since the password is not available to the server in plaintext form. | since the password is not available to the server in plaintext form. | |||
| 5.3. Examples | ||||
| The following examples illustrate a small number of passwords that | ||||
| are consistent with the format defined above (note that the | ||||
| characters < and > are used here to delineate the actual passwords | ||||
| and are not part of the password strings). | |||
| Table 3: A sample of legal passwords | ||||
| +------------------------------------+------------------------------+ | ||||
| | # | Password | Notes | | ||||
| +------------------------------------+------------------------------+ | ||||
| | 13| <correct horse battery staple> | ASCII space is allowed | | ||||
| +------------------------------------+------------------------------+ | ||||
| | 14| <Correct Horse Battery Staple> | | | ||||
| +------------------------------------+------------------------------+ | ||||
| | 15| <πßå> | Non-ASCII letters are OK | | ||||
| | | | (e.g., GREEK SMALL LETTER | | ||||
| | | | PI, U+03C0) | | ||||
| +------------------------------------+------------------------------+ | ||||
| | 16| <Jack of ♦s> | Symbols are OK (e.g., BLACK | | ||||
| | | | DIAMOND SUIT, U+2666) | | ||||
| +------------------------------------+------------------------------+ | ||||
| The following examples illustrate strings that are not valid | ||||
| passwords because they violate the format defined above. | ||||
| Table 4: A sample of strings that violate the password rules | ||||
| +------------------------------------+------------------------------+ | ||||
| | # | Password | Notes | | ||||
| +------------------------------------+------------------------------+ | ||||
| | 17| <foo bar> | Non-ASCII space (here, OGHAM | | ||||
| | | | SPACE MARK, U+1680) is not | | ||||
| | | | allowed | | ||||
| +------------------------------------+------------------------------+ | ||||
| | 18| <my cat is a 	by> | Controls are disallowed | | ||||
| +------------------------------------+------------------------------+ | ||||
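As an added illustration that is not part of the draft, the following Python sketch applies the code point rules behind Tables 1 through 4 and the case-mapped comparison discussed after Table 1, classifying each code point with unicodedata in the PRECIS framework's check order. It omits the framework's exception lists and contextual rules, does not reproduce the username ABNF of Section 4.1 or the normalization step of Section 5.2 (neither appears in this excerpt) and so does not cover example 8, and it treats non-ASCII spaces in passwords as disallowed, as this draft's Table 4 states.

```python
import unicodedata

ASCII7 = {chr(c) for c in range(0x21, 0x7F)}   # printable ASCII except space
GC_CATEGORY = {   # Unicode general category -> PRECIS category (tail of the check order)
    **dict.fromkeys(["Ll", "Lu", "Lo", "Nd", "Lm", "Mn", "Mc"], "LetterDigits"),
    **dict.fromkeys(["Lt", "Nl", "No", "Me"], "OtherLetterDigits"),
    **dict.fromkeys(["Sm", "Sc", "Sk", "So"], "Symbols"),
    **dict.fromkeys(["Pc", "Pd", "Ps", "Pe", "Pi", "Pf", "Po"], "Punctuation"),
    "Zs": "Spaces",
}
IDENTIFIER_VALID = {"ASCII7", "LetterDigits"}
# Assumption: following this draft's Table 4, non-ASCII spaces are rejected in
# passwords, so "Spaces" is absent here and check_password() admits only U+0020.
FREEFORM_VALID = {"ASCII7", "LetterDigits", "OtherLetterDigits",
                  "Symbols", "Punctuation", "HasCompat"}

def precis_category(cp):
    """Classify one code point in the framework's check order; the Exceptions,
    BackwardCompatible, JoinControl, OldHangulJamo and ignorable lists are omitted."""
    gc = unicodedata.category(cp)
    if gc == "Cn":
        return "Unassigned"
    if cp in ASCII7:
        return "ASCII7"
    if gc == "Cc":
        return "Controls"
    if unicodedata.normalize("NFKC", cp) != cp:
        return "HasCompat"   # ROMAN NUMERAL FOUR -> "IV"; SHARP S is NFKC-stable
    return GC_CATEGORY.get(gc, "Disallowed")

def first_disallowed(s, valid, literal_ok=""):
    """(offset, 'U+XXXX', category) of the first code point outside `valid`, else None."""
    for i, cp in enumerate(s):
        cat = precis_category(cp)
        if cp not in literal_ok and cat not in valid:
            return (i, "U+%04X" % ord(cp), cat)
    return None

def check_username(username):
    """None if the userpart meets the Table 1/2 rules, else the reason. A
    domainpart, if present, is left to the IDNA rules and not checked here."""
    userpart = username.partition("@")[0]
    if not userpart:
        return "Zero-length userpart"
    bad = first_disallowed(userpart, IDENTIFIER_VALID)
    return bad and "%s at offset %d is %s, disallowed in IdentifierClass" % (bad[1], bad[0], bad[2])

def check_password(password):
    """None if the password meets the Table 3/4 rules, else the reason."""
    if not password:
        return "Zero-length password"
    bad = first_disallowed(password, FREEFORM_VALID, literal_ok=" ")
    return bad and "%s at offset %d is %s, disallowed in a password" % (bad[1], bad[0], bad[2])

def usernames_match(a, b, case_map=False):
    """Code point comparison; with case_map=True the userparts are lowercased
    first (the optional case mapping of Section 4.2.1)."""
    ua, sa, da = a.partition("@")
    ub, sb, db = b.partition("@")
    if case_map:
        ua, ub = ua.lower(), ub.lower()
    return (ua, sa, da) == (ub, sb, db)
```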
| 6. Migration | 6. Migration | |||
| The rules defined in this specification differ slightly from those | The rules defined in this specification differ slightly from those | |||
| defined by the SASLprep specification [RFC4013]. The following | defined by the SASLprep specification [RFC4013]. The following | |||
| sections describe these differences, along with their implications | sections describe these differences, along with their implications | |||
| for migration, in more detail. | for migration, in more detail. | |||
| 6.1. Usernames | 6.1. Usernames | |||
| Deployments that currently use SASLprep for handling usernames might | Deployments that currently use SASLprep for handling usernames might | |||
| skipping to change at page 12, line 27 ¶ | skipping to change at page 15, line 27 ¶ | |||
| The security considerations described in [UTS39] apply to the use of | The security considerations described in [UTS39] apply to the use of | |||
| Unicode characters in usernames and passwords. | Unicode characters in usernames and passwords. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [I-D.ietf-precis-framework] | [I-D.ietf-precis-framework] | |||
| Saint-Andre, P. and M. Blanchet, "Precis Framework: | Saint-Andre, P. and M. Blanchet, "Precis Framework: | |||
| Handling Internationalized Strings in Protocols", | Handling Internationalized Strings in Protocols", | |||
| draft-ietf-precis-framework-10 (work in progress), | draft-ietf-precis-framework-12 (work in progress), | |||
| October 2013. | November 2013. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | |||
| 10646", STD 63, RFC 3629, November 2003. | 10646", STD 63, RFC 3629, November 2003. | |||
| [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax | [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax | |||
| Specifications: ABNF", STD 68, RFC 5234, January 2008. | Specifications: ABNF", STD 68, RFC 5234, January 2008. | |||
| [UNICODE] The Unicode Consortium, "The Unicode Standard, Version | [UNICODE] The Unicode Consortium, "The Unicode Standard, Version | |||
| 6.1", 2012, | 6.1", 2012, | |||
| <http://www.unicode.org/versions/Unicode6.1.0/>. | <http://www.unicode.org/versions/Unicode6.1.0/>. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [I-D.ietf-precis-mappings] | [I-D.ietf-precis-mappings] | |||
| Yoneya, Y. and T. NEMOTO, "Mapping characters for PRECIS | Yoneya, Y. and T. NEMOTO, "Mapping characters for PRECIS | |||
| classes", draft-ietf-precis-mappings-04 (work in | classes", draft-ietf-precis-mappings-05 (work in | |||
| progress), October 2013. | progress), October 2013. | |||
| [RFC20] Cerf, V., "ASCII format for network interchange", RFC 20, | [RFC20] Cerf, V., "ASCII format for network interchange", RFC 20, | |||
| October 1969. | October 1969. | |||
| [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | |||
| Leach, P., Luotonen, A., and L. Stewart, "HTTP | Leach, P., Luotonen, A., and L. Stewart, "HTTP | |||
| Authentication: Basic and Digest Access Authentication", | Authentication: Basic and Digest Access Authentication", | |||
| RFC 2617, June 1999. | RFC 2617, June 1999. | |||