| < draft-ietf-precis-saslprepbis-08.txt | draft-ietf-precis-saslprepbis-09.txt > | |||
|---|---|---|---|---|
| PRECIS P. Saint-Andre | PRECIS P. Saint-Andre | |||
| Internet-Draft &yet | Internet-Draft &yet | |||
| Obsoletes: 4013 (if approved) A. Melnikov | Obsoletes: 4013 (if approved) A. Melnikov | |||
| Intended status: Standards Track Isode Ltd | Intended status: Standards Track Isode Ltd | |||
| Expires: April 13, 2015 October 10, 2014 | Expires: April 26, 2015 October 23, 2014 | |||
| Preparation and Comparison of Internationalized Strings Representing | Preparation, Enforcement, and Comparison of Internationalized Strings | |||
| Usernames and Passwords | Representing Usernames and Passwords | |||
| draft-ietf-precis-saslprepbis-08 | draft-ietf-precis-saslprepbis-09 | |||
| Abstract | Abstract | |||
| This document describes methods for handling Unicode strings | This document describes methods for handling Unicode strings | |||
| representing usernames and passwords. This document obsoletes RFC | representing usernames and passwords. This document obsoletes RFC | |||
| 4013. | 4013. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 13, 2015. | This Internet-Draft will expire on April 26, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Preparation, Comparison, and Enforcement . . . . . . . . . . 4 | 3. Usernames . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Usernames . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 3.1. Definition . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4.1. Definition . . . . . . . . . . . . . . . . . . . . . . . 5 | 3.2. Preparation . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.2. Preparation . . . . . . . . . . . . . . . . . . . . . . . 6 | 3.3. Enforcement . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.3. Enforcement . . . . . . . . . . . . . . . . . . . . . . . 6 | 3.4. Comparison . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.4. Comparison . . . . . . . . . . . . . . . . . . . . . . . 6 | 3.5. Case Mapping . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.5. Case Mapping . . . . . . . . . . . . . . . . . . . . . . 7 | 3.6. Application-Layer Constructs . . . . . . . . . . . . . . 7 | |||
| 4.6. Examples . . . . . . . . . . . . . . . . . . . . . . . . 8 | 3.7. Examples . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 5. Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 4. Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.1. Definition . . . . . . . . . . . . . . . . . . . . . . . 9 | 4.1. Definition . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.2. Preparation . . . . . . . . . . . . . . . . . . . . . . . 10 | 4.2. Preparation . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.3. Enforcement . . . . . . . . . . . . . . . . . . . . . . . 10 | 4.3. Enforcement . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.4. Comparison . . . . . . . . . . . . . . . . . . . . . . . 11 | 4.4. Comparison . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 5.5. Examples . . . . . . . . . . . . . . . . . . . . . . . . 11 | 4.5. Examples . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 6. Migration . . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 5. Migration . . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 6.1. Usernames . . . . . . . . . . . . . . . . . . . . . . . . 12 | 5.1. Usernames . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 6.2. Passwords . . . . . . . . . . . . . . . . . . . . . . . . 13 | 5.2. Passwords . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.1. UsernameIdentifierClass . . . . . . . . . . . . . . . . . 14 | 6.1. UsernameIdentifierClass . . . . . . . . . . . . . . . . . 14 | |||
| 7.2. PasswordFreeformClass . . . . . . . . . . . . . . . . . . 15 | 6.2. PasswordFreeformClass . . . . . . . . . . . . . . . . . . 15 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 16 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 15 | |||
| 8.1. Password/Passphrase Strength . . . . . . . . . . . . . . 16 | 7.1. Password/Passphrase Strength . . . . . . . . . . . . . . 15 | |||
| 8.2. Identifier Comparison . . . . . . . . . . . . . . . . . . 16 | 7.2. Identifier Comparison . . . . . . . . . . . . . . . . . . 15 | |||
| 8.3. Reuse of PRECIS . . . . . . . . . . . . . . . . . . . . . 16 | 7.3. Reuse of PRECIS . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 8.4. Reuse of Unicode . . . . . . . . . . . . . . . . . . . . 16 | 7.4. Reuse of Unicode . . . . . . . . . . . . . . . . . . . . 16 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 16 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 16 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 17 | 8.2. Informative References . . . . . . . . . . . . . . . . . 16 | |||
| Appendix A. Differences from RFC 4013 . . . . . . . . . . . . . 18 | Appendix A. Differences from RFC 4013 . . . . . . . . . . . . . 18 | |||
| Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 19 | Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 18 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 1. Introduction | 1. Introduction | |||
| Usernames and passwords are widely used for authentication and | Usernames and passwords are widely used for authentication and | |||
| authorization on the Internet, either directly when provided in | authorization on the Internet, either directly when provided in | |||
| plaintext (as in the SASL PLAIN mechanism [RFC4616] or the HTTP Basic | plaintext (as in the SASL PLAIN mechanism [RFC4616] or the HTTP Basic | |||
| scheme [RFC2617]) or indirectly when provided as the input to a | scheme [RFC2617]) or indirectly when provided as the input to a | |||
| cryptographic algorithm such as a hash function (as in the SASL SCRAM | cryptographic algorithm such as a hash function (as in the SASL SCRAM | |||
| mechanism [RFC5802] or the HTTP Digest scheme [RFC2617]). | mechanism [RFC5802] or the HTTP Digest scheme [RFC2617]). | |||
| skipping to change at page 4, line 26 ¶ | skipping to change at page 4, line 26 ¶ | |||
| username in any particular SASL mechanism or application technology | username in any particular SASL mechanism or application technology | |||
| is a matter for implementation and deployment, and that a username | is a matter for implementation and deployment, and that a username | |||
| does not necessarily map to any particular application identifier | does not necessarily map to any particular application identifier | |||
| (such as the localpart of an email address). | (such as the localpart of an email address). | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| [RFC2119]. | [RFC2119]. | |||
| 3. Preparation, Comparison, and Enforcement | 3. Usernames | |||
| This document distinguishes between three different actions that an | ||||
| entity can take in handling a username or password: | ||||
| o Enforcement entails applying all of the rules specified for a | ||||
| particular profile (UsernameIdentifierClass or | ||||
| PasswordFreeformClass) to an individual string. | ||||
| o Comparison entails applying all of the rules specified for a | ||||
| particular profile to two separate strings, for the purpose of | ||||
| determining if the two strings are equivalent. | ||||
| o Preparation entails only ensuring that the characters in an | ||||
| individual string are allowed by the underlying PRECIS base class | ||||
| (IdentifierClass or FreeformClass). | ||||
| In most cases, "servers" are responsible for enforcement and | ||||
| "clients" are responsible only for preparation. Although some | ||||
| information regarding these responsibilities (e.g., the protocol | ||||
| slots in which usernames or passwords can be placed) needs to be | ||||
| provided in specifications that use the profiles defined in this | ||||
| document, the general outlines of such responsibilities are explained | ||||
| in the following sections. | ||||
| 4. Usernames | Detailed rules for the preparation, enforcement, and comparision of | |||
| usernames are provided in the following sections (on the distinction | ||||
| between these actions, refer to [I-D.ietf-precis-framework]). | ||||
| 4.1. Definition | 3.1. Definition | |||
| This document specifies that a username is a string of Unicode code | This document specifies that a username is a string of Unicode code | |||
| points [UNICODE], encoded using UTF-8 [RFC3629], and structured | points [UNICODE], encoded using UTF-8 [RFC3629], and structured | |||
| either as an ordered sequence of "userparts" (where the complete | either as an ordered sequence of "userparts" (where the complete | |||
| username can consist of a single userpart or a space-separated | username can consist of a single userpart or a space-separated | |||
| sequence of userparts) or as a userpart@domainpart (where the | sequence of userparts) or as a userpart@domainpart (where the | |||
| domainpart is an IP literal, an IPv4 address, or a fully-qualified | domainpart is an IP literal, an IPv4 address, or a fully-qualified | |||
| domain name). | domain name). | |||
| The syntax for a username is defined as follows using the Augmented | The syntax for a username is defined as follows using the Augmented | |||
| Backus-Naur Form (ABNF) [RFC5234]. | Backus-Naur Form (ABNF) [RFC5234]. | |||
| username = userpart [1*(1*SP userpart)] | username = userpart [1*(1*SP userpart)] | |||
| / userpart '@' domainpart | userpart = 1*(idbyte) | |||
| userpart = 1*(idpoint) | ||||
| ; | ||||
| ; an "idpoint" is a UTF-8 encoded Unicode code point | ||||
| ; that conforms to the PRECIS "IdentifierClass" | ||||
| ; | ||||
| domainpart = IP-literal / IPv4address / ifqdn | ||||
| ; | ||||
| ; the "IPv4address" and "IP-literal" rules are | ||||
| ; defined in RFC 3986, and the first-match-wins | ||||
| ; (a.k.a. "greedy") algorithm described in RFC 3986 | ||||
| ; applies | ||||
| ; | ||||
| ; reuse of the IP-literal rule from RFC 3986 implies | ||||
| ; that IPv6 addresses are enclosed in square brackets | ||||
| ; (i.e., beginning with '[' and ending with ']') | ||||
| ; | ||||
| ifqdn = 1*1023(domainpoint) | ||||
| ; | ; | |||
| ; a "domainpoint" is a UTF-8 encoded Unicode code | ; an "idbyte" is a byte used to represent a | |||
| ; point that conforms to RFC 5890 | ; UTF-8 encoded Unicode code point that can be | |||
| ; contained in a string that conforms to the | ||||
| ; PRECIS "IdentifierClass" | ||||
| ; | ; | |||
| All code points and blocks not explicitly allowed in the PRECIS | All code points and blocks not explicitly allowed in the PRECIS | |||
| IdentifierClass are disallowed; this includes private use characters, | IdentifierClass are disallowed; this includes private use characters, | |||
| surrogate code points, and the other code points and blocks that were | surrogate code points, and the other code points and blocks that were | |||
| defined as "Prohibited Output" in [RFC4013]. In addition, common | defined as "Prohibited Output" in [RFC4013]. In addition, common | |||
| constructions such as "user@example.com" are allowed as usernames | constructions such as "user@example.com" are allowed as usernames | |||
| under this specification, as they were under [RFC4013]. | under this specification, as they were under [RFC4013]. | |||
| Implementation Note: The username construct defined in this | Implementation Note: The username construct defined in this | |||
| skipping to change at page 6, line 16 ¶ | skipping to change at page 5, line 26 ¶ | |||
| existing SASL mechanisms and SASL-using application protocols, and | existing SASL mechanisms and SASL-using application protocols, and | |||
| even in most application protocols that do not currently use SASL. | even in most application protocols that do not currently use SASL. | |||
| A username MUST NOT be zero bytes in length. This rule is to be | A username MUST NOT be zero bytes in length. This rule is to be | |||
| enforced after any normalization and mapping of code points. | enforced after any normalization and mapping of code points. | |||
| In protocols that provide usernames as input to a cryptographic | In protocols that provide usernames as input to a cryptographic | |||
| algorithm such as a hash function, the client will need to perform | algorithm such as a hash function, the client will need to perform | |||
| proper preparation of the username before applying the algorithm. | proper preparation of the username before applying the algorithm. | |||
| 4.2. Preparation | 3.2. Preparation | |||
| An entity that prepares a string for inclusion in a username slot | An entity that prepares a string for inclusion in a username slot | |||
| MUST ensure that the string consists only of Unicode code points that | MUST ensure that the string consists only of Unicode code points that | |||
| conform to the "IdentifierClass" base string class defined in | conform to the "IdentifierClass" base string class defined in | |||
| [I-D.ietf-precis-framework]. In addition, the string MUST be encoded | [I-D.ietf-precis-framework]. In addition, the string MUST be encoded | |||
| as UTF-8 [RFC3629]. | as UTF-8 [RFC3629]. | |||
| 4.3. Enforcement | 3.3. Enforcement | |||
| An entity that performs enforcement in username slots MUST prepare a | An entity that performs enforcement in username slots MUST prepare a | |||
| string as described in the previous section and MUST also apply the | string as described in the previous section and MUST also apply the | |||
| rules specified below for the UsernameIdentifierClass profile (these | rules specified below for the UsernameIdentifierClass profile (these | |||
| rules MUST be applied in the order shown). | rules MUST be applied in the order shown). | |||
| 1. Width Mapping Rule: Fullwidth and halfwidth characters MUST be | 1. Width Mapping Rule: Fullwidth and halfwidth characters MUST be | |||
| mapped to their decomposition mappings. | mapped to their decomposition mappings. | |||
| 2. Additional Mapping Rule: There is no additional mapping rule. | 2. Additional Mapping Rule: There is no additional mapping rule. | |||
| 3. Case Mapping Rule: There is no case mapping rule (although see | 3. Case Mapping Rule: There is no case mapping rule (although see | |||
| Section 4.5 below). | Section 3.5 below). | |||
| 4. Normalization Rule: Unicode Normalization Form C (NFC) MUST be | 4. Normalization Rule: Unicode Normalization Form C (NFC) MUST be | |||
| applied to all characters. | applied to all characters. | |||
| 5. Exclusion Rule: There is no exclusion rule. | 5. Exclusion Rule: There is no exclusion rule. | |||
| 6. Directionality Rule: The "Bidi Rule" provided in [RFC5893] | 6. Directionaity Rule: Applications MUST apply the "Bidi Rule" | |||
| applies. | defined in [RFC5893] (i.e., each of the six conditions of the | |||
| Bidi Rule must be satisfied). | ||||
| 4.4. Comparison | 3.4. Comparison | |||
| An entity that performs comparison of two strings before or after | An entity that performs comparison of two strings before or after | |||
| their inclusion in username slots MUST prepare each string and | their inclusion in username slots MUST prepare each string and | |||
| enforce the rules specified in the previous two sections. The two | enforce the rules specified in the previous two sections. The two | |||
| strings are to be considered equivalent if they are an exact octet- | strings are to be considered equivalent if they are an exact octet- | |||
| for-octet match (sometimes called "bit-string identity"). | for-octet match (sometimes called "bit-string identity"). | |||
| 4.5. Case Mapping | 3.5. Case Mapping | |||
| Case mapping is a matter for the application protocol, protocol | Case mapping is a matter for the application protocol, protocol | |||
| implementation, or end deployment. In general, this document | implementation, or end deployment. In general, this document | |||
| suggests that it is preferable to perform case mapping, since not | suggests that it is preferable to perform case mapping, since not | |||
| doing so can lead to false positives during authentication and | doing so can lead to false positives during authentication and | |||
| authorization (as described in [RFC6943]) and can result in confusion | authorization (as described in [RFC6943]) and can result in confusion | |||
| among end users given the prevalence of case mapping in many existing | among end users given the prevalence of case mapping in many existing | |||
| protocols and applications. However, there can be good reasons to | protocols and applications. However, there can be good reasons to | |||
| not perform case mapping, such as backward compatibility with | not perform case mapping, such as backward compatibility with | |||
| deployed infrastructure. | deployed infrastructure. | |||
| skipping to change at page 8, line 12 ¶ | skipping to change at page 7, line 23 ¶ | |||
| decisions about case mapping can be a matter of deployment | decisions about case mapping can be a matter of deployment | |||
| policy). | policy). | |||
| If the specification for a SASL mechanism, SASL application protocol, | If the specification for a SASL mechanism, SASL application protocol, | |||
| or non-SASL application protocol specifies the handling of case | or non-SASL application protocol specifies the handling of case | |||
| mapping for strings that conform to the UsernameIdentifierClass, it | mapping for strings that conform to the UsernameIdentifierClass, it | |||
| MUST clearly describe whether case mapping is required, recommended, | MUST clearly describe whether case mapping is required, recommended, | |||
| or optional at the level of the protocol itself, implementations | or optional at the level of the protocol itself, implementations | |||
| thereof, or service deployments. | thereof, or service deployments. | |||
| 4.6. Examples | 3.6. Application-Layer Constructs | |||
| The following examples illustrate a small number of usernames that | The username rule allows an application protocol, implementation, or | |||
| are consistent with the format defined above (note that the | deployment to create application-layer constructs such as | |||
| characters < and > are used here to delineate the actual usernames | "user@domain" or "Firstname Middlename Lastname" (e.g., because the | |||
| and are not part of the username strings). | PRECIS IdentifierClass allows any ASCII7 character, because spaces | |||
| can be used to separate userpart instances, and because domain names | ||||
| as specified in [RFC5890] and [RFC5892] are a subset of the PRECIS | ||||
| IdentifierClass). | ||||
| Table 1: A sample of legal usernames | 3.7. Examples | |||
| +---------------------------------+---------------------------------+ | The following examples illustrate a small number of userparts (not | |||
| | # | Username | Notes | | usernames) that are consistent with the format defined above (note | |||
| +---------------------------------+---------------------------------+ | that the characters < and > are used here to delineate the actual | |||
| | 1 | <juliet> | A userpart only | | userparts and are not part of the userpart strings). | |||
| +---------------------------------+---------------------------------+ | ||||
| | 2 | <fussball@example.com> | A userpart and domainpart | | Table 1: A sample of legal userparts | |||
| +---------------------------------+---------------------------------+ | ||||
| | 3 | <fußball@example.com> | The third character is LATIN | | +--------------------------+---------------------------------+ | |||
| | | | SMALL LETTER SHARP S (U+00DF) | | | # | Userpart | Notes | | |||
| +---------------------------------+---------------------------------+ | +--------------------------+---------------------------------+ | |||
| | 4 | <π@example.com> | A userpart of GREEK SMALL | | | 1 | <juliet@example.com> | The at-sign is allowed in the | | |||
| | | | LETTER PI (U+03C0) | | | | | PRECIS IdentifierClass | | |||
| +---------------------------------+---------------------------------+ | +--------------------------+---------------------------------+ | |||
| | 5 | <Σ@example.com> | A userpart of GREEK CAPITAL | | | 2 | <fussball> | | | |||
| | | | LETTER SIGMA (U+03A3) | | +--------------------------+---------------------------------+ | |||
| +---------------------------------+---------------------------------+ | | 3 | <fußball> | The third character is LATIN | | |||
| | 6 | <σ@example.com> | A userpart of GREEK SMALL | | | | | SMALL LETTER SHARP S (U+00DF) | | |||
| | | | LETTER SIGMA (U+03C3) | | +--------------------------+---------------------------------+ | |||
| +---------------------------------+---------------------------------+ | | 4 | <π> | A userpart of GREEK SMALL | | |||
| | 7 | <ς@example.com> | A userpart of GREEK SMALL | | | | | LETTER PI (U+03C0) | | |||
| | | | LETTER FINAL SIGMA (U+03C2) | | +--------------------------+---------------------------------+ | |||
| +---------------------------------+---------------------------------+ | | 5 | <Σ> | A userpart of GREEK CAPITAL | | |||
| | | | LETTER SIGMA (U+03A3) | | ||||
| +--------------------------+---------------------------------+ | ||||
| | 6 | <σ> | A userpart of GREEK SMALL | | ||||
| | | | LETTER SIGMA (U+03C3) | | ||||
| +--------------------------+---------------------------------+ | ||||
| | 7 | <ς> | A userpart of GREEK SMALL | | ||||
| | | | LETTER FINAL SIGMA (U+03C2) | | ||||
| +--------------------------+---------------------------------+ | ||||
| Several points are worth noting. Regarding examples 2 and 3: | Several points are worth noting. Regarding examples 2 and 3: | |||
| although in German the character esszett (LATIN SMALL LETTER SHARP S, | although in German the character esszett (LATIN SMALL LETTER SHARP S, | |||
| U+00DF) can mostly be used interchangeably with the two characters | U+00DF) can mostly be used interchangeably with the two characters | |||
| "ss", the userparts in these examples are different and (if desired) | "ss", the userparts in these examples are different and (if desired) | |||
| a server would need to enforce a registration policy that disallows | a server would need to enforce a registration policy that disallows | |||
| one of them if the other is registered. Regarding examples 5, 6, and | one of them if the other is registered. Regarding examples 5, 6, and | |||
| 7: optional case-mapping of GREEK CAPITAL LETTER SIGMA (U+03A3) to | 7: optional case-mapping of GREEK CAPITAL LETTER SIGMA (U+03A3) to | |||
| lowercase (i.e., to GREEK SMALL LETTER SIGMA, U+03C3) during | lowercase (i.e., to GREEK SMALL LETTER SIGMA, U+03C3) during | |||
| comparison would result in matching the usernames in examples 5 and | comparison would result in matching the userparts in examples 5 and | |||
| 6; however, because the PRECIS mapping rules do not account for the | 6; however, because the PRECIS mapping rules do not account for the | |||
| special status of GREEK SMALL LETTER FINAL SIGMA (U+03C2), the | special status of GREEK SMALL LETTER FINAL SIGMA (U+03C2), the | |||
| usernames in examples 5 and 7 or examples 6 and 7 would not be | userparts in examples 5 and 7 or examples 6 and 7 would not be | |||
| matched. | matched. | |||
| The following examples illustrate strings that are not valid | The following examples illustrate strings that are not valid | |||
| usernames because they violate the format defined above. | userparts (not usernames) because they violate the format defined | |||
| above. | ||||
| Table 2: A sample of strings that violate the username rules | Table 2: A sample of strings that violate the userpart rule | |||
| +---------------------------------+---------------------------------+ | +--------------------------+---------------------------------+ | |||
| | # | Non-Username string | Notes | | | # | Non-Userpart string | Notes | | |||
| +---------------------------------+---------------------------------+ | +--------------------------+---------------------------------+ | |||
| | 8 | <"juliet"@example.com> | Quotation marks (U+0022) in | | | 8 | <foo bar> | Space (U+0020) is disallowed in | | |||
| | | | userpart | | | | | the userpart | | |||
| +---------------------------------+---------------------------------+ | +--------------------------+---------------------------------+ | |||
| | 9 | <foo bar@example.com> | Space (U+0020) in userpart | | | 9 | <> | Zero-length userpart | | |||
| +---------------------------------+---------------------------------+ | +--------------------------+---------------------------------+ | |||
| | 10| <@example.com> | Zero-length userpart | | | 10| <henryⅣ> | The sixth character is ROMAN | | |||
| +---------------------------------+---------------------------------+ | | | | NUMERAL FOUR (U+2163) | | |||
| | 11| <henryⅣ@example.com> | The sixth character is ROMAN | | +--------------------------+---------------------------------+ | |||
| | | | NUMERAL FOUR (U+2163) | | | 11| <♚> | A localpart of BLACK CHESS KING | | |||
| +---------------------------------+---------------------------------+ | | | | (U+265A) | | |||
| | 12| <♚@example.com> | A localpart of BLACK CHESS KING | | +--------------------------+---------------------------------+ | |||
| | | | (U+265A) | | ||||
| +---------------------------------+---------------------------------+ | ||||
| Here again, several points are worth noting. Regarding example 11, | Here again, several points are worth noting. Regarding example 10, | |||
| the Unicode character ROMAN NUMERAL FOUR (U+2163) has a compatibility | the Unicode character ROMAN NUMERAL FOUR (U+2163) has a compatibility | |||
| equivalent of the string formed of LATIN CAPITAL LETTER I (U+0049) | equivalent of the string formed of LATIN CAPITAL LETTER I (U+0049) | |||
| and LATIN CAPITAL LETTER V (U+0056), but characters with | and LATIN CAPITAL LETTER V (U+0056), but characters with | |||
| compatibility equivalents are not allowed in the PRECIS | compatibility equivalents are not allowed in the PRECIS | |||
| IdentiferClass. Regarding example 12: symbol characters such as | IdentiferClass. Regarding example 11: symbol characters such as | |||
| BLACK CHESS KING (U+265A) are not allowed in the PRECIS | BLACK CHESS KING (U+265A) are not allowed in the PRECIS | |||
| IdentifierClass. | IdentifierClass. | |||
| 5. Passwords | 4. Passwords | |||
| 5.1. Definition | Detailed rules for the preparation, enforcement, and comparision of | |||
| passwords are provided in the following sections (on the distinction | ||||
| between these actions, refer to [I-D.ietf-precis-framework]). | ||||
| 4.1. Definition | ||||
| This document specifies that a password is a string of Unicode code | This document specifies that a password is a string of Unicode code | |||
| points [UNICODE], encoded using UTF-8 [RFC3629], and conformant to | points [UNICODE], encoded using UTF-8 [RFC3629], and conformant to | |||
| the PRECIS FreeformClass. | the PRECIS FreeformClass. | |||
| The syntax for a password is defined as follows using the Augmented | The syntax for a password is defined as follows using the Augmented | |||
| Backus-Naur Form (ABNF) [RFC5234]. | Backus-Naur Form (ABNF) [RFC5234]. | |||
| password = 1*(freepoint) | password = 1*(freepoint) | |||
| ; | ; | |||
| skipping to change at page 10, line 25 ¶ | skipping to change at page 10, line 18 ¶ | |||
| as "Prohibited Output" in Section 2.3 of RFC 4013. | as "Prohibited Output" in Section 2.3 of RFC 4013. | |||
| A password MUST NOT be zero bytes in length. This rule is to be | A password MUST NOT be zero bytes in length. This rule is to be | |||
| enforced after any normalization and mapping of code points. | enforced after any normalization and mapping of code points. | |||
| In protocols that provide passwords as input to a cryptographic | In protocols that provide passwords as input to a cryptographic | |||
| algorithm such as a hash function, the client will need to perform | algorithm such as a hash function, the client will need to perform | |||
| proper preparation of the password before applying the algorithm, | proper preparation of the password before applying the algorithm, | |||
| since the password is not available to the server in plaintext form. | since the password is not available to the server in plaintext form. | |||
| 5.2. Preparation | 4.2. Preparation | |||
| An entity that prepares a string for inclusion in a password slot | An entity that prepares a string for inclusion in a password slot | |||
| MUST ensure that the string consists only of Unicode code points that | MUST ensure that the string consists only of Unicode code points that | |||
| conform to the "FreeformClass" base string class defined in | conform to the "FreeformClass" base string class defined in | |||
| [I-D.ietf-precis-framework]. In addition, the string MUST be encoded | [I-D.ietf-precis-framework]. In addition, the string MUST be encoded | |||
| as UTF-8 [RFC3629]. | as UTF-8 [RFC3629]. | |||
| 5.3. Enforcement | 4.3. Enforcement | |||
| An entity that performs enforcement in password slots MUST prepare a | An entity that performs enforcement in password slots MUST prepare a | |||
| string as described in the previous section and MUST also apply the | string as described in the previous section and MUST also apply the | |||
| rules specified below for the PasswordFreeformClass (these rules MUST | rules specified below for the PasswordFreeformClass (these rules MUST | |||
| be applied in the order shown). | be applied in the order shown). | |||
| 1. Width Mapping Rule: Fullwidth and halfwidth characters MUST NOT | 1. Width Mapping Rule: Fullwidth and halfwidth characters MUST NOT | |||
| be mapped to their decomposition mappings. | be mapped to their decomposition mappings. | |||
| 2. Additional Mapping Rule: Any instances of non-ASCII space MUST be | 2. Additional Mapping Rule: Any instances of non-ASCII space MUST be | |||
| skipping to change at page 11, line 10 ¶ | skipping to change at page 10, line 51 ¶ | |||
| U+3000 IDEOGRAPHIC SPACE). | U+3000 IDEOGRAPHIC SPACE). | |||
| 3. Case Mapping Rule: Uppercase and titlecase characters MUST NOT be | 3. Case Mapping Rule: Uppercase and titlecase characters MUST NOT be | |||
| mapped to their lowercase equivalents. | mapped to their lowercase equivalents. | |||
| 4. Normalization Rule: Unicode Normalization Form C (NFC) MUST be | 4. Normalization Rule: Unicode Normalization Form C (NFC) MUST be | |||
| applied to all characters. | applied to all characters. | |||
| 5. Exclusion Rule: There is no exclusion rule. | 5. Exclusion Rule: There is no exclusion rule. | |||
| 6. Directionality Rule: There is no directionality rule. | 6. Directionality Rule: There is no directionality rule. The "Bidi | |||
| Rule" (defined in [RFC5893]) and similar rules are unnecessary | ||||
| With regard to directionality, the "Bidi Rule" (defined in [RFC5893]) | and inapplicable to passwords, since they can reduce the range of | |||
| and similar rules are unnecessary and inapplicable to passwords, | characters that are allowed in a string and therefore reduce the | |||
| since they can reduce the range of characters that are allowed in a | amount of entropy that is possible in a password. Furthermore, | |||
| string and therefore reduce the amount of entropy that is possible in | such rules are intended to minimize the possibility that the same | |||
| a password. Furthermore, such rules are intended to minimize the | string will be displayed differently on a system set for right- | |||
| possibility that the same string will be displayed differently on a | to-left display and a system set for left-to-right display; | |||
| system set for right-to-left display and a system set for left-to- | however, passwords are typically not displayed at all and are | |||
| right display; however, passwords are typically not displayed at all | rarely meant to be interoperable across different systems in the | |||
| and are rarely meant to be interoperable across different systems in | way that non-secret strings like domain names and usernames are. | |||
| the way that non-secret strings like domain names and usernames are. | ||||
| 5.4. Comparison | 4.4. Comparison | |||
| An entity that performs comparison of two strings before or after | An entity that performs comparison of two strings before or after | |||
| their inclusion in password slots MUST prepare each string and | their inclusion in password slots MUST prepare each string and | |||
| enforce the rules specified in the previous two sections. The two | enforce the rules specified in the previous two sections. The two | |||
| strings are to be considered equivalent if they are an exact octet- | strings are to be considered equivalent if they are an exact octet- | |||
| for-octet match (sometimes called "bit-string identity"). | for-octet match (sometimes called "bit-string identity"). | |||
| 5.5. Examples | 4.5. Examples | |||
| The following examples illustrate a small number of passwords that | The following examples illustrate a small number of passwords that | |||
| are consistent with the format defined above (note that the | are consistent with the format defined above (note that the | |||
| characters < and > are used here to delineate the actual passwords | characters < and > are used here to delineate the actual passwords | |||
| and are not part of the username strings). | and are not part of the username strings). | |||
| Table 3: A sample of legal passwords | Table 3: A sample of legal passwords | |||
| +------------------------------------+------------------------------+ | +------------------------------------+------------------------------+ | |||
| | # | Password | Notes | | | # | Password | Notes | | |||
| skipping to change at page 12, line 37 ¶ | skipping to change at page 12, line 17 ¶ | |||
| +------------------------------------+------------------------------+ | +------------------------------------+------------------------------+ | |||
| | # | Password | Notes | | | # | Password | Notes | | |||
| +------------------------------------+------------------------------+ | +------------------------------------+------------------------------+ | |||
| | 17| <foo bar> | Non-ASCII space (here, OGHAM | | | 17| <foo bar> | Non-ASCII space (here, OGHAM | | |||
| | | | SPACE MARK, U+1680) is not | | | | | SPACE MARK, U+1680) is not | | |||
| | | | allowed | | | | | allowed | | |||
| +------------------------------------+------------------------------+ | +------------------------------------+------------------------------+ | |||
| | 18| <my cat is a 	by> | Controls are disallowed | | | 18| <my cat is a 	by> | Controls are disallowed | | |||
| +------------------------------------+------------------------------+ | +------------------------------------+------------------------------+ | |||
| 6. Migration | 5. Migration | |||
| The rules defined in this specification differ slightly from those | The rules defined in this specification differ slightly from those | |||
| defined by the SASLprep specification [RFC4013]. The following | defined by the SASLprep specification [RFC4013]. The following | |||
| sections describe these differences, along with their implications | sections describe these differences, along with their implications | |||
| for migration, in more detail. | for migration, in more detail. | |||
| 6.1. Usernames | 5.1. Usernames | |||
| Deployments that currently use SASLprep for handling usernames might | Deployments that currently use SASLprep for handling usernames might | |||
| need to scrub existing data when migrating to use of the rules | need to scrub existing data when migrating to use of the rules | |||
| defined in this specification. In particular: | defined in this specification. In particular: | |||
| o SASLprep specified the use of Unicode Normalization Form KC | o SASLprep specified the use of Unicode Normalization Form KC | |||
| (NFKC), whereas this usage of the PRECIS IdentifierClass employs | (NFKC), whereas this usage of the PRECIS IdentifierClass employs | |||
| Unicode Normalization Form C (NFC). In practice this change is | Unicode Normalization Form C (NFC). In practice this change is | |||
| unlikely to cause significant problems, because NFKC provides | unlikely to cause significant problems, because NFKC provides | |||
| methods for mapping Unicode code points with compatibility | methods for mapping Unicode code points with compatibility | |||
| skipping to change at page 13, line 45 ¶ | skipping to change at page 13, line 25 ¶ | |||
| o SASLprep allowed uppercase and titlecase characters, whereas this | o SASLprep allowed uppercase and titlecase characters, whereas this | |||
| usage of the PRECIS IdentifierClass maps uppercase and titlecase | usage of the PRECIS IdentifierClass maps uppercase and titlecase | |||
| characters to their lowercase equivalents. For migration | characters to their lowercase equivalents. For migration | |||
| purposes, deployments can either convert uppercase and titlecase | purposes, deployments can either convert uppercase and titlecase | |||
| characters to their lowercase equivalents in usernames (thus | characters to their lowercase equivalents in usernames (thus | |||
| losing the case information) or preserve uppercase and titlecase | losing the case information) or preserve uppercase and titlecase | |||
| characters and ignore the case difference when comparing | characters and ignore the case difference when comparing | |||
| usernames. | usernames. | |||
| 6.2. Passwords | 5.2. Passwords | |||
| Depending on local service policy, migration from RFC 4013 to this | Depending on local service policy, migration from RFC 4013 to this | |||
| specification might not involve any scrubbing of data (since | specification might not involve any scrubbing of data (since | |||
| passwords might not be stored in the clear anyway); however, service | passwords might not be stored in the clear anyway); however, service | |||
| providers need to be aware of possible issues that might arise during | providers need to be aware of possible issues that might arise during | |||
| migration. In particular: | migration. In particular: | |||
| o SASLprep specified the use of Unicode Normalization Form KC | o SASLprep specified the use of Unicode Normalization Form KC | |||
| (NFKC), whereas this usage of the PRECIS FreeformClass employs | (NFKC), whereas this usage of the PRECIS FreeformClass employs | |||
| Unicode Normalization Form C (NFC). Because NFKC is more | Unicode Normalization Form C (NFC). Because NFKC is more | |||
| skipping to change at page 14, line 36 ¶ | skipping to change at page 14, line 16 ¶ | |||
| Appendix B.1 of [RFC3454]) to nothing, whereas the PRECIS | Appendix B.1 of [RFC3454]) to nothing, whereas the PRECIS | |||
| FreeformClass entirely disallows such characters, which correspond | FreeformClass entirely disallows such characters, which correspond | |||
| to the code points from the "M" category defined under | to the code points from the "M" category defined under | |||
| Section 6.13 of [I-D.ietf-precis-framework] (with the exception of | Section 6.13 of [I-D.ietf-precis-framework] (with the exception of | |||
| U+1806 MONGOLIAN TODO SOFT HYPHEN, which was commonly mapped to | U+1806 MONGOLIAN TODO SOFT HYPHEN, which was commonly mapped to | |||
| nothing in Unicode 3.2 but at the time of this writing is allowed | nothing in Unicode 3.2 but at the time of this writing is allowed | |||
| by Unicode 6.2). In practice, this change will probably have no | by Unicode 6.2). In practice, this change will probably have no | |||
| effect on comparison, but user-oriented software might reject such | effect on comparison, but user-oriented software might reject such | |||
| code points instead of ignoring them during password preparation. | code points instead of ignoring them during password preparation. | |||
| 7. IANA Considerations | 6. IANA Considerations | |||
| The IANA shall add the following entries to the PRECIS Profiles | The IANA shall add the following entries to the PRECIS Profiles | |||
| Registry. | Registry. | |||
| 7.1. UsernameIdentifierClass | 6.1. UsernameIdentifierClass | |||
| Name: UsernameIdentifierClass. | Name: UsernameIdentifierClass. | |||
| Applicability: Usernames in security and application protocols. | Applicability: Usernames in security and application protocols. | |||
| Base Class: IdentifierClass. | Base Class: IdentifierClass. | |||
| Replaces: The SASLprep profile of Stringprep. | Replaces: The SASLprep profile of Stringprep. | |||
| Width Mapping Rule: Map fullwidth and halfwidth characters to their | Width Mapping Rule: Map fullwidth and halfwidth characters to their | |||
| skipping to change at page 15, line 22 ¶ | skipping to change at page 15, line 5 ¶ | |||
| Exclusion Rule: None. | Exclusion Rule: None. | |||
| Directionality Rule: The "Bidi Rule" defined in RFC 5893 applies. | Directionality Rule: The "Bidi Rule" defined in RFC 5893 applies. | |||
| Enforcement: To be defined by security or application protocols that | Enforcement: To be defined by security or application protocols that | |||
| use this profile. | use this profile. | |||
| Specification: RFC XXXX. [Note to RFC Editor: please change XXXX to | Specification: RFC XXXX. [Note to RFC Editor: please change XXXX to | |||
| the number issued for this specification.] | the number issued for this specification.] | |||
| 7.2. PasswordFreeformClass | 6.2. PasswordFreeformClass | |||
| Name: PasswordFreeformClass. | Name: PasswordFreeformClass. | |||
| Applicability: Passwords in security and application protocols. | Applicability: Passwords in security and application protocols. | |||
| Base Class: FreeformClass | Base Class: FreeformClass | |||
| Replaces: The SASLprep profile of Stringprep. | Replaces: The SASLprep profile of Stringprep. | |||
| Width Mapping Rule: None. | Width Mapping Rule: None. | |||
| skipping to change at page 16, line 5 ¶ | skipping to change at page 15, line 34 ¶ | |||
| Exclusion Rule: None. | Exclusion Rule: None. | |||
| Directionality Rule: None. | Directionality Rule: None. | |||
| Enforcement: To be defined by security or application protocols that | Enforcement: To be defined by security or application protocols that | |||
| use this profile. | use this profile. | |||
| Specification: RFC XXXX. [Note to RFC Editor: please change XXXX to | Specification: RFC XXXX. [Note to RFC Editor: please change XXXX to | |||
| the number issued for this specification.] | the number issued for this specification.] | |||
| 8. Security Considerations | 7. Security Considerations | |||
| 8.1. Password/Passphrase Strength | 7.1. Password/Passphrase Strength | |||
| The ability to include a wide range of characters in passwords and | The ability to include a wide range of characters in passwords and | |||
| passphrases can increase the potential for creating a strong password | passphrases can increase the potential for creating a strong password | |||
| with high entropy. However, in practice, the ability to include such | with high entropy. However, in practice, the ability to include such | |||
| characters ought to be weighed against the possible need to reproduce | characters ought to be weighed against the possible need to reproduce | |||
| them on various devices using various input methods. | them on various devices using various input methods. | |||
| 8.2. Identifier Comparison | 7.2. Identifier Comparison | |||
| The process of comparing identifiers (such as SASL simple user names, | The process of comparing identifiers (such as SASL simple user names, | |||
| authentication identifiers, and authorization identifiers) can lead | authentication identifiers, and authorization identifiers) can lead | |||
| to either false negatives or false positives, both of which have | to either false negatives or false positives, both of which have | |||
| security implications. A more detailed discussion can be found in | security implications. A more detailed discussion can be found in | |||
| [RFC6943]. | [RFC6943]. | |||
| 8.3. Reuse of PRECIS | 7.3. Reuse of PRECIS | |||
| The security considerations described in [I-D.ietf-precis-framework] | The security considerations described in [I-D.ietf-precis-framework] | |||
| apply to the "IdentifierClass" and "FreeformClass" base string | apply to the "IdentifierClass" and "FreeformClass" base string | |||
| classes used in this document for usernames and passwords, | classes used in this document for usernames and passwords, | |||
| respectively. | respectively. | |||
| 8.4. Reuse of Unicode | 7.4. Reuse of Unicode | |||
| The security considerations described in [UTS39] apply to the use of | The security considerations described in [UTS39] apply to the use of | |||
| Unicode characters in usernames and passwords. | Unicode characters in usernames and passwords. | |||
| 9. References | 8. References | |||
| 9.1. Normative References | 8.1. Normative References | |||
| [I-D.ietf-precis-framework] | [I-D.ietf-precis-framework] | |||
| Saint-Andre, P. and M. Blanchet, "Precis Framework: | Saint-Andre, P. and M. Blanchet, "Precis Framework: | |||
| Handling Internationalized Strings in Protocols", draft- | Handling Internationalized Strings in Protocols", draft- | |||
| ietf-precis-framework-18 (work in progress), September | ietf-precis-framework-19 (work in progress), October 2014. | |||
| 2014. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | |||
| 10646", STD 63, RFC 3629, November 2003. | 10646", STD 63, RFC 3629, November 2003. | |||
| [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax | [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax | |||
| Specifications: ABNF", STD 68, RFC 5234, January 2008. | Specifications: ABNF", STD 68, RFC 5234, January 2008. | |||
| [UNICODE] The Unicode Consortium, "The Unicode Standard, Version | [UNICODE] The Unicode Consortium, "The Unicode Standard, Version | |||
| 6.3", 2013, | 6.3", 2013, | |||
| <http://www.unicode.org/versions/Unicode6.3.0/>. | <http://www.unicode.org/versions/Unicode6.3.0/>. | |||
| 9.2. Informative References | 8.2. Informative References | |||
| [RFC20] Cerf, V., "ASCII format for network interchange", RFC 20, | [RFC20] Cerf, V., "ASCII format for network interchange", RFC 20, | |||
| October 1969. | October 1969. | |||
| [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | |||
| Leach, P., Luotonen, A., and L. Stewart, "HTTP | Leach, P., Luotonen, A., and L. Stewart, "HTTP | |||
| Authentication: Basic and Digest Access Authentication", | Authentication: Basic and Digest Access Authentication", | |||
| RFC 2617, June 1999. | RFC 2617, June 1999. | |||
| [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of | [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of | |||
| skipping to change at page 17, line 47 ¶ | skipping to change at page 17, line 29 ¶ | |||
| "Salted Challenge Response Authentication Mechanism | "Salted Challenge Response Authentication Mechanism | |||
| (SCRAM) SASL and GSS-API Mechanisms", RFC 5802, July 2010. | (SCRAM) SASL and GSS-API Mechanisms", RFC 5802, July 2010. | |||
| [RFC5890] Klensin, J., "Internationalized Domain Names for | [RFC5890] Klensin, J., "Internationalized Domain Names for | |||
| Applications (IDNA): Definitions and Document Framework", | Applications (IDNA): Definitions and Document Framework", | |||
| RFC 5890, August 2010. | RFC 5890, August 2010. | |||
| [RFC5891] Klensin, J., "Internationalized Domain Names in | [RFC5891] Klensin, J., "Internationalized Domain Names in | |||
| Applications (IDNA): Protocol", RFC 5891, August 2010. | Applications (IDNA): Protocol", RFC 5891, August 2010. | |||
| [RFC5892] Faltstrom, P., "The Unicode Code Points and | ||||
| Internationalized Domain Names for Applications (IDNA)", | ||||
| RFC 5892, August 2010. | ||||
| [RFC5893] Alvestrand, H. and C. Karp, "Right-to-Left Scripts for | [RFC5893] Alvestrand, H. and C. Karp, "Right-to-Left Scripts for | |||
| Internationalized Domain Names for Applications (IDNA)", | Internationalized Domain Names for Applications (IDNA)", | |||
| RFC 5893, August 2010. | RFC 5893, August 2010. | |||
| [RFC5894] Klensin, J., "Internationalized Domain Names for | [RFC5894] Klensin, J., "Internationalized Domain Names for | |||
| Applications (IDNA): Background, Explanation, and | Applications (IDNA): Background, Explanation, and | |||
| Rationale", RFC 5894, August 2010. | Rationale", RFC 5894, August 2010. | |||
| [RFC6120] Saint-Andre, P., "Extensible Messaging and Presence | [RFC6120] Saint-Andre, P., "Extensible Messaging and Presence | |||
| Protocol (XMPP): Core", RFC 6120, March 2011. | Protocol (XMPP): Core", RFC 6120, March 2011. | |||
| skipping to change at page 18, line 46 ¶ | skipping to change at page 18, line 32 ¶ | |||
| The following substantive modifications were made from RFC 4013. | The following substantive modifications were made from RFC 4013. | |||
| o A single SASLprep algorithm was replaced by two separate | o A single SASLprep algorithm was replaced by two separate | |||
| algorithms: one for usernames and another for passwords. | algorithms: one for usernames and another for passwords. | |||
| o The new preparation algorithms use PRECIS instead of a stringprep | o The new preparation algorithms use PRECIS instead of a stringprep | |||
| profile. The new algorithms work independenctly of Unicode | profile. The new algorithms work independenctly of Unicode | |||
| versions. | versions. | |||
| o As recommended in the PRECIS framwork, changed the Unicode | o As recommended in the PRECIS framework, changed the Unicode | |||
| normalization form from NFKC to NFC. | normalization form from NFKC to NFC. | |||
| o Some Unicode code points that were mapped to nothing in RFC 4013 | o Some Unicode code points that were mapped to nothing in RFC 4013 | |||
| are simply disallowed by PRECIS. | are simply disallowed by PRECIS. | |||
| Appendix B. Acknowledgements | Appendix B. Acknowledgements | |||
| The following individuals provided helpful feedback on this document: | The following individuals provided helpful feedback on this document: | |||
| Marc Blanchet, Alan DeKok, Joe Hildebrand, Jeffrey Hutzelman, Simon | Marc Blanchet, Alan DeKok, Joe Hildebrand, Jeffrey Hutzelman, Simon | |||
| Josefsson, Jonathan Lennox, Matt Miller, Chris Newman, Yutaka OIWA, | Josefsson, Jonathan Lennox, Matt Miller, Chris Newman, Yutaka OIWA, | |||
| Pete Resnick, Andrew Sullivan, and Nico Williams. Nico in particular | Pete Resnick, Andrew Sullivan, and Nico Williams. Nico in particular | |||
| deserves special recognition for providing text that was used in | deserves special recognition for providing text that was used in | |||
| Section 4.5. Thanks also to Yoshiro YONEYA and Takahiro NEMOTO for | Section 3.5. Thanks also to Yoshiro YONEYA and Takahiro NEMOTO for | |||
| implementation feedback. | implementation feedback. | |||
| This document borrows some text from [RFC4013] and [RFC6120]. | This document borrows some text from [RFC4013] and [RFC6120]. | |||
| Authors' Addresses | Authors' Addresses | |||
| Peter Saint-Andre | Peter Saint-Andre | |||
| &yet | &yet | |||
| Email: peter@andyet.com | Email: peter@andyet.com | |||
| End of changes. 52 change blocks. | ||||
| 173 lines changed or deleted | 154 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||