idnits 2.17.1 draft-ietf-ldapbis-strprep-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 20. -- Found old boilerplate from RFC 3978, Section 5.5 on line 605. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 576. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 583. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 589. ** Found boilerplate matching RFC 3978, Section 5.4, paragraph 1 (on line 593), which is fine, but *also* found old RFC 2026, Section 10.4C, paragraph 1 text on line 37. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** There is 1 instance of too long lines in the document, the longest one being 3 characters in excess of 72. ** The abstract seems to contain references ([CONTROLCHARACTERS], [RFC2119], [CharModel], [Unicode], [Glossary]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (23 January 2006) is 6668 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'UNICODE' is mentioned on line 150, but not defined == Missing Reference: 'RFC3377' is mentioned on line 158, but not defined ** Obsolete undefined reference: RFC 3377 (Obsoleted by RFC 4510) == Missing Reference: 'Stringprep' is mentioned on line 253, but not defined ** Obsolete normative reference: RFC 3454 (Obsoleted by RFC 7564) -- No information found for draft-ietf-ldapbis-roadmap-xx - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'Roadmap' -- No information found for draft-ietf-ldapbis-syntaxes-xx - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'Syntaxes' -- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode' -- Possible downref: Non-RFC (?) normative reference: ref. 'UAX15' -- No information found for draft-ietf-ldapbis-filter-xx - is the name correct? -- No information found for draft-zeilenga-ldapbis-strmatch-xx - is the name correct? Summary: 9 errors (**), 0 flaws (~~), 5 warnings (==), 15 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet-Draft Kurt D. Zeilenga 3 Intended Category: Standard Track OpenLDAP Foundation 4 Expires in six months 23 January 2006 6 LDAP: Internationalized String Preparation 7 9 Status of this Memo 11 This document is intended to be published as a Standard Track RFC. 12 Distribution of this memo is unlimited. Technical discussion of this 13 document will take place on the IETF LDAP Revision Working Group 14 mailing list . Please send editorial 15 comments directly to the editor . 17 By submitting this Internet-Draft, each author represents that any 18 applicable patent or other IPR claims of which he or she is aware have 19 been or will be disclosed, and any of which he or she becomes aware 20 will be disclosed, in accordance with Section 6 of BCP 79. 22 Internet-Drafts are working documents of the Internet Engineering Task 23 Force (IETF), its areas, and its working groups. Note that other 24 groups may also distribute working documents as Internet-Drafts. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference material 29 or to cite them other than as "work in progress." 31 The list of current Internet-Drafts can be accessed at 32 http://www.ietf.org/1id-abstracts.html 34 The list of Internet-Draft Shadow Directories can be accessed at 35 http://www.ietf.org/shadow.html 37 Copyright (C) The Internet Society (2006). All Rights Reserved. 39 Please see the Full Copyright section near the end of this document 40 for more information. 42 Abstract 44 The previous Lightweight Directory Access Protocol (LDAP) technical 45 specifications did not precisely define how character string matching 46 is to be performed. This led to a number of usability and 47 interoperability problems. This document defines string preparation 48 algorithms for character-based matching rules defined for use in LDAP. 50 Conventions and Terms 52 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 53 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 54 document are to be interpreted as described in BCP 14 [RFC2119]. 56 Character names in this document use the notation for code points and 57 names from the Unicode Standard [Unicode]. For example, the letter 58 "a" may be represented as either or . 59 In the lists of mappings and the prohibited characters, the "U+" is 60 left off to make the lists easier to read. The comments for character 61 ranges are shown in square brackets (such as "[CONTROL CHARACTERS]") 62 and do not come from the standard. 64 Note: a glossary of terms used in Unicode can be found in [Glossary]. 65 Information on the Unicode character encoding model can be found in 66 [CharModel]. 68 The term "combining mark", as used in this specification, refers to 69 any Unicode [Unicode] code point which has a mark property (Mn, Mc, 70 Me). Appendix A provides a definitive list of combining marks. 72 1. Introduction 74 1.1. Background 76 A Lightweight Directory Access Protocol (LDAP) [Roadmap] matching rule 77 [Syntaxes] defines an algorithm for determining whether a presented 78 value matches an attribute value in accordance with the criteria 79 defined for the rule. The proposition may be evaluated to True, 80 False, or Undefined. 82 True - the attribute contains a matching value, 84 False - the attribute contains no matching value, 86 Undefined - it cannot be determined whether the attribute contains 87 a matching value or not. 89 For instance, the caseIgnoreMatch matching rule may be used to compare 90 whether the commonName attribute contains a particular value without 91 regard for case and insignificant spaces. 93 1.2. X.500 String Matching Rules 95 "X.520: Selected attribute types" [X.520] provides (amongst other 96 things) value syntaxes and matching rules for comparing values 97 commonly used in the Directory. These specifications are inadequate 98 for strings composed of Unicode [Unicode] characters. 100 The caseIgnoreMatch matching rule [X.520], for example, is simply 101 defined as being a case insensitive comparison where insignificant 102 spaces are ignored. For printableString, there is only one space 103 character and case mapping is bijective, hence this definition is 104 sufficient. However, for Unicode string types such as 105 universalString, this is not sufficient. For example, a case 106 insensitive matching implementation which folded lower case characters 107 to upper case would yield different different results than an 108 implementation which used upper case to lower case folding. Or one 109 implementation may view space as referring to only SPACE (U+0020), a 110 second implementation may view any character with the space separator 111 (Zs) property as a space, and another implementation may view any 112 character with the whitespace (WS) category as a space. 114 The lack of precise specification for character string matching has 115 led to significant interoperability problems. When used in 116 certificate chain validation, security vulnerabilities can arise. To 117 address these problems, this document defines precise algorithms for 118 preparing character strings for matching. 120 1.3. Relationship to "stringprep" 122 The character string preparation algorithms described in this document 123 are based upon the "stringprep" approach [RFC3454]. In "stringprep", 124 presented and stored values are first prepared for comparison and so 125 that a character-by-character comparison yields the "correct" result. 127 The approach used here is a refinement of the "stringprep" [RFC3454] 128 approach. Each algorithm involves two additional preparation steps. 130 a) prior to applying the Unicode string preparation steps outlined in 131 "stringprep", the string is transcoded to Unicode; 133 b) after applying the Unicode string preparation steps outlined in 134 "stringprep", the string is modified to appropriately handle 135 characters insignificant to the matching rule. 137 Hence, preparation of character strings for X.500 matching involves 138 the following steps: 140 1) Transcode 141 2) Map 142 3) Normalize 143 4) Prohibit 144 5) Check Bidi (Bidirectional) 145 6) Insignificant Character Handling 147 These steps are described in Section 2. 149 It is noted that while various tables of Unicode characters included 150 or referenced by this specification are derived from Unicode [UNICODE] 151 data, these tables are to be considered definitive for the purpose of 152 implementing this specification. 154 1.4. Relationship to the LDAP Technical Specification 156 This document is a integral part of the LDAP technical specification 157 [Roadmap] which obsoletes the previously defined LDAP technical 158 specification [RFC3377] in its entirety. 160 This document details new LDAP internationalized character string 161 preparation algorithms used by [Syntaxes] and possible other technical 162 specifications defining LDAP syntaxes and/or matching rules. 164 1.5. Relationship to X.500 166 LDAP is defined [Roadmap] in X.500 terms as an X.500 access mechanism. 167 As such, there is a strong desire for alignment between LDAP and X.500 168 syntax and semantics. The character string preparation algorithms 169 described in this document are based upon "Internationalized String 170 Matching Rules for X.500" [XMATCH] proposal to ITU/ISO Joint Study 171 Group 2. 173 2. String Preparation 175 The following six-step process SHALL be applied to each presented and 176 attribute value in preparation for character string matching rule 177 evaluation. 179 1) Transcode 180 2) Map 181 3) Normalize 182 4) Prohibit 183 5) Check bidi 184 6) Insignificant Character Handling 186 Failure in any step causes the assertion to evaluate to Undefined. 188 The character repertoire of this process is Unicode 3.2 [Unicode]. 190 Note that this six-step process specification is intended to described 191 expected matching behavior. Implementations are free use alternative 192 processes so long as the matching rule evaluation behavior provided is 193 consistent with the behavior described by this specification. 195 2.1. Transcode 197 Each non-Unicode string value is transcoded to Unicode. 199 PrintableString [X.680] value are transcoded directly to Unicode. 201 UniversalString, UTF8String, and bmpString [X.680] values need not be 202 transcoded as they are Unicode-based strings (in the case of 203 bmpString, a subset of Unicode). 205 TeletexString [X.680] values are transcoded to Unicode. As there is 206 no standard for mapping TeletexString values to Unicode, the mapping 207 is left a local matter. 209 For these and other reasons, use of TeletexString is NOT RECOMMENDED. 211 The output is the transcoded string. 213 2.2. Map 215 SOFT HYPHEN (U+00AD) and MONGOLIAN TODO SOFT HYPHEN (U+1806) code 216 points are mapped to nothing. COMBINING GRAPHEME JOINER (U+034F) and 217 VARIATION SELECTORs (U+180B-180D, FF00-FE0F) code points are also 218 mapped to nothing. The OBJECT REPLACEMENT CHARACTER (U+FFFC) is 219 mapped to nothing. 221 CHARACTER TABULATION (U+0009), LINE FEED (LF) (U+000A), LINE 222 TABULATION (U+000B), FORM FEED (FF) (U+000C), CARRIAGE RETURN (CR) 223 (U+000D), and NEXT LINE (NEL) (U+0085) are mapped to SPACE (U+0020). 225 All other control code (e.g., Cc) points or code points with a control 226 function (e.g., Cf) are mapped to nothing. The following is a 227 complete list of these code points: U+0000-0008, 000E-001F, 007F-0084, 228 0086-009F, 06DD, 070F, 180E, 200C-200F, 202A-202E, 2060-2063, 229 206A-206F, FEFF, FFF9-FFFB, 1D173-1D17A, E0001, E0020-E007F. 231 ZERO WIDTH SPACE (U+200B) is mapped to nothing. All other code points 232 with Separator (space, line, or paragraph) property (e.g, Zs, Zl, or 233 Zp) are mapped to SPACE (U+0020). The following is a complete list of 234 these code points: U+0020, 00A0, 1680, 2000-200A, 2028-2029, 202F, 235 205F, 3000. 237 For case ignore, numeric, and stored prefix string matching rules, 238 characters are case folded per B.2 of [RFC3454]. 240 The output is the mapped string. 242 2.3. Normalize 244 The input string is be normalized to Unicode Form KC (compatibility 245 composed) as described in [UAX15]. The output is the normalized 246 string. 248 2.4. Prohibit 250 All Unassigned code points are prohibited. Unassigned code points are 251 listed in Table A.1 of [RFC3454]. 253 Characters which, per Section 5.8 of [Stringprep], change display 254 properties or are deprecated are prohibited. These characters are are 255 listed in Table C.8 of [RFC3454]. 257 Private Use code points are prohibited. These characters are listed 258 in Table C.3 of [RFC3454]. 260 All non-character code points are prohibited. These code points are 261 listed in Table C.4 of [RFC3454]. 263 Surrogate codes are prohibited. These characters are listed in Table 264 C.5 of [RFC3454]. 266 The REPLACEMENT CHARACTER (U+FFFD) code point is prohibited. 268 The step fails if the input string contains any prohibited code point. 269 Otherwise, the output is the input string. 271 2.5. Check bidi 273 Bidirectional characters are ignored. 275 2.6. Insignificant Character Handling 277 In this step, the string is modified to ensure proper handling of 278 characters insignificant to the matching rule. This modification 279 differs from matching rule to matching rule. 281 Section 2.6.1 applies to case ignore and exact string matching. 282 Section 2.6.2 applies to numericString matching. 283 Section 2.6.3 applies to telephoneNumber matching. 285 2.6.1. Insignificant Space Handling 287 For the purposes of this section, a space is defined to be the SPACE 288 (U+0020) code point followed by no combining marks. 290 NOTE - The previous steps ensure that the string cannot contain any 291 code points in the separator class, other than SPACE (U+0020). 293 If the input string contains at least one non-space character, then 294 the string is modified such that the string starts with exactly one 295 space character, ends with exactly one SPACE character, and that any 296 inner (non-empty) sequence of space characters is replaced with 297 exactly two SPACE characters. For instance, the input strings 298 "foobar", results in the output 299 "foobar". 301 Otherwise, if the string being prepared is an initial, any, or final 302 substring, then the output string is exactly one SPACE character, else 303 the output string is exactly two SPACEs. 305 Appendix B discusses the rationale for the behavior. 307 2.6.2. numericString Insignificant Character Handling 309 For the purposes of this section, a space is defined to be the SPACE 310 (U+0020) code point followed by no combining marks. 312 All spaces are regarded as insignificant and are to be removed. 314 For example, removal of spaces from the Form KC string: 315 "123456" 317 would result in the output string: 318 "123456" 319 and the Form KC string: 320 "" 321 would result in the output string: 322 "" (an empty string). 324 2.6.3. telephoneNumber Insignificant Character Handling 326 For the purposes of this section, a hyphen is defined to be 327 HYPHEN-MINUS (U+002D), ARMENIAN HYPHEN (U+058A), HYPHEN (U+2010), 328 NON-BREAKING HYPHEN (U+2011), MINUS SIGN (U+2212), SMALL HYPHEN-MINUS 329 (U+FE63), or FULLWIDTH HYPHEN-MINUS (U+FF0D) code point followed by no 330 combining marks and a space is defined to be the SPACE (U+0020) code 331 point followed by no combining marks. 333 All hyphens and spaces are considered insignificant and are to be 334 removed. 336 For example, removal of hyphens and spaces from the Form KC string: 337 "123456" 338 would result in the output string: 339 "123456" 340 and the Form KC string: 341 "" 342 would result in the (empty) output string: 343 "". 345 3. Security Considerations 347 "Preparation for International Strings ('stringprep')" [RFC3454] 348 security considerations generally apply to the algorithms described 349 here. 351 4. Acknowledgments 353 The approach used in this document is based upon design principles and 354 algorithms described in "Preparation of Internationalized Strings 355 ('stringprep')" [RFC3454] by Paul Hoffman and Marc Blanchet. Some 356 additional guidance was drawn from Unicode Technical Standards, 357 Technical Reports, and Notes. 359 This document is a product of the IETF LDAP Revision (LDAPBIS) Working 360 Group. 362 5. Author's Address 364 Kurt D. Zeilenga 365 OpenLDAP Foundation 367 Email: Kurt@OpenLDAP.org 369 6. References 371 [[Note to the RFC Editor: please replace the citation tags used in 372 referencing Internet-Drafts with tags of the form RFCnnnn where 373 possible.]] 375 6.1. Normative References 377 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 378 Requirement Levels", BCP 14 (also RFC 2119), March 1997. 380 [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of 381 Internationalized Strings ('stringprep')", RFC 3454, 382 December 2002. 384 [Roadmap] Zeilenga, K. (editor), "LDAP: Technical Specification 385 Road Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in 386 progress. 388 [Syntaxes] Legg, S. (editor), "LDAP: Syntaxes and Matching Rules", 389 draft-ietf-ldapbis-syntaxes-xx.txt, a work in progress. 391 [Unicode] The Unicode Consortium, "The Unicode Standard, Version 392 3.2.0" is defined by "The Unicode Standard, Version 3.0" 393 (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), 394 as amended by the "Unicode Standard Annex #27: Unicode 395 3.1" (http://www.unicode.org/reports/tr27/) and by the 396 "Unicode Standard Annex #28: Unicode 3.2" 397 (http://www.unicode.org/reports/tr28/). 399 [UAX15] Davis, M. and M. Duerst, "Unicode Standard Annex #15: 400 Unicode Normalization Forms, Version 3.2.0". 401 , 402 March 2002. 404 [X.680] International Telecommunication Union - 405 Telecommunication Standardization Sector, "Abstract 406 Syntax Notation One (ASN.1) - Specification of Basic 407 Notation", X.680(2002) (also ISO/IEC 8824-1:2002). 409 6.2. Informative References 411 [X.500] International Telecommunication Union - 412 Telecommunication Standardization Sector, "The Directory 413 -- Overview of concepts, models and services," 414 X.500(1993) (also ISO/IEC 9594-1:1994). 416 [X.501] International Telecommunication Union - 417 Telecommunication Standardization Sector, "The Directory 418 -- Models," X.501(1993) (also ISO/IEC 9594-2:1994). 420 [X.520] International Telecommunication Union - 421 Telecommunication Standardization Sector, "The 422 Directory: Selected Attribute Types", X.520(1993) (also 423 ISO/IEC 9594-6:1994). 425 [Glossary] The Unicode Consortium, "Unicode Glossary", 426 . 428 [CharModel] Whistler, K. and M. Davis, "Unicode Technical Report 429 #17, Character Encoding Model", UTR17, 430 , August 431 2000. 433 [Filters] Smith, M. (editor), LDAPbis WG, "LDAP: String 434 Representation of Search Filters", 435 draft-ietf-ldapbis-filter-xx.txt, a work in progress. 437 [XMATCH] Zeilenga, K., "Internationalized String Matching Rules 438 for X.500", draft-zeilenga-ldapbis-strmatch-xx.txt, a 439 work in progress. 441 Appendix A. Combining Marks 443 This appendix is normative. 445 This table was derived from Unicode [Unicode] data 446 files, it lists all code points with the Mn, Mc, or Me 447 properties. This table is to be considered definitive 448 for the purposes of implementation of this 449 specification. 451 0300-034F 0360-036F 0483-0486 0488-0489 0591-05A1 452 05A3-05B9 05BB-05BC 05BF 05C1-05C2 05C4 064B-0655 0670 453 06D6-06DC 06DE-06E4 06E7-06E8 06EA-06ED 0711 0730-074A 454 07A6-07B0 0901-0903 093C 093E-094F 0951-0954 0962-0963 455 0981-0983 09BC 09BE-09C4 09C7-09C8 09CB-09CD 09D7 456 09E2-09E3 0A02 0A3C 0A3E-0A42 0A47-0A48 0A4B-0A4D 457 0A70-0A71 0A81-0A83 0ABC 0ABE-0AC5 0AC7-0AC9 0ACB-0ACD 458 0B01-0B03 0B3C 0B3E-0B43 0B47-0B48 0B4B-0B4D 0B56-0B57 459 0B82 0BBE-0BC2 0BC6-0BC8 0BCA-0BCD 0BD7 0C01-0C03 460 0C3E-0C44 0C46-0C48 0C4A-0C4D 0C55-0C56 0C82-0C83 461 0CBE-0CC4 0CC6-0CC8 0CCA-0CCD 0CD5-0CD6 0D02-0D03 462 0D3E-0D43 0D46-0D48 0D4A-0D4D 0D57 0D82-0D83 0DCA 463 0DCF-0DD4 0DD6 0DD8-0DDF 0DF2-0DF3 0E31 0E34-0E3A 464 0E47-0E4E 0EB1 0EB4-0EB9 0EBB-0EBC 0EC8-0ECD 0F18-0F19 465 0F35 0F37 0F39 0F3E-0F3F 0F71-0F84 0F86-0F87 0F90-0F97 466 0F99-0FBC 0FC6 102C-1032 1036-1039 1056-1059 1712-1714 467 1732-1734 1752-1753 1772-1773 17B4-17D3 180B-180D 18A9 468 20D0-20EA 302A-302F 3099-309A FB1E FE00-FE0F FE20-FE23 469 1D165-1D169 1D16D-1D172 1D17B-1D182 1D185-1D18B 470 1D1AA-1D1AD 472 Appendix B. Substrings Matching 474 This appendix is non-normative. 476 In absence of substrings matching, the insignificant 477 space handling for case ignore/exact matching could be 478 simplified. Specifically, the handling could be as 479 require all sequences of one or more spaces be replaced 480 with one space and, if string contains non-space 481 characters, removal of all all leading spaces and 482 trailing spaces. 484 In the presence of substrings matching, this simplified 485 space handling would lead to unexpected and undesirable 486 matching behavior. For instance: 487 1) (CN=foo\20*\20bar) would match the CN value "foobar" but not 488 "foobar" nor "foobar"; 489 2) (CN=*\20foobar\20*) would match "foobar", but (CN=*\20*foobar*\20*) 490 would not; 491 3) (CN=foo\20*\20bar) would match "fooXbar" but not 492 "foobar". 494 Note to readers not familiar with LDAP substrings matching: the LDAP 495 filter [Filters] assertion (CN=A*B*C) says "match any value (of the 496 attribute CN) which begins with A, contains B after A, ends with C 497 where C is also after B." 499 The first case illustrates that this simplified space handling would 500 cause leading and trailing spaces in substrings of the string to be 501 regarded as insignificant. However, only leading and trailing (as 502 well as multiple consecutive spaces) of the string (as a whole) are 503 insignificant. 505 The second case illustrates that this simplified space handling would 506 cause sub-partitioning failures. That is, if a prepared any substring 507 matches a partition of the attribute value, then an assertion 508 constructed by subdividing that substring into multiple substrings 509 should also match. 511 The third case illustrates that this simplified space handling causes 512 another partitioning failure. Though both the initial or final 513 strings match different portions of "fooXbar" with 514 neither matching the X portion, they don't match a string consisting 515 of the two matched portions less the unmatched X portion. 517 In designing an appropriate approach for space handling for substrings 518 matching, one must study key aspects of X.500 case exact/ignore 519 matching. X.520 [X.520] says: 520 The [substrings] rule returns TRUE if there is a partitioning of 521 the attribute value (into portions) such that: 522 - the specified substrings (initial, any, final) match different 523 portions of the value in the order of the strings sequence; 524 - initial, if present, matches the first portion of the value; 525 - final, if present, matches the last portion of the value; 526 - any, if present, matches some arbitrary portion of the value. 528 That is, the substrings assertion (CN=foo\20*\20bar) matches the 529 attribute value "foobar" as the value can be partitioned 530 into the portions "foo" and "bar" meeting the above 531 requirements. 533 X.520 also says: 534 [T]he following spaces are regarded as not significant: 535 - leading spaces (i.e. those preceding the first character that is 536 not a space); 537 - trailing spaces (i.e. those following the last character that is 538 not a space); 539 - multiple consecutive spaces (these are taken as equivalent to a 540 single space character). 542 This statement applies to the assertion values and attribute values 543 as whole strings, and not individually to substrings of an assertion 544 value. In particular, the statements should be taken to mean that 545 if an assertion value and attribute value match without any 546 consideration to insignificant characters, then that assertion value 547 should also match any attribute value which differs only by inclusion 548 or removal of insignificant characters. 550 Hence, the assertion (CN=foo\20*\20bar) matches 551 "foobar" and "foobar" as these values 552 only differ from "foobar" by the inclusion or removal 553 of insignificant spaces. 555 Astute readers of this text will also note that there are special 556 cases where the specified space handling does not ignore spaces 557 which could be considered insignificant. For instance, the assertion 558 (CN=\20*\20*\20) does not match "" 559 (insignificant spaces present in value) nor " " (insignificant 560 spaces not present in value). However, as these cases have no 561 practical application that cannot be met by simple assertions, e.g. 562 (cn=\20), and this minor anomaly can only be fully addressed by a 563 preparation algorithm to be used in conjunction with 564 character-by-character partitioning and matching, the anomaly is 565 considered acceptable. 567 Intellectual Property Rights 569 The IETF takes no position regarding the validity or scope of any 570 Intellectual Property Rights or other rights that might be claimed 571 to pertain to the implementation or use of the technology described 572 in this document or the extent to which any license under such 573 rights might or might not be available; nor does it represent that 574 it has made any independent effort to identify any such rights. 575 Information on the procedures with respect to rights in RFC documents 576 can be found in BCP 78 and BCP 79. 578 Copies of IPR disclosures made to the IETF Secretariat and any 579 assurances of licenses to be made available, or the result of an 580 attempt made to obtain a general license or permission for the use 581 of such proprietary rights by implementers or users of this 582 specification can be obtained from the IETF on-line IPR repository 583 at http://www.ietf.org/ipr. 585 The IETF invites any interested party to bring to its attention any 586 copyrights, patents or patent applications, or other proprietary 587 rights that may cover technology that may be required to implement 588 this standard. Please address the information to the IETF at 589 ietf-ipr@ietf.org. 591 Full Copyright 593 Copyright (C) The Internet Society (2006). 595 This document is subject to the rights, licenses and restrictions 596 contained in BCP 78, and except as set forth therein, the authors 597 retain all their rights. 599 This document and the information contained herein are provided on an 600 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE 601 REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE 602 INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR 603 IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 604 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 605 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.