idnits 2.17.1 draft-ietf-sasl-saslprep-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3667, Section 5.1 on line 24. -- Found old boilerplate from RFC 3978, Section 5.5 on line 290. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 263. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 270. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 276. ** Found boilerplate matching RFC 3978, Section 5.4, paragraph 1 (on line 282), which is fine, but *also* found old RFC 2026, Section 10.4C, paragraph 1 text on line 40. ** The document claims conformance with section 10 of RFC 2026, but uses some RFC 3978/3979 boilerplate. As RFC 3978/3979 replaces section 10 of RFC 2026, you should not claim conformance with it if you have changed to using RFC 3978/3979 boilerplate. ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure Acknowledgement -- however, there's a paragraph with a matching beginning. Boilerplate error? ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** The document seems to lack an RFC 3978 Section 5.4 Reference to BCP 78 -- however, there's a paragraph with a matching beginning. Boilerplate error? ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate instead of verbatim RFC 3978 boilerplate. After 6 May 2005, submission of drafts without verbatim RFC 3978 boilerplate is not accepted. The following non-3978 patterns matched text found in the document. That text should be removed or replaced: By submitting this Internet-Draft, I certify that any applicable patent or other IPR claims of which I am aware have been disclosed, or will be disclosed, and any of which I become aware will be disclosed, in accordance with RFC 3668. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (28 April 2004) is 7296 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'Section 6' is mentioned on line 138, but not defined == Unused Reference: 'CRAM-MD5' is defined on line 237, but no explicit reference was found in the text == Unused Reference: 'DIGEST-MD5' is defined on line 240, but no explicit reference was found in the text ** Obsolete normative reference: RFC 3454 (ref. 'StringPrep') (Obsoleted by RFC 7564) -- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode' -- No information found for draft-ietf-sasl-rfc2222bis-xx - is the name correct? -- No information found for draft-ietf-sasl-crammd5-xx - is the name correct? -- No information found for draft-ietf-sasl-rfc2831bis-xx - is the name correct? -- No information found for draft-ietf-sasl-plain-xx - is the name correct? Summary: 9 errors (**), 0 flaws (~~), 4 warnings (==), 13 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 INTERNET-DRAFT Kurt D. Zeilenga 3 Intended Category: Standards Track OpenLDAP Foundation 4 Expires: October 2004 28 April 2004 6 SASLprep: Stringprep profile for user names and passwords 7 9 Status of Memo 11 This document is an Internet-Draft and is in full conformance with all 12 provisions of Section 10 of RFC 2026. 14 This document is intended to be, after appropriate review and 15 revision, submitted to the RFC Editor as a Standards Track document. 16 Distribution of this memo is unlimited. Technical discussion of this 17 document will take place on the IETF SASL mailing list 18 . Please send editorial comments directly to the 19 document editor . 21 By submitting this Internet-Draft, I certify that any applicable 22 patent or other IPR claims of which I am aware have been disclosed, 23 and any of which I become aware will be disclosed, in accordance with 24 RFC 3668. 26 Internet-Drafts are working documents of the Internet Engineering Task 27 Force (IETF), its areas, and its working groups. Note that other 28 groups may also distribute working documents as Internet-Drafts. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference material 33 or to cite them other than as "work in progress." 35 The list of current Internet-Drafts can be accessed at 36 http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet- 37 Draft Shadow Directories can be accessed at 38 http://www.ietf.org/shadow.html. 40 Copyright (C) The Internet Society (2004). All Rights Reserved. 42 Please see the Full Copyright section near the end of this document 43 for more information. 45 Abstract 46 This document describes how to prepare Unicode strings representing 47 user names and passwords for comparison. The document defines the 48 "SASLprep" profile of the "stringprep" algorithm to be used for both 49 user names and passwords. This profile is intended to be used by 50 Simple Authentication and Security Layer (SASL) mechanisms (such as 51 PLAIN, CRAM-MD5, and DIGEST-MD5) as well as other protocols exchanging 52 simple user names and/or passwords. 54 1. Introduction 56 The use of simple user names and passwords in authentication and 57 authorization is pervasive on the Internet. To increase the 58 likelihood that user name and password input and comparison work in 59 ways that make sense for typical users throughout the world, this 60 document defines rules for preparing internationalized user names and 61 passwords for comparison. For simplicity and implementation ease, a 62 single algorithm is defined for both user names and passwords. 64 The algorithm assumes all strings are comprised of characters from the 65 Unicode character set. 67 This document defines the "SASLprep" profile of the "stringprep" 68 algorithm [StringPrep]. 70 The profile is designed for use in Simple Authentication and Security 71 Layer ([SASL]) mechanisms such as [PLAIN]. It may be applicable 72 elsewhere simple user names and passwords are used. This profile is 73 not intended to be used to prepare identity strings which are not 74 simple user names (e.g., e-mail addresses, domain names, distinguished 75 names), or where identity or password strings which are not character 76 data, or require different handling (e.g., case folding). 78 This document by itself does not alter the technical specification any 79 existing protocols. Any specification that wishes to use the 80 algorithm described in this document needs to explicitly incorporate 81 this document and provide precise details as to where and how this 82 algorithm is used by implementations of that specification. 84 2. The SASLprep profile 86 This section defines the "SASLprep" profile of the "stringprep" 87 algorithm [StringPrep]. This profile is intended to be used to 88 prepare strings representing simple user names and passwords. 90 This profile uses Unicode 3.2 [Unicode]. 92 Character names in this document use the notation for code points and 93 names from the Unicode Standard [Unicode]. For example, the letter 94 "a" may be represented as either or . 95 In the lists of mappings and the prohibited characters, the "U+" is 96 left off to make the lists easier to read. The comments for character 97 ranges are shown in square brackets (such as "[CONTROL CHARACTERS]") 98 and do not come from the standard. 100 Note: a glossary of terms used in Unicode can be found in [Glossary]. 101 Information on the Unicode character encoding model can be found in 102 [CharModel]. 104 2.1. Mapping 106 This profile specifies: 107 - non-ASCII space characters [StringPrep, C.1.2] be mapped to SPACE 108 (U+0020), and 110 - the "commonly mapped to nothing" characters [StringPrep, B.1] be 111 mapped to nothing. 113 2.2. Normalization 115 This profile specifies using Unicode normalization form KC, as 116 described in Section 4 of [StringPrep]. 118 2.3. Prohibited Output 120 This profile specifies the following characters: 122 - Non-ASCII space characters [StringPrep, C.1.2], 123 - ASCII control characters [StringPrep, C.2.1], 124 - Non-ASCII control characters [StringPrep, C.2.2], 125 - Private Use [StringPrep, C.3], 126 - Non-character code points [StringPrep, C.4], 127 - Surrogate code points [StringPrep, C.5], 128 - Inappropriate for plain text [StringPrep, C.6], 129 - Inappropriate for canonical representation [StringPrep, C.7], 130 - Change display properties or are deprecated [StringPrep, C.8], and 131 - Tagging characters [StringPrep, C.9]. 133 are prohibited output. 135 2.4. Bidirectional characters 137 This profile specifies checking bidirectional strings as described in 138 [StringPrep, Section 6]. 140 2.5. Unassigned Code Points 142 This profile specifies [StringPrep, A.1] table as its list of 143 unassigned code points. 145 3. Examples 147 The following table provides examples of how various character data is 148 transformed by SASLprep string preparation algorithm 150 # Input Output Comments 151 - ----- ------ -------- 152 1 IX IX SOFT HYPHEN mapped to nothing 153 2 user user no transformation 154 3 USER USER case preserved, will not match #3 155 4 a output is NFKC, input in ISO 8859-1 156 5 IX output is NFKC, will match #1 157 6 Error - prohibited character 158 7 Error - bidirectional check 160 4. Security Considerations 162 This profile is intended to used to prepare simple user names and 163 passwords strings for comparison or use in cryptographic functions 164 (e.g., message digests). The preparation algorithm is specifically 165 designed such that its output is canonical. 167 It is not intended to be used for to prepare identity strings which 168 are not simple user names (e.g., distinguished names and domain 169 names). Nor is the profile intended to be used for simple user names 170 which require different handling (such as case folding). Protocols 171 (or applications of those protocols) which have application-specific 172 identity forms and/or comparison algorithms should use mechanisms 173 specifically designed for these forms and algorithms. 175 Application of string preparation may have an impact upon the 176 feasibility of brute force and dictionary attacks. While the number 177 of possible prepared strings is less than the number of possible 178 Unicode strings, the number of usable names and passwords is greater 179 than if only ASCII was used. Though SASLprep eliminates some of 180 Unicode code point sequences as possible prepared strings, that 181 elimination generally makes the (canonical) output forms practicable 182 and prohibits nonsensical inputs. 184 User names and passwords should be protected from eavesdropping. 186 General "stringprep" and Unicode security considerations apply. Both 187 are discussed in [StringPrep]. 189 5. IANA Considerations 191 This document details the "SASLprep" profile of [StringPrep] protocol. 192 Upon Standards Action the profile should be registered in the 193 stringprep profile registry. 195 Name of this profile: SASLprep 196 RFC in which the profile is defined: This RFC 197 Indicator whether or not this is the newest version of the 198 profile: This is the first version of the SASPprep profile. 200 6. Acknowledgment 202 This document borrows text from "Preparation of Internationalized 203 Strings ('stringprep')" and "Nameprep: A Stringprep Profile for 204 Internationalized Domain Names", both by Paul Hoffman and Marc 205 Blanchet. 207 This document is a product of the IETF SASL WG. 209 7. Normative References 211 [StringPrep] Hoffman, P. and M. Blanchet, "Preparation of 212 Internationalized Strings ('stringprep')", RFC 3454, 213 December 2002. 215 [Unicode] The Unicode Consortium, "The Unicode Standard, Version 216 3.2.0" is defined by "The Unicode Standard, Version 3.0" 217 (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), 218 as amended by the "Unicode Standard Annex #27: Unicode 219 3.1" (http://www.unicode.org/reports/tr27/) and by the 220 "Unicode Standard Annex #28: Unicode 3.2" 221 (http://www.unicode.org/reports/tr28/). 223 8. Informative References 225 [Glossary] The Unicode Consortium, "Unicode Glossary", 226 . 228 [CharModel] Whistler, K. and M. Davis, "Unicode Technical Report 229 #17, Character Encoding Model", UTR17, 230 , August 231 2000. 233 [SASL] Melnikov, A. (Editor), "Simple Authentication and 234 Security Layer (SASL)", 235 draft-ietf-sasl-rfc2222bis-xx.txt, a work in progress. 237 [CRAM-MD5] Nerenberg, L., "The CRAM-MD5 SASL Mechanism", 238 draft-ietf-sasl-crammd5-xx.txt, a work in progress. 240 [DIGEST-MD5] Leach, P., C. Newman, and A. Melnikov, "Using Digest 241 Authentication as a SASL Mechanism", 242 draft-ietf-sasl-rfc2831bis-xx.txt, a work in progress. 244 [PLAIN] Zeilenga, K. (Editor), "The Plain SASL Mechanism", 245 draft-ietf-sasl-plain-xx.txt, a work in progress. 247 9. Author's Address 249 Kurt D. Zeilenga 250 OpenLDAP Foundation 252 Email: Kurt@OpenLDAP.org 254 Intellectual Property Rights 256 The IETF takes no position regarding the validity or scope of any 257 Intellectual Property Rights or other rights that might be claimed to 258 pertain to the implementation or use of the technology described in 259 this document or the extent to which any license under such rights 260 might or might not be available; nor does it represent that it has 261 made any independent effort to identify any such rights. Information 262 on the procedures with respect to rights in RFC documents can be found 263 in BCP 78 and BCP 79. 265 Copies of IPR disclosures made to the IETF Secretariat and any 266 assurances of licenses to be made available, or the result of an 267 attempt made to obtain a general license or permission for the use of 268 such proprietary rights by implementers or users of this specification 269 can be obtained from the IETF on-line IPR repository at 270 http://www.ietf.org/ipr. 272 The IETF invites any interested party to bring to its attention any 273 copyrights, patents or patent applications, or other proprietary 274 rights that may cover technology that may be required to implement 275 this standard. Please address the information to the IETF at ietf- 276 ipr@ietf.org. 278 Full Copyright 280 Copyright (C) The Internet Society (2004). This document is subject 281 to the rights, licenses and restrictions contained in BCP 78 and 282 except as set forth therein, the authors retain all their rights. 284 This document and the information contained herein are provided on an 285 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 286 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 287 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 288 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 289 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 290 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.