draft-ietf-precis-framework-10.txt   draft-ietf-precis-framework-11.txt 
PRECIS P. Saint-Andre PRECIS P. Saint-Andre
Internet-Draft Cisco Systems, Inc. Internet-Draft Cisco Systems, Inc.
Obsoletes: 3454 (if approved) M. Blanchet Obsoletes: 3454 (if approved) M. Blanchet
Intended status: Standards Track Viagenie Intended status: Standards Track Viagenie
Expires: April 18, 2014 October 15, 2013 Expires: April 21, 2014 October 18, 2013
PRECIS Framework: Preparation and Comparison of Internationalized PRECIS Framework: Preparation and Comparison of Internationalized
Strings in Application Protocols Strings in Application Protocols
draft-ietf-precis-framework-10 draft-ietf-precis-framework-11
Abstract Abstract
Application protocols using Unicode code points in protocol strings Application protocols using Unicode code points in protocol strings
need to properly prepare such strings in order to perform valid need to properly prepare such strings in order to perform valid
comparison operations (e.g., for purposes of authentication or comparison operations (e.g., for purposes of authentication or
authorization). This document defines a framework enabling authorization). This document defines a framework enabling
application protocols to perform the preparation and comparison of application protocols to perform the preparation and comparison of
internationalized strings (a.k.a. "PRECIS") in a way that depends on internationalized strings (a.k.a. "PRECIS") in a way that depends on
the properties of Unicode code points and thus is agile with respect the properties of Unicode code points and thus is agile with respect
skipping to change at page 1, line 42 skipping to change at page 1, line 42
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 18, 2014. This Internet-Draft will expire on April 21, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 32 skipping to change at page 2, line 32
4.1. Principles . . . . . . . . . . . . . . . . . . . . . . . . 10 4.1. Principles . . . . . . . . . . . . . . . . . . . . . . . . 10
4.2. Building Application-Layer Constructs . . . . . . . . . . 12 4.2. Building Application-Layer Constructs . . . . . . . . . . 12
4.3. A Note about Spaces . . . . . . . . . . . . . . . . . . . 12 4.3. A Note about Spaces . . . . . . . . . . . . . . . . . . . 12
5. Order of Operations . . . . . . . . . . . . . . . . . . . . . 13 5. Order of Operations . . . . . . . . . . . . . . . . . . . . . 13
6. Code Point Properties . . . . . . . . . . . . . . . . . . . . 13 6. Code Point Properties . . . . . . . . . . . . . . . . . . . . 13
7. Category Definitions Used to Calculate Derived Property . . . 15 7. Category Definitions Used to Calculate Derived Property . . . 15
7.1. LetterDigits (A) . . . . . . . . . . . . . . . . . . . . . 16 7.1. LetterDigits (A) . . . . . . . . . . . . . . . . . . . . . 16
7.2. Unstable (B) . . . . . . . . . . . . . . . . . . . . . . . 16 7.2. Unstable (B) . . . . . . . . . . . . . . . . . . . . . . . 16
7.3. IgnorableProperties (C) . . . . . . . . . . . . . . . . . 16 7.3. IgnorableProperties (C) . . . . . . . . . . . . . . . . . 16
7.4. IgnorableBlocks (D) . . . . . . . . . . . . . . . . . . . 16 7.4. IgnorableBlocks (D) . . . . . . . . . . . . . . . . . . . 16
7.5. LDH (E) . . . . . . . . . . . . . . . . . . . . . . . . . 17 7.5. LDH (E) . . . . . . . . . . . . . . . . . . . . . . . . . 16
7.6. Exceptions (F) . . . . . . . . . . . . . . . . . . . . . . 17 7.6. Exceptions (F) . . . . . . . . . . . . . . . . . . . . . . 17
7.7. BackwardCompatible (G) . . . . . . . . . . . . . . . . . . 18 7.7. BackwardCompatible (G) . . . . . . . . . . . . . . . . . . 18
7.8. JoinControl (H) . . . . . . . . . . . . . . . . . . . . . 19 7.8. JoinControl (H) . . . . . . . . . . . . . . . . . . . . . 18
7.9. OldHangulJamo (I) . . . . . . . . . . . . . . . . . . . . 19 7.9. OldHangulJamo (I) . . . . . . . . . . . . . . . . . . . . 19
7.10. Unassigned (J) . . . . . . . . . . . . . . . . . . . . . . 19 7.10. Unassigned (J) . . . . . . . . . . . . . . . . . . . . . . 19
7.11. ASCII7 (K) . . . . . . . . . . . . . . . . . . . . . . . . 19 7.11. ASCII7 (K) . . . . . . . . . . . . . . . . . . . . . . . . 19
7.12. Controls (L) . . . . . . . . . . . . . . . . . . . . . . . 20 7.12. Controls (L) . . . . . . . . . . . . . . . . . . . . . . . 20
7.13. PrecisIgnorableProperties (M) . . . . . . . . . . . . . . 20 7.13. PrecisIgnorableProperties (M) . . . . . . . . . . . . . . 20
7.14. Spaces (N) . . . . . . . . . . . . . . . . . . . . . . . . 20 7.14. Spaces (N) . . . . . . . . . . . . . . . . . . . . . . . . 20
7.15. Symbols (O) . . . . . . . . . . . . . . . . . . . . . . . 20 7.15. Symbols (O) . . . . . . . . . . . . . . . . . . . . . . . 20
7.16. Punctuation (P) . . . . . . . . . . . . . . . . . . . . . 20 7.16. Punctuation (P) . . . . . . . . . . . . . . . . . . . . . 20
7.17. HasCompat (Q) . . . . . . . . . . . . . . . . . . . . . . 21 7.17. HasCompat (Q) . . . . . . . . . . . . . . . . . . . . . . 21
7.18. OtherLetterDigits (R) . . . . . . . . . . . . . . . . . . 21 7.18. OtherLetterDigits (R) . . . . . . . . . . . . . . . . . . 21
skipping to change at page 8, line 15 skipping to change at page 8, line 15
Although the PRECIS IdentifierClass re-uses the LetterDigits category Although the PRECIS IdentifierClass re-uses the LetterDigits category
from IDNA2008, the range of characters allowed in the IdentifierClass from IDNA2008, the range of characters allowed in the IdentifierClass
is wider than the range of characters allowed in IDNA2008. The main is wider than the range of characters allowed in IDNA2008. The main
reason is that IDNA2008 applies the Unstable category before the reason is that IDNA2008 applies the Unstable category before the
LetterDigits category, thus disallowing uppercase characters, whereas LetterDigits category, thus disallowing uppercase characters, whereas
the IdentifierClass does not apply the Unstable category. the IdentifierClass does not apply the Unstable category.
3.2.2. Contextual Rule Required 3.2.2. Contextual Rule Required
o Certain characters from the Exceptions ("F") category defined o A number of characters from the Exceptions ("F") category defined
under Section 7.5. under Section 7.6 (see Section 7.6 for a full list).
o Joining characters, i.e., the JoinControl ("H") category defined o Joining characters, i.e., the JoinControl ("H") category defined
under Section 7.8. under Section 7.8.
3.2.3. Disallowed 3.2.3. Disallowed
o Control characters, i.e., the Controls ("L") category defined o Control characters, i.e., the Controls ("L") category defined
under Section 7.12. under Section 7.12.
o Ignorable characters, i.e., the PrecisIgnorableProperties ("M") o Ignorable characters, i.e., the PrecisIgnorableProperties ("M")
category defined under Section 7.13. category defined under Section 7.13.
o Space characters, i.e., the Spaces ("N") category defined under o Space characters, i.e., the Spaces ("N") category defined under
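Review bot: the reworded bullet in 3.2.2, "defined under Section 7.6 (see Section 7.6 for a full list)", names the same section twice in one sentence; the substantive fix here is the cross-reference (7.5 is LDH in the table of contents, 7.6 is Exceptions), so a single pointer such as "from the Exceptions ("F") category, listed in full under Section 7.6" carries the same information. The identical bullet in 3.3.2 receives the same edit and has the same redundancy. "A number of characters" is also vaguer than the old "Certain characters"; if the intent is that only part of the Exceptions category is contextual while the rest is valid or disallowed outright, the bullet should say that, because an implementer of the IdentifierClass needs to know that membership in "F" alone does not determine the derived property.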
skipping to change at page 9, line 34 skipping to change at page 9, line 34
HasCompat ("Q") category defined under Section 7.17. HasCompat ("Q") category defined under Section 7.17.
o Space characters, i.e., the Spaces ("N") category defined under o Space characters, i.e., the Spaces ("N") category defined under
Section 7.14. Section 7.14.
o Symbol characters, i.e., the Symbols ("O") category defined under o Symbol characters, i.e., the Symbols ("O") category defined under
Section 7.15. Section 7.15.
o Punctuation characters, i.e., the Punctuation ("P") category o Punctuation characters, i.e., the Punctuation ("P") category
defined under Section 7.16. defined under Section 7.16.
3.3.2. Contextual Rule Required 3.3.2. Contextual Rule Required
o Certain characters from the Exceptions ("F") category defined o A number of characters from the Exceptions ("F") category defined
under Section 7.5. under Section 7.6 (see Section 7.6 for a full list).
o Joining characters, i.e., the JoinControl ("H") category defined o Joining characters, i.e., the JoinControl ("H") category defined
under Section 7.8. under Section 7.8.
3.3.3. Disallowed 3.3.3. Disallowed
o Control characters, i.e., the Controls ("L") category defined o Control characters, i.e., the Controls ("L") category defined
under Section 7.12. under Section 7.12.
o Ignorable characters, i.e., the PrecisIgnorableProperties ("M") o Ignorable characters, i.e., the PrecisIgnorableProperties ("M")
category defined under Section 7.13. category defined under Section 7.13.
skipping to change at page 11, line 17 skipping to change at page 11, line 17
4.1.3. Case Mapping 4.1.3. Case Mapping
The case mapping rule of a profile specifies whether case mapping is The case mapping rule of a profile specifies whether case mapping is
performed (instead of case preservation) on uppercase and titlecase performed (instead of case preservation) on uppercase and titlecase
characters, and how the mapping is done (e.g., mapping uppercase and characters, and how the mapping is done (e.g., mapping uppercase and
titlecase characters to their lowercase equivalents). titlecase characters to their lowercase equivalents).
Use of the Unicode Default Case Folding algorithm is RECOMMENDED. Use of the Unicode Default Case Folding algorithm is RECOMMENDED.
In general, the combination of case preservation and case-insensitive
comparison of internationalized strings is NOT RECOMMENDED; instead,
application protocols SHOULD either (a) not preserve case but perform
case-insensitive comparison or (b) preserve case but perform case-
sensitive comparison.
In order to maximize entropy and minimize the potential for false In order to maximize entropy and minimize the potential for false
positives, it is NOT RECOMMENDED for application protocols to map positives, it is NOT RECOMMENDED for application protocols to map
uppercase and titlecase code points to their lowercase equivalents uppercase and titlecase code points to their lowercase equivalents
when strings conforming to the FreeformClass, or a profile thereof, when strings conforming to the FreeformClass, or a profile thereof,
are used in passwords; instead, it is RECOMMENDED to preserve the are used in passwords; instead, it is RECOMMENDED to preserve the
case of all code points contained in such strings and then perform case of all code points contained in such strings and then perform
case-sensitive comparison. See also the related discussion in case-sensitive comparison. See also the related discussion in
[I-D.ietf-precis-saslprepbis]. [I-D.ietf-precis-saslprepbis].
4.1.4. Normalization 4.1.4. Normalization
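Review bot: the added paragraph ("In general, the combination of case preservation and case-insensitive comparison ... is NOT RECOMMENDED") states the rule without its reason, and the paragraph after it only motivates the password case. One sentence would make the SHOULD actionable: an identifier that is stored case-preserved but compared case-insensitively binds two distinct strings to one account while displaying a different form to each party, which is exactly the false-positive class that the Security Considerations warn about; either of the two consistent options (fold at enforcement and compare the folded form, or preserve and compare exactly) removes that ambiguity. Separately, the section describes the mapping in two ways that are not the same operation: "mapping uppercase and titlecase characters to their lowercase equivalents" is a lowercase mapping, while the RECOMMENDED "Unicode Default Case Folding" is a case folding, and they differ for some code points (U+03C2 GREEK SMALL LETTER FINAL SIGMA folds to U+03C3 but lowercases to itself; U+00DF LATIN SMALL LETTER SHARP S full-folds to "ss" but lowercases to itself). Since a profile's case mapping rule decides whether two peers compute the same string, the text should commit to one operation and, for case folding, say whether simple or full folding is meant.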
skipping to change at page 23, line 37 skipping to change at page 23, line 37
IANA is requested to create a registry of profiles that use the IANA is requested to create a registry of profiles that use the
PRECIS string classes. In accordance with [RFC5226], the PRECIS string classes. In accordance with [RFC5226], the
registration policy is "Expert Review". This policy was chosen in registration policy is "Expert Review". This policy was chosen in
order to ensure that "customers" of PRECIS receive appropriate order to ensure that "customers" of PRECIS receive appropriate
guidance regarding the sometimes complex and subtle guidance regarding the sometimes complex and subtle
internationalization issues related to profiles of PRECIS string internationalization issues related to profiles of PRECIS string
classes. classes.
The registration template is as follows: The registration template is as follows:
Profile: [the name of the profile] Name: [the name of the profile]
Applicability: [the specific protocol elements to which this profile Applicability: [the specific protocol elements to which this profile
applies, e.g., "Localparts in XMPP addresses."] applies, e.g., "Localparts in XMPP addresses."]
Base Class: [which PRECIS string class is being profiled] Base Class: [which PRECIS string class is being profiled]
Replaces: [the Stringprep profile that this PRECIS profile replaces, Replaces: [the Stringprep profile that this PRECIS profile replaces,
if any] if any]
Width Mapping: [the behavioral rule for handling of width, e.g., Width Mapping: [the behavioral rule for handling of width, e.g.,
"Map fullwidth and halfwidth characters to their decomposition "Map fullwidth and halfwidth characters to their decomposition
equivalents."] equivalents."]
Additional Mappings: [any additional mappings are required or Additional Mappings: [any additional mappings are required or
recommended, e.g., "Map non-ASCII space characters to ASCII recommended, e.g., "Map non-ASCII space characters to ASCII
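Review bot: renaming the first template field from "Profile" to "Name" is fine, but any other text that tells registrants to fill in the "Profile" field needs the same rename so the instructions and the template agree. A grammar point on an unchanged line of the template: "Additional Mappings: [any additional mappings are required or recommended, ...]" should read "any additional mappings that are required or recommended". For the expert reviewer the "Replaces:" field is the one that matters most: a PRECIS profile that replaces a Stringprep profile changes which strings an existing deployment treats as equal, so it would help if the template asked the registrant to state whether strings that were valid under the replaced profile become invalid, or compare differently, under the new one.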
skipping to change at page 25, line 22 skipping to change at page 25, line 22
authentication and authorization decisions, and the security of an authentication and authorization decisions, and the security of an
application could be compromised if an entity providing a given application could be compromised if an entity providing a given
string is connected to the wrong account or online resource based on string is connected to the wrong account or online resource based on
different interpretations of the string. different interpretations of the string.
Specifications of application protocols that use this framework are Specifications of application protocols that use this framework are
encouraged to describe how internationalized strings are used in the encouraged to describe how internationalized strings are used in the
protocol, including the security implications of any false positives protocol, including the security implications of any false positives
and false negatives that might result from various comparison and false negatives that might result from various comparison
operations. For some helpful guidelines, refer to [RFC6943], operations. For some helpful guidelines, refer to [RFC6943],
[RFC5890], [UTR36], and [UTR39]. [RFC5890], [UTR36], and [UTS39].
10.2. Use of the IdentifierClass 10.2. Use of the IdentifierClass
Strings that conform to the IdentifierClass and any profile thereof Strings that conform to the IdentifierClass and any profile thereof
are intended to be relatively safe for use in a broad range of are intended to be relatively safe for use in a broad range of
applications, primarily because they include only letters, digits, applications, primarily because they include only letters, digits,
and "grandfathered" non-space characters from the ASCII range; thus and "grandfathered" non-space characters from the ASCII range; thus
they exclude spaces, characters with compatibility equivalents, and they exclude spaces, characters with compatibility equivalents, and
almost all symbols and punctuation marks. However, because such almost all symbols and punctuation marks. However, because such
strings can still include so-called confusable characters (see strings can still include so-called confusable characters (see
skipping to change at page 27, line 7 skipping to change at page 27, line 7
characters might be the fake string.) Because PRECIS-compliant characters might be the fake string.) Because PRECIS-compliant
strings can contain almost any properly-encoded Unicode code point, strings can contain almost any properly-encoded Unicode code point,
it can be relatively easy to fake or mimic some strings in systems it can be relatively easy to fake or mimic some strings in systems
that use the PRECIS framework. The fact that some strings are easily that use the PRECIS framework. The fact that some strings are easily
confused introduces security vulnerabilities of the kind that have confused introduces security vulnerabilities of the kind that have
also plagued the World Wide Web, specifically the phenomenon known as also plagued the World Wide Web, specifically the phenomenon known as
phishing. phishing.
Despite the fact that some specific suggestions about identification Despite the fact that some specific suggestions about identification
and handling of confusable characters appear in the Unicode Security and handling of confusable characters appear in the Unicode Security
Considerations [UTR36], it is also true (as noted in [RFC5890]) that Considerations [UTR36] and the Unicode Security Mechanisms [UTS39],
"there are no comprehensive technical solutions to the problems of it is also true (as noted in [RFC5890]) that "there are no
confusable characters". Because it is impossible to map visually comprehensive technical solutions to the problems of confusable
similar characters without a great deal of context (such as knowing characters". Because it is impossible to map visually similar
the font families used), the PRECIS framework does nothing to map characters without a great deal of context (such as knowing the font
similar-looking characters together, nor does it prohibit some families used), the PRECIS framework does nothing to map similar-
characters because they look like others. looking characters together, nor does it prohibit some characters
because they look like others.
Nevertheless, specifications for application protocols that use this Nevertheless, specifications for application protocols that use this
framework MUST describe how confusable characters can be used to framework MUST describe how confusable characters can be used to
compromise the security of systems that use the protocol in question, compromise the security of systems that use the protocol in question,
along with any protocol-specific suggestions for overcoming those along with any protocol-specific suggestions for overcoming those
threats. In particular, software implementations and service threats. In particular, software implementations and service
deployments that use PRECIS-based technologies are strongly deployments that use PRECIS-based technologies are strongly
encouraged to define and implement consistent policies regarding the encouraged to define and implement consistent policies regarding the
registration, storage, and presentation of visually similar registration, storage, and presentation of visually similar
characters. The following recommendations are appropriate: characters. The following recommendations are appropriate:
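Review bot: the paragraph now cites [UTS39] next to [UTR36] but still says the framework "does nothing" about confusables and quotes [RFC5890] that there are "no comprehensive technical solutions"; a reader can take that as permission to do nothing. Since UTS #39 is the very mechanism implementers are being pointed to (confusable-skeleton comparison and mixed-script restriction), the text should say where such a check belongs: at the application layer, at registration or lookup time, after PRECIS enforcement, and not as part of string preparation itself. Note also that the MUST in this paragraph ("MUST describe how confusable characters can be used to compromise the security") binds specification authors, while the next sentence only "strongly encourage[s]" implementations and deployments to adopt a policy; if the working group intends deployments of identifier-carrying protocols to apply some confusable policy, that intent should be expressed with a 2119 keyword as well.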
skipping to change at page 29, line 23 skipping to change at page 29, line 25
of Unicode as of the time of this writing (6.2), treats the character of Unicode as of the time of this writing (6.2), treats the character
U+19DA NEW TAI LUE THAM as DISALLOWED. Implementers need to be aware U+19DA NEW TAI LUE THAM as DISALLOWED. Implementers need to be aware
that this treatment is different from IDNA2008 (originally defined in that this treatment is different from IDNA2008 (originally defined in
terms of Unicode 5.2), which treats U+19DA as PVALID. terms of Unicode 5.2), which treats U+19DA as PVALID.
12. References 12. References
12.1. Normative References 12.1. Normative References
[I-D.ietf-precis-mappings] [I-D.ietf-precis-mappings]
Yoneya, Y. and T. NEMOTO, "Mapping characters for precis Yoneya, Y. and T. NEMOTO, "Mapping characters for PRECIS
classes", draft-ietf-precis-mappings-03 (work in classes", draft-ietf-precis-mappings-04 (work in
progress), August 2013. progress), October 2013.
[RFC20] Cerf, V., "ASCII format for network interchange", RFC 20, [RFC20] Cerf, V., "ASCII format for network interchange", RFC 20,
October 1969. October 1969.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network [RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network
Interchange", RFC 5198, March 2008. Interchange", RFC 5198, March 2008.
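Review bot: [I-D.ietf-precis-mappings] is bumped to -04 but remains a normative reference to a work in progress, so publication of this document will be held until that draft is approved; confirm it is on the same track, or move it to the informative list if this document does not actually depend on its contents. On the Unicode-version note just above the references: the U+19DA NEW TAI LUE THAM example (DISALLOWED under the Unicode 6.2 derivation here, PVALID under IDNA2008 as defined for Unicode 5.2) is exactly the situation in which two implementations built from different Unicode tables disagree on whether a string is valid, so it is worth recommending that implementations record which Unicode version their derived-property table was generated from and that comparison partners check for agreement.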
skipping to change at page 29, line 49 skipping to change at page 29, line 51
12.2. Informative References 12.2. Informative References
[I-D.ietf-precis-nickname] [I-D.ietf-precis-nickname]
Saint-Andre, P., "Preparation and Comparison of Saint-Andre, P., "Preparation and Comparison of
Nicknames", draft-ietf-precis-nickname-06 (work in Nicknames", draft-ietf-precis-nickname-06 (work in
progress), July 2013. progress), July 2013.
[I-D.ietf-precis-saslprepbis] [I-D.ietf-precis-saslprepbis]
Saint-Andre, P. and A. Melnikov, "Username and Password Saint-Andre, P. and A. Melnikov, "Username and Password
Preparation Algorithms", draft-ietf-precis-saslprepbis-02 Preparation Algorithms", draft-ietf-precis-saslprepbis-04
(work in progress), April 2013. (work in progress), August 2013.
[I-D.ietf-xmpp-6122bis] [I-D.ietf-xmpp-6122bis]
Saint-Andre, P., "Extensible Messaging and Presence Saint-Andre, P., "Extensible Messaging and Presence
Protocol (XMPP): Address Format", Protocol (XMPP): Address Format",
draft-ietf-xmpp-6122bis-07 (work in progress), April 2013. draft-ietf-xmpp-6122bis-07 (work in progress), April 2013.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)", "Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000. RFC 2865, June 2000.
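Review bot: [I-D.ietf-precis-saslprepbis] is advanced to -04 (August 2013) while [I-D.ietf-xmpp-6122bis] stays at -07 (April 2013) and [I-D.ietf-precis-nickname] at -06 (July 2013); check that those two are still the current revisions, since Section 4.1.3 sends readers to saslprepbis for password handling and stale pointers in the same list are easy to miss.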
skipping to change at page 31, line 51 skipping to change at page 32, line 5
<http://unicode.org/reports/tr11/>. <http://unicode.org/reports/tr11/>.
[UAX15] The Unicode Consortium, "Unicode Standard Annex #15: [UAX15] The Unicode Consortium, "Unicode Standard Annex #15:
Unicode Normalization Forms", August 2012, Unicode Normalization Forms", August 2012,
<http://unicode.org/reports/tr15/>. <http://unicode.org/reports/tr15/>.
[UTR36] The Unicode Consortium, "Unicode Technical Report #36: [UTR36] The Unicode Consortium, "Unicode Technical Report #36:
Unicode Security Considerations", July 2012, Unicode Security Considerations", July 2012,
<http://unicode.org/reports/tr36/>. <http://unicode.org/reports/tr36/>.
[UTR39] The Unicode Consortium, "Unicode Technical Report #39: [UTS39] The Unicode Consortium, "Unicode Technical Standard #39:
Unicode Security Mechanisms", July 2012, Unicode Security Mechanisms", July 2012,
<http://unicode.org/reports/tr39/>. <http://unicode.org/reports/tr39/>.
URIs URIs
[1] <http://unicode.org/Public/UNIDATA/PropertyAliases.txt> [1] <http://unicode.org/Public/UNIDATA/PropertyAliases.txt>
[2] <http://unicode.org/Public/UNIDATA/DerivedCoreProperties.txt> [2] <http://unicode.org/Public/UNIDATA/DerivedCoreProperties.txt>
Appendix A. Codepoint Table Appendix A. Codepoint Table
 End of changes. 14 change blocks. 
30 lines changed or deleted 25 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/