draft-ietf-precis-framework-18.txt   draft-ietf-precis-framework-19.txt 
PRECIS P. Saint-Andre PRECIS P. Saint-Andre
Internet-Draft &yet Internet-Draft &yet
Obsoletes: 3454 (if approved) M. Blanchet Obsoletes: 3454 (if approved) M. Blanchet
Intended status: Standards Track Viagenie Intended status: Standards Track Viagenie
Expires: March 6, 2015 September 2, 2014 Expires: April 26, 2015 October 23, 2014
PRECIS Framework: Preparation and Comparison of Internationalized PRECIS Framework: Preparation, Enforcement, and Comparison of
Strings in Application Protocols Internationalized Strings in Application Protocols
draft-ietf-precis-framework-18 draft-ietf-precis-framework-19
Abstract Abstract
Application protocols using Unicode characters in protocol strings Application protocols using Unicode characters in protocol strings
need to properly prepare such strings in order to perform valid need to properly handle such strings in order to enforce
internationalization rules for strings placed in various protocol
slots (such as addresses and identifiers) and to perform valid
comparison operations (e.g., for purposes of authentication or comparison operations (e.g., for purposes of authentication or
authorization). This document defines a framework enabling authorization). This document defines a framework enabling
application protocols to perform the preparation and comparison of application protocols to perform the preparation, enforcements, and
internationalized strings ("PRECIS") in a way that depends on the comparison of internationalized strings ("PRECIS") in a way that
properties of Unicode characters and thus is agile with respect to depends on the properties of Unicode characters and thus is agile
versions of Unicode. As a result, this framework provides a more with respect to versions of Unicode. As a result, this framework
sustainable approach to the handling of internationalized strings provides a more sustainable approach to the handling of
than the previous framework, known as Stringprep (RFC 3454). This internationalized strings than the previous framework, known as
document obsoletes RFC 3454. Stringprep (RFC 3454). This document obsoletes RFC 3454.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 6, 2015. This Internet-Draft will expire on April 26, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
3. String Classes . . . . . . . . . . . . . . . . . . . . . . . 6 3. Preparation, Enforcement, and Comparison . . . . . . . . . . 6
3.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 6 4. String Classes . . . . . . . . . . . . . . . . . . . . . . . 7
3.2. IdentifierClass . . . . . . . . . . . . . . . . . . . . . 7 4.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 7
3.2.1. Valid . . . . . . . . . . . . . . . . . . . . . . . . 7 4.2. IdentifierClass . . . . . . . . . . . . . . . . . . . . . 8
3.2.2. Contextual Rule Required . . . . . . . . . . . . . . 8 4.2.1. Valid . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2.3. Disallowed . . . . . . . . . . . . . . . . . . . . . 8 4.2.2. Contextual Rule Required . . . . . . . . . . . . . . 9
3.2.4. Unassigned . . . . . . . . . . . . . . . . . . . . . 9 4.2.3. Disallowed . . . . . . . . . . . . . . . . . . . . . 9
3.2.5. Examples . . . . . . . . . . . . . . . . . . . . . . 9 4.2.4. Unassigned . . . . . . . . . . . . . . . . . . . . . 10
3.3. FreeformClass . . . . . . . . . . . . . . . . . . . . . . 9 4.2.5. Examples . . . . . . . . . . . . . . . . . . . . . . 10
3.3.1. Valid . . . . . . . . . . . . . . . . . . . . . . . . 9 4.3. FreeformClass . . . . . . . . . . . . . . . . . . . . . . 10
3.3.2. Contextual Rule Required . . . . . . . . . . . . . . 10 4.3.1. Valid . . . . . . . . . . . . . . . . . . . . . . . . 10
3.3.3. Disallowed . . . . . . . . . . . . . . . . . . . . . 10 4.3.2. Contextual Rule Required . . . . . . . . . . . . . . 11
3.3.4. Unassigned . . . . . . . . . . . . . . . . . . . . . 10 4.3.3. Disallowed . . . . . . . . . . . . . . . . . . . . . 11
3.3.5. Examples . . . . . . . . . . . . . . . . . . . . . . 10 4.3.4. Unassigned . . . . . . . . . . . . . . . . . . . . . 11
4. Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . 11 4.3.5. Examples . . . . . . . . . . . . . . . . . . . . . . 12
4.1. Principles . . . . . . . . . . . . . . . . . . . . . . . 11 5. Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.1.1. Width Mapping . . . . . . . . . . . . . . . . . . . . 11 5.1. Profiles Must Not Be Multiplied Beyond Necessity . . . . 12
4.1.2. Additional Mappings . . . . . . . . . . . . . . . . . 12 5.2. Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.1.3. Case Mapping . . . . . . . . . . . . . . . . . . . . 12 5.2.1. Width Mapping Rule . . . . . . . . . . . . . . . . . 13
4.1.4. Normalization . . . . . . . . . . . . . . . . . . . . 12 5.2.2. Additional Mapping Rule . . . . . . . . . . . . . . . 13
4.1.5. Directionality . . . . . . . . . . . . . . . . . . . 12 5.2.3. Case Mapping Rule . . . . . . . . . . . . . . . . . . 14
4.1.6. Exclusions . . . . . . . . . . . . . . . . . . . . . 13 5.2.4. Normalization Rule . . . . . . . . . . . . . . . . . 14
4.2. Building Application-Layer Constructs . . . . . . . . . . 13 5.2.5. Exclusion Rule . . . . . . . . . . . . . . . . . . . 14
4.3. A Note about Spaces . . . . . . . . . . . . . . . . . . . 14 5.2.6. Directionality Rule . . . . . . . . . . . . . . . . . 15
5. Order of Operations . . . . . . . . . . . . . . . . . . . . . 14 5.3. Building Application-Layer Constructs . . . . . . . . . . 15
6. Code Point Properties . . . . . . . . . . . . . . . . . . . . 15 5.4. A Note about Spaces . . . . . . . . . . . . . . . . . . . 16
7. Category Definitions Used to Calculate Derived Property . . . 18 6. Order of Operations . . . . . . . . . . . . . . . . . . . . . 17
7.1. LetterDigits (A) . . . . . . . . . . . . . . . . . . . . 18 7. Code Point Properties . . . . . . . . . . . . . . . . . . . . 17
7.2. Unstable (B) . . . . . . . . . . . . . . . . . . . . . . 18 8. Category Definitions Used to Calculate Derived Property . . . 20
7.3. IgnorableProperties (C) . . . . . . . . . . . . . . . . . 19 8.1. LetterDigits (A) . . . . . . . . . . . . . . . . . . . . 20
7.4. IgnorableBlocks (D) . . . . . . . . . . . . . . . . . . . 19 8.2. Unstable (B) . . . . . . . . . . . . . . . . . . . . . . 21
7.5. LDH (E) . . . . . . . . . . . . . . . . . . . . . . . . . 19 8.3. IgnorableProperties (C) . . . . . . . . . . . . . . . . . 21
7.6. Exceptions (F) . . . . . . . . . . . . . . . . . . . . . 19 8.4. IgnorableBlocks (D) . . . . . . . . . . . . . . . . . . . 21
7.7. BackwardCompatible (G) . . . . . . . . . . . . . . . . . 19 8.5. LDH (E) . . . . . . . . . . . . . . . . . . . . . . . . . 21
7.8. JoinControl (H) . . . . . . . . . . . . . . . . . . . . . 19 8.6. Exceptions (F) . . . . . . . . . . . . . . . . . . . . . 21
7.9. OldHangulJamo (I) . . . . . . . . . . . . . . . . . . . . 20 8.7. BackwardCompatible (G) . . . . . . . . . . . . . . . . . 21
7.10. Unassigned (J) . . . . . . . . . . . . . . . . . . . . . 20 8.8. JoinControl (H) . . . . . . . . . . . . . . . . . . . . . 22
7.11. ASCII7 (K) . . . . . . . . . . . . . . . . . . . . . . . 20 8.9. OldHangulJamo (I) . . . . . . . . . . . . . . . . . . . . 22
7.12. Controls (L) . . . . . . . . . . . . . . . . . . . . . . 20 8.10. Unassigned (J) . . . . . . . . . . . . . . . . . . . . . 22
7.13. PrecisIgnorableProperties (M) . . . . . . . . . . . . . . 20 8.11. ASCII7 (K) . . . . . . . . . . . . . . . . . . . . . . . 22
7.14. Spaces (N) . . . . . . . . . . . . . . . . . . . . . . . 21 8.12. Controls (L) . . . . . . . . . . . . . . . . . . . . . . 22
7.15. Symbols (O) . . . . . . . . . . . . . . . . . . . . . . . 21 8.13. PrecisIgnorableProperties (M) . . . . . . . . . . . . . . 22
7.16. Punctuation (P) . . . . . . . . . . . . . . . . . . . . . 21 8.14. Spaces (N) . . . . . . . . . . . . . . . . . . . . . . . 23
7.17. HasCompat (Q) . . . . . . . . . . . . . . . . . . . . . . 21 8.15. Symbols (O) . . . . . . . . . . . . . . . . . . . . . . . 23
7.18. OtherLetterDigits (R) . . . . . . . . . . . . . . . . . . 21 8.16. Punctuation (P) . . . . . . . . . . . . . . . . . . . . . 23
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 8.17. HasCompat (Q) . . . . . . . . . . . . . . . . . . . . . . 23
8.1. PRECIS Derived Property Value Registry . . . . . . . . . 21 8.18. OtherLetterDigits (R) . . . . . . . . . . . . . . . . . . 23
8.2. PRECIS Base Classes Registry . . . . . . . . . . . . . . 22 9. Guidelines for Designated Experts . . . . . . . . . . . . . . 24
8.3. PRECIS Profiles Registry . . . . . . . . . . . . . . . . 22 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24
9. Security Considerations . . . . . . . . . . . . . . . . . . . 24 10.1. PRECIS Derived Property Value Registry . . . . . . . . . 24
9.1. General Issues . . . . . . . . . . . . . . . . . . . . . 24 10.2. PRECIS Base Classes Registry . . . . . . . . . . . . . . 24
9.2. Use of the IdentifierClass . . . . . . . . . . . . . . . 25 10.3. PRECIS Profiles Registry . . . . . . . . . . . . . . . . 25
9.3. Use of the FreeformClass . . . . . . . . . . . . . . . . 25 11. Security Considerations . . . . . . . . . . . . . . . . . . . 27
9.4. Local Character Set Issues . . . . . . . . . . . . . . . 26 11.1. General Issues . . . . . . . . . . . . . . . . . . . . . 27
9.5. Visually Similar Characters . . . . . . . . . . . . . . . 26 11.2. Use of the IdentifierClass . . . . . . . . . . . . . . . 28
9.6. Security of Passwords . . . . . . . . . . . . . . . . . . 28 11.3. Use of the FreeformClass . . . . . . . . . . . . . . . . 28
10. Interoperability Considerations . . . . . . . . . . . . . . . 29 11.4. Local Character Set Issues . . . . . . . . . . . . . . . 28
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 29 11.5. Visually Similar Characters . . . . . . . . . . . . . . 28
11.1. Normative References . . . . . . . . . . . . . . . . . . 29 11.6. Security of Passwords . . . . . . . . . . . . . . . . . 30
11.2. Informative References . . . . . . . . . . . . . . . . . 30 12. Interoperability Considerations . . . . . . . . . . . . . . . 31
11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 32 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 32
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 32 13.1. Normative References . . . . . . . . . . . . . . . . . . 32
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 13.2. Informative References . . . . . . . . . . . . . . . . . 32
13.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 35
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 36
1. Introduction 1. Introduction
As described in the problem statement for the preparation and Application protocols using Unicode characters [Unicode7.0] in
comparison of internationalized strings ("PRECIS") [RFC6885], many protocol strings need to properly handle such strings in order to
IETF protocols have used the Stringprep framework [RFC3454] as the enforce internationalization rules for strings placed in various
basis for preparing and comparing protocol strings that contain protocol slots (such as addresses and identifiers) and to perform
Unicode characters [Unicode7.0] outside the ASCII range [RFC20]. The valid comparison operations (e.g., for purposes of authentication or
Stringprep framework was developed during work on the original authorization). This document defines a framework enabling
technology for internationalized domain names (IDNs), here called application protocols to perform the preparation, enforcement, and
"IDNA2003" [RFC3490], and Nameprep [RFC3491] was the Stringprep comparison of internationalized strings ("PRECIS") in a way that
profile for IDNs. At the time, Stringprep was designed as a general depends on the properties of Unicode characters and thus is agile
framework so that other application protocols could define their own with respect to versions of Unicode.
Stringprep profiles for the preparation and comparison of strings and
identifiers. Indeed, a number of application protocols defined such As described in the PRECIS problem statement [RFC6885], many IETF
profiles. protocols have used the Stringprep framework [RFC3454] as the basis
for preparing, enforcing, and comparing protocol strings that contain
Unicode characters, especially characters outside the ASCII range
[RFC20]. The Stringprep framework was developed during work on the
original technology for internationalized domain names (IDNs), here
called "IDNA2003" [RFC3490], and Nameprep [RFC3491] was the
Stringprep profile for IDNs. At the time, Stringprep was designed as
a general framework so that other application protocols could define
their own Stringprep profiles. Indeed, a number of application
protocols defined such profiles.
After the publication of [RFC3454] in 2002, several significant After the publication of [RFC3454] in 2002, several significant
issues arose with the use of Stringprep in the IDN case, as issues arose with the use of Stringprep in the IDN case, as
documented in the IAB's recommendations regarding IDNs [RFC4690] documented in the IAB's recommendations regarding IDNs [RFC4690]
(most significantly, Stringprep was tied to Unicode version 3.2). (most significantly, Stringprep was tied to Unicode version 3.2).
Therefore, the newer IDNA specifications, here called "IDNA2008" Therefore, the newer IDNA specifications, here called "IDNA2008"
([RFC5890], [RFC5891], [RFC5892], [RFC5893], [RFC5894]), no longer ([RFC5890], [RFC5891], [RFC5892], [RFC5893], [RFC5894]), no longer
use Stringprep and Nameprep. This migration away from Stringprep for use Stringprep and Nameprep. This migration away from Stringprep for
IDNs has prompted other "customers" of Stringprep to consider new IDNs prompted other "customers" of Stringprep to consider new
approaches to the preparation and comparison of internationalized approaches to the preparation, enforcement, and comparison of
strings, as described in [RFC6885]. internationalized strings, as described in [RFC6885].
This document defines a framework for a post-Stringprep approach to This document defines a framework for a post-Stringprep approach to
the preparation and comparison of internationalized strings in the preparation, enforcement, and comparison of internationalized
application protocols, based on several principles: strings in application protocols, based on several principles:
1. Define a small set of string classes that specify the Unicode 1. Define a small set of string classes that specify the Unicode
characters (i.e., specific "code points") appropriate for common characters (i.e., specific "code points") appropriate for common
application protocol constructs. application protocol constructs.
2. Define each PRECIS string class in terms of Unicode code points 2. Define each PRECIS string class in terms of Unicode code points
and their properties so that an algorithm can be used to and their properties so that an algorithm can be used to
determine whether each code point or character category is (a) determine whether each code point or character category is (a)
valid, (b) allowed in certain contexts, (c) disallowed, or (d) valid, (b) allowed in certain contexts, (c) disallowed, or (d)
unassigned. unassigned.
3. Use an "inclusion model" such that a string class consists only 3. Use an "inclusion model" such that a string class consists only
of code points that are explicitly allowed, with the result that of code points that are explicitly allowed, with the result that
any code point not explicitly allowed is forbidden. any code point not explicitly allowed is forbidden.
4. Enable application protocols to define profiles of the PRECIS 4. Enable application protocols to define profiles of the PRECIS
string classes, addressing matters such as width mapping, case string classes if necessary, addressing matters such as width
folding and other forms of character mapping, Unicode mapping, case mapping, Unicode normalization, directionality, and
normalization, directionality, and further excluded code points further excluded code points or character categories.
or character categories.
It is expected that this framework will yield the following benefits:
o Application protocols will be agile with regard to Unicode
versions.
o Implementers will be able to share code point tables and software
code across application protocols, most likely by means of
software libraries.
o End users will be able to acquire more accurate expectations about
the characters that are acceptable in various contexts. Given
this more uniform set of string classes, it is also expected that
copy/paste operations between software implementing different
application protocols will be more predictable and coherent.
Whereas the string classes define the "baseline" code points for a Whereas the string classes define the "baseline" code points for a
range of applications, profiling enables application protocols to range of applications, profiling enables application protocols to
further restrict the allowable code points beyond those specified for further restrict the allowable code points beyond those specified for
the relevant string class (e.g., characters with special or reserved the relevant string class (e.g., characters with special or reserved
meaning, such as "@" and "/" when used as separators within meaning, such as "@" and "/" when used as separators within
identifiers) and to apply the string classes in ways that are identifiers) and to apply the string classes in ways that are
appropriate for constructs such as usernames and passwords appropriate for constructs such as usernames and passwords
[I-D.ietf-precis-saslprepbis], nicknames [I-D.ietf-precis-nickname], [I-D.ietf-precis-saslprepbis], nicknames [I-D.ietf-precis-nickname],
the localparts of instant messaging addresses the localparts of instant messaging addresses
skipping to change at page 5, line 10 skipping to change at page 5, line 40
[I-D.ietf-xmpp-6122bis]. Profiles are responsible for defining the [I-D.ietf-xmpp-6122bis]. Profiles are responsible for defining the
handling of right-to-left characters as well as various mapping handling of right-to-left characters as well as various mapping
operations of the kind also discussed for IDNs in [RFC5895], such as operations of the kind also discussed for IDNs in [RFC5895], such as
case preservation or lowercasing, Unicode normalization, mapping of case preservation or lowercasing, Unicode normalization, mapping of
certain characters to other characters or to nothing, and mapping of certain characters to other characters or to nothing, and mapping of
full-width and half-width characters. full-width and half-width characters.
When an application applies a profile of a PRECIS string class, it When an application applies a profile of a PRECIS string class, it
can achieve the following objectives: can achieve the following objectives:
a. Determine if a given string conforms to the profile (e.g. to a. Determine if a given string conforms to the profile, thus
determine if it is allowed for use in the relevant "slot" enabling enforcement of the rules (e.g., to determine if a string
specified by an application protocol). is allowed for use in the relevant "slot" specified by an
application protocol).
b. Determine if any two given strings are equivalent (e.g., to make
an access decision for purposes of authentication or
authorization as further described in [RFC6943]).
It is expected that this framework will yield the following benefits:
o Application protocols will be agile with regard to Unicode
versions.
o Implementers will be able to share code point tables and software b. Determine if any two given strings are equivalent, thus enabling
code across application protocols, most likely by means of comparision (e.g., to make an access decision for purposes of
software libraries. authentication or authorization as further described in
[RFC6943]).
o End users will be able to acquire more accurate expectations about The opportunity to define profiles naturally introduces the
the characters that are acceptable in various contexts. Given possibility of a proliferation of profiles, thus potentially
this more uniform set of string classes, it is also expected that mitigating the benefits of common code and violating user
copy/paste operations between software implementing different expectations. See Section 5 for a discussion of this important
application protocols will be more predictable and coherent. topic.
Although this framework is similar to IDNA2008 and borrows some of Although this framework is similar to IDNA2008 and borrows some of
the character categories defined in [RFC5892], it defines additional the character categories defined in [RFC5892], it defines additional
character categories to meet the needs of common application character categories to meet the needs of common application
protocols. protocols.
The character categories and calculation rules defined under The character categories and calculation rules defined under
Section 7 and Section 6 are normative and apply to all Unicode code Section 7 and Section 8 are normative and apply to all Unicode code
points. The code point table that results from applying the points. The code point table that results from applying the
character categories and calculation rules to the latest version of character categories and calculation rules to the latest version of
Unicode are provided in an IANA registry. Unicode are provided in an IANA registry.
2. Terminology 2. Terminology
Many important terms used in this document are defined in [RFC5890], Many important terms used in this document are defined in [RFC5890],
[RFC6365], [RFC6885], and [Unicode7.0]. The terms "left-to-right" [RFC6365], [RFC6885], and [Unicode7.0]. The terms "left-to-right"
(LTR) and "right-to-left" (RTL) are defined in Unicode Standard Annex (LTR) and "right-to-left" (RTL) are defined in Unicode Standard Annex
#9 [UAX9]. #9 [UAX9].
skipping to change at page 6, line 15 skipping to change at page 6, line 35
As of the date of writing, the version of Unicode published by the As of the date of writing, the version of Unicode published by the
Unicode Consortium is 6.3 [Unicode7.0]; however, PRECIS is not tied Unicode Consortium is 6.3 [Unicode7.0]; however, PRECIS is not tied
to a specific version of Unicode. The latest version of Unicode is to a specific version of Unicode. The latest version of Unicode is
always available [UnicodeCurrent]. always available [UnicodeCurrent].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
[RFC2119]. [RFC2119].
3. String Classes 3. Preparation, Enforcement, and Comparison
3.1. Overview This document distinguishes between three different actions that an
entity can take with regard to a string:
o Enforcement entails applying all of the rules specified for a
particular string class or profile thereof to an individual
string, for the purpose of determining if the string can be used
in a given protocol slot.
o Comparison entails applying all of the rules specified for a
particular string class or profile thereof to two separate
strings, for the purpose of determining if the two strings are
equivalent.
o Preparation entails only ensuring that the characters in an
individual string are allowed by the underlying PRECIS string
class.
In most cases, authoritative entities such as servers are responsible
for enforcement and subsidiary entities such as clients are
responsible only for preparation. The rationale for this distinction
is that clients might not have the facilities (in terms of device
memory and processing power) to enforce all the rules regarding
internationalized strings (such as width mapping and Unicode
normalization), although often they can limit the repertoire of
characters they offer to an end user. By contrast, it is assumed
that a server would have more capacity to enforce the rules, and in
any case acts as an authority regarding allowable strings in protocol
slots such as addresses and endpoint identifiers (since a client
cannot necessarily be trusted to properly generate such strings,
especially for security-sensitive contexts such as authentication and
authorization).
4. String Classes
4.1. Overview
Starting in 2010, various "customers" of Stringprep began to discuss Starting in 2010, various "customers" of Stringprep began to discuss
the need to define a post-Stringprep approach to the preparation and the need to define a post-Stringprep approach to the preparation and
comparison of internationalized strings other than IDNs. This comparison of internationalized strings other than IDNs. This
community analyzed the existing Stringprep profiles and also weighed community analyzed the existing Stringprep profiles and also weighed
the costs and benefits of defining a relatively small set of Unicode the costs and benefits of defining a relatively small set of Unicode
characters that would minimize the potential for user confusion characters that would minimize the potential for user confusion
caused by visually similar characters (and thus be relatively "safe") caused by visually similar characters (and thus be relatively "safe")
vs. defining a much larger set of Unicode characters that would vs. defining a much larger set of Unicode characters that would
maximize the potential for user creativity (and thus be relatively maximize the potential for user creativity (and thus be relatively
skipping to change at page 6, line 48 skipping to change at page 8, line 8
FreeformClass: a sequence of letters, numbers, symbols, spaces, and FreeformClass: a sequence of letters, numbers, symbols, spaces, and
other characters that is used for free-form strings, including other characters that is used for free-form strings, including
passwords as well as display elements such as human-friendly passwords as well as display elements such as human-friendly
nicknames in chatrooms; the intent is that this class will allow nicknames in chatrooms; the intent is that this class will allow
nearly any Unicode character, with the result that expressiveness nearly any Unicode character, with the result that expressiveness
has been prioritized over safety for this class (e.g., protocol has been prioritized over safety for this class (e.g., protocol
designers, application developers, service providers, and end designers, application developers, service providers, and end
users might not understand or be able to enter all of the users might not understand or be able to enter all of the
characters that can be included in the FreeformClass - see characters that can be included in the FreeformClass - see
Section 9.3 for details). Section 11.3 for details).
Future specifications might define additional PRECIS string classes, Future specifications might define additional PRECIS string classes,
such as a class that falls somewhere between the IdentifierClass and such as a class that falls somewhere between the IdentifierClass and
the FreeformClass. At this time, it is not clear how useful such a the FreeformClass. At this time, it is not clear how useful such a
class would be. In any case, because application developers are able class would be. In any case, because application developers are able
to define profiles of PRECIS string classes, a protocol needing a to define profiles of PRECIS string classes, a protocol needing a
construct between the IdentiferClass and the FreeformClass could construct between the IdentiferClass and the FreeformClass could
define a restricted profile of the FreeformClass if needed. define a restricted profile of the FreeformClass if needed.
The following subsections discuss the IdentifierClass and The following subsections discuss the IdentifierClass and
skipping to change at page 7, line 30 skipping to change at page 8, line 39
Disallowed: Defines which code points and character categories need Disallowed: Defines which code points and character categories need
to be excluded from the string. to be excluded from the string.
Unassigned: Defines application behavior in the presence of code Unassigned: Defines application behavior in the presence of code
points that are unknown (i.e., not yet designated) for the version points that are unknown (i.e., not yet designated) for the version
of Unicode used by the application. of Unicode used by the application.
This document defines the valid, contextual rule required, This document defines the valid, contextual rule required,
disallowed, and unassigned rules for the IdentifierClass and disallowed, and unassigned rules for the IdentifierClass and
FreeformClass. As described under Section 4, profiles of these FreeformClass. As described under Section 5, profiles of these
string classes are responsible for defining the width mapping, string classes are responsible for defining the width mapping,
additional mappings, case mapping, normalization, directionality, and additional mappings, case mapping, normalization, directionality, and
exclusion rules. exclusion rules.
3.2. IdentifierClass 4.2. IdentifierClass
Most application technologies need strings that can be used to refer Most application technologies need strings that can be used to refer
to, include, or communicate protocol strings like usernames, file to, include, or communicate protocol strings like usernames, file
names, data feed identifiers, and chatroom names. We group such names, data feed identifiers, and chatroom names. We group such
strings into a class called "IdentifierClass" having the following strings into a class called "IdentifierClass" having the following
features. features.
3.2.1. Valid 4.2.1. Valid
o Code points traditionally used as letters and numbers in writing o Code points traditionally used as letters and numbers in writing
systems, i.e., the LetterDigits ("A") category first defined in systems, i.e., the LetterDigits ("A") category first defined in
[RFC5892] and listed here under Section 7.1. [RFC5892] and listed here under Section 8.1.
o Code points in the range U+0021 through U+007E, i.e., the o Code points in the range U+0021 through U+007E, i.e., the
(printable) ASCII7 ("K") rule defined under Section 7.11. These (printable) ASCII7 ("K") rule defined under Section 8.11. These
code points are "grandfathered" into PRECIS and thus are valid code points are "grandfathered" into PRECIS and thus are valid
even if they would otherwise be disallowed according to the even if they would otherwise be disallowed according to the
property-based rules specified in the next section. property-based rules specified in the next section.
Note: Although the PRECIS IdentifierClass re-uses the LetterDigits Note: Although the PRECIS IdentifierClass re-uses the LetterDigits
category from IDNA2008, the range of characters allowed in the category from IDNA2008, the range of characters allowed in the
IdentifierClass is wider than the range of characters allowed in IdentifierClass is wider than the range of characters allowed in
IDNA2008. The main reason is that IDNA2008 applies the Unstable IDNA2008. The main reason is that IDNA2008 applies the Unstable
category before the LetterDigits category, thus disallowing category before the LetterDigits category, thus disallowing
uppercase characters, whereas the IdentifierClass does not apply uppercase characters, whereas the IdentifierClass does not apply
the Unstable category. the Unstable category.
3.2.2. Contextual Rule Required 4.2.2. Contextual Rule Required
o A number of characters from the Exceptions ("F") category defined o A number of characters from the Exceptions ("F") category defined
under Section 7.6 (see Section 7.6 for a full list). under Section 8.6 (see Section 8.6 for a full list).
o Joining characters, i.e., the JoinControl ("H") category defined o Joining characters, i.e., the JoinControl ("H") category defined
under Section 7.8. under Section 8.8.
3.2.3. Disallowed 4.2.3. Disallowed
o Old Hangul Jamo characters, i.e., the OldHangulJamo ("I") category o Old Hangul Jamo characters, i.e., the OldHangulJamo ("I") category
defined under Section 7.9. defined under Section 8.9.
o Control characters, i.e., the Controls ("L") category defined o Control characters, i.e., the Controls ("L") category defined
under Section 7.12. under Section 8.12.
o Ignorable characters, i.e., the PrecisIgnorableProperties ("M") o Ignorable characters, i.e., the PrecisIgnorableProperties ("M")
category defined under Section 7.13. category defined under Section 8.13.
o Space characters, i.e., the Spaces ("N") category defined under o Space characters, i.e., the Spaces ("N") category defined under
Section 7.14. Section 8.14.
o Symbol characters, i.e., the Symbols ("O") category defined under o Symbol characters, i.e., the Symbols ("O") category defined under
Section 7.15. Section 8.15.
o Punctuation characters, i.e., the Punctuation ("P") category o Punctuation characters, i.e., the Punctuation ("P") category
defined under Section 7.16. defined under Section 8.16.
o Any character that has a compatibility equivalent, i.e., the o Any character that has a compatibility equivalent, i.e., the
HasCompat ("Q") category defined under Section 7.17. These code HasCompat ("Q") category defined under Section 8.17. These code
points are disallowed even if they would otherwise be valid points are disallowed even if they would otherwise be valid
according to the property-based rules specified in the previous according to the property-based rules specified in the previous
section. section.
o Letters and digits other than the "traditional" letters and digits o Letters and digits other than the "traditional" letters and digits
allowed in IDNs, i.e., the OtherLetterDigits ("R") category allowed in IDNs, i.e., the OtherLetterDigits ("R") category
defined under Section 7.18. defined under Section 8.18.
3.2.4. Unassigned 4.2.4. Unassigned
Any code points that are not yet designated in the Unicode character Any code points that are not yet designated in the Unicode character
set are considered Unassigned for purposes of the IdentifierClass, set are considered Unassigned for purposes of the IdentifierClass,
and such code points are to be treated as Disallowed. and such code points are to be treated as Disallowed.
3.2.5. Examples 4.2.5. Examples
As described in the Introduction to this document, the string classes As described in the Introduction to this document, the string classes
do not handle all issues related to string preparation and comparison do not handle all issues related to string preparation and comparison
(such as case mapping); instead, such issues are handled at the level (such as case mapping); instead, such issues are handled at the level
of profiles. Examples for two profiles of the IdentifierClass can be of profiles. Examples for two profiles of the IdentifierClass can be
found in [I-D.ietf-precis-saslprepbis] (the UsernameIdentifierClass found in [I-D.ietf-precis-saslprepbis] (the UsernameIdentifierClass
profile) and in [I-D.ietf-xmpp-6122bis] (the JIDlocalIdentifierClass profile) and in [I-D.ietf-xmpp-6122bis] (the JIDlocalIdentifierClass
profile). profile).
3.3. FreeformClass 4.3. FreeformClass
Some application technologies need strings that can be used in a Some application technologies need strings that can be used in a
free-form way, e.g., as a password in an authentication exchange (see free-form way, e.g., as a password in an authentication exchange (see
[I-D.ietf-precis-saslprepbis]) or a nickname in a chatroom (see [I-D.ietf-precis-saslprepbis]) or a nickname in a chatroom (see
[I-D.ietf-precis-nickname]). We group such things into a class [I-D.ietf-precis-nickname]). We group such things into a class
called "FreeformClass" having the following features. called "FreeformClass" having the following features.
Security Warning: As mentioned, the FreeformClass prioritizes Security Warning: As mentioned, the FreeformClass prioritizes
expressiveness over safety; Section 9.3 describes some of the expressiveness over safety; Section 11.3 describes some of the
security hazards involved with using or profiling the security hazards involved with using or profiling the
FreeformClass. FreeformClass.
Security Warning: Consult Section 9.6 for relevant security Security Warning: Consult Section 11.6 for relevant security
considerations when strings conforming to the FreeformClass, or a considerations when strings conforming to the FreeformClass, or a
profile thereof, are used as passwords. profile thereof, are used as passwords.
3.3.1. Valid 4.3.1. Valid
o Traditional letters and numbers, i.e., the LetterDigits ("A") o Traditional letters and numbers, i.e., the LetterDigits ("A")
category first defined in [RFC5892] and listed here under category first defined in [RFC5892] and listed here under
Section 7.1. Section 8.1.
o Letters and digits other than the "traditional" letters and digits o Letters and digits other than the "traditional" letters and digits
allowed in IDNs, i.e., the OtherLetterDigits ("R") category allowed in IDNs, i.e., the OtherLetterDigits ("R") category
defined under Section 7.18. defined under Section 8.18.
o Code points in the range U+0021 through U+007E, i.e., the o Code points in the range U+0021 through U+007E, i.e., the
(printable) ASCII7 ("K") rule defined under Section 7.11. (printable) ASCII7 ("K") rule defined under Section 8.11.
o Any character that has a compatibility equivalent, i.e., the o Any character that has a compatibility equivalent, i.e., the
HasCompat ("Q") category defined under Section 7.17. HasCompat ("Q") category defined under Section 8.17.
o Space characters, i.e., the Spaces ("N") category defined under o Space characters, i.e., the Spaces ("N") category defined under
Section 7.14. Section 8.14.
o Symbol characters, i.e., the Symbols ("O") category defined under o Symbol characters, i.e., the Symbols ("O") category defined under
Section 7.15. Section 8.15.
o Punctuation characters, i.e., the Punctuation ("P") category o Punctuation characters, i.e., the Punctuation ("P") category
defined under Section 7.16. defined under Section 8.16.
3.3.2. Contextual Rule Required 4.3.2. Contextual Rule Required
o A number of characters from the Exceptions ("F") category defined o A number of characters from the Exceptions ("F") category defined
under Section 7.6 (see Section 7.6 for a full list). under Section 8.6 (see Section 8.6 for a full list).
o Joining characters, i.e., the JoinControl ("H") category defined o Joining characters, i.e., the JoinControl ("H") category defined
under Section 7.8. under Section 8.8.
3.3.3. Disallowed 4.3.3. Disallowed
o Old Hangul Jamo characters, i.e., the OldHangulJamo ("I") category o Old Hangul Jamo characters, i.e., the OldHangulJamo ("I") category
defined under Section 7.9. defined under Section 8.9.
o Control characters, i.e., the Controls ("L") category defined o Control characters, i.e., the Controls ("L") category defined
under Section 7.12. under Section 8.12.
o Ignorable characters, i.e., the PrecisIgnorableProperties ("M") o Ignorable characters, i.e., the PrecisIgnorableProperties ("M")
category defined under Section 7.13. category defined under Section 8.13.
3.3.4. Unassigned 4.3.4. Unassigned
Any code points that are not yet designated in the Unicode character Any code points that are not yet designated in the Unicode character
set are considered Unassigned for purposes of the FreeformClass, and set are considered Unassigned for purposes of the FreeformClass, and
such code points are to be treated as Disallowed. such code points are to be treated as Disallowed.
3.3.5. Examples 4.3.5. Examples
As described in the Introduction to this document, the string classes As described in the Introduction to this document, the string classes
do not handle all issues related to string preparation and comparison do not handle all issues related to string preparation and comparison
(such as case mapping); instead, such issues are handled at the level (such as case mapping); instead, such issues are handled at the level
of profiles. Examples for two profiles of the FreeformClass can be of profiles. Examples for two profiles of the FreeformClass can be
found in [I-D.ietf-precis-nickname] (the NicknameFreeformClass found in [I-D.ietf-precis-nickname] (the NicknameFreeformClass
profile) and in [I-D.ietf-xmpp-6122bis] (the profile) and in [I-D.ietf-xmpp-6122bis] (the
JIDresourceIdentifierClass profile). JIDresourceIdentifierClass profile).
4. Profiles 5. Profiles
4.1. Principles
This framework document defines the valid, contextual-rule-required, This framework document defines the valid, contextual-rule-required,
disallowed, and unassigned rules for the IdentifierClass and the disallowed, and unassigned rules for the IdentifierClass and the
FreeformClass. A profile of a PRECIS string class MUST define the FreeformClass. A profile of a PRECIS string class MUST define the
width mapping, additional mappings (if any), case mapping, width mapping, additional mappings (if any), case mapping,
normalization, directionality, and exclusion rules. A profile MAY normalization, directionality, and exclusion rules. A profile MAY
also restrict the allowable characters above and beyond the also restrict the allowable characters above and beyond the
definition of the relevant PRECIS string class (but MUST NOT add as definition of the relevant PRECIS string class (but MUST NOT add as
valid any code points or character categories that are disallowed by valid any code points or character categories that are disallowed by
the relevant PRECIS string class). These matters are discussed in the relevant PRECIS string class). These matters are discussed in
the following subsections. the following subsections.
Profiles of the PRECIS string classes are registered with the IANA as Profiles of the PRECIS string classes are registered with the IANA as
described under Section 8.3. Profile names use the following described under Section 10.3. Profile names use the following
convention: they are of the form "ProfilenameBaseClass", where the convention: they are of the form "ProfilenameBaseClass", where the
"Profilename" string is a differentiator and "BaseClass" is the name "Profilename" string is a differentiator and "BaseClass" is the name
of the PRECIS string class being profiled; for example, the profile of the PRECIS string class being profiled; for example, the profile
of the IdentifierClass used for localparts of Jabber Identifiers of the IdentifierClass used for localparts of Jabber Identifiers
(JIDs) in the Extensible Messaging and Presence Protocol (XMPP) is (JIDs) in the Extensible Messaging and Presence Protocol (XMPP) is
named "JIDlocalIdentifierClass" [I-D.ietf-xmpp-6122bis]. named "JIDlocalIdentifierClass" [I-D.ietf-xmpp-6122bis].
4.1.1. Width Mapping 5.1. Profiles Must Not Be Multiplied Beyond Necessity
The risk of profile proliferation is significant because having too
many profiles will result in different behavior across various
applications, thus violating what is known in user interface design
as the Principle of Least Astonishment.
Indeed, we already have too many profiles. Ideally we would have at
most two or three profiles. Unfortunately, numerous application
protocols exist with their own quirks regarding protocol strings.
Domain names, email addresses, instant messaging addresses, chatroom
nicknames, filenames, authentication identifiers, passwords, and
other strings are already out there in the wild and need to be
supported in existing application protocols such as DNS, SMTP, XMPP,
IRC, NFS, iSCSI, EAP, and SASL among others.
Nevertheless, profiles must not be multiplied beyond necessity.
To help prevent profile proliferation, this document recommends
sensible defaults for the various options offered to profile creators
(such as width mapping and Unicode normalization). In addition, the
guidelines for designated experts provided under Section 9 are meant
to encourage a high level of due diligence regarding new profiles.
5.2. Rules
5.2.1. Width Mapping Rule
The width mapping rule of a profile specifies whether width mapping The width mapping rule of a profile specifies whether width mapping
is performed on fullwidth and halfwidth characters, and how the is performed on fullwidth and halfwidth characters, and how the
mapping is done. Typically such mapping consists of mapping mapping is done. Typically such mapping consists of mapping
fullwidth and halfwidth characters, i.e., code points with a fullwidth and halfwidth characters, i.e., code points with a
Decomposition Type of Wide or Narrow, to their decomposition Decomposition Type of Wide or Narrow, to their decomposition
mappings; as an example, FULLWIDTH DIGIT ZERO (U+FF10) would be mappings; as an example, FULLWIDTH DIGIT ZERO (U+FF10) would be
mapped to DIGIT ZERO (U+0030). mapped to DIGIT ZERO (U+0030).
The normalization form specified by a profile (see below) has an The normalization form specified by a profile (see below) has an
impact on the need for width mapping. Because width mapping is impact on the need for width mapping. Because width mapping is
performed as a part of compatibility decomposition, a profile performed as a part of compatibility decomposition, a profile
employing either normalization form KD (NFKD) or normalization form employing either normalization form KD (NFKD) or normalization form
KC (NFKC) does not need to specify width mapping. However, if KC (NFKC) does not need to specify width mapping. However, if
Unicode normalization form C (NFC) is used then the profile needs to Unicode normalization form C (NFC) is used (as is recommended) then
specify whether to apply width mapping; in this case, width mapping the profile needs to specify whether to apply width mapping; in this
is in general RECOMMENDED because allowing fullwidth and halfwidth case, width mapping is in general RECOMMENDED because allowing
characters to remain unmapped to their compatibility variants would fullwidth and halfwidth characters to remain unmapped to their
violate the principle of least user surprise. For more information compatibility variants would violate the Principle of Least
about the concept of width in East Asian scripts within Unicode, see Astonishment. For more information about the concept of width in
Unicode Standard Annex #11 [UAX11]. East Asian scripts within Unicode, see Unicode Standard Annex #11
[UAX11].
4.1.2. Additional Mappings 5.2.2. Additional Mapping Rule
The additional mappings rule of a profile specifies whether The additional mapping rule of a profile specifies whether additional
additional mappings are to be applied, such as mapping of delimiter mappings are to be applied, such as:
characters and mapping of special characters (e.g., non-ASCII space
characters to ASCII space or certain characters to nothing).
4.1.3. Case Mapping Mapping of delimiter characters (such as '@', ':', '/', '+', and
'-')
Mapping of special characters (e.g., non-ASCII space characters to
ASCII space or control characters to nothing).
The PRECIS mappings document [I-D.ietf-precis-mappings] describes
such mappings in more detail.
5.2.3. Case Mapping Rule
The case mapping rule of a profile specifies whether case mapping is The case mapping rule of a profile specifies whether case mapping is
performed (instead of case preservation) on uppercase and titlecase performed (instead of case preservation) on uppercase and titlecase
characters, and how the mapping is done (e.g., mapping uppercase and characters, and how the mapping is done (e.g., mapping uppercase and
titlecase characters to their lowercase equivalents). titlecase characters to their lowercase equivalents).
If case mapping is desired (instead of case preservation), it is If case mapping is desired (instead of case preservation), it is
RECOMMENDED to use Unicode Default Case Folding as defined in Chapter RECOMMENDED to use Unicode Default Case Folding as defined in Chapter
3 of the Unicode Standard [Unicode7.0]. 3 of the Unicode Standard [Unicode7.0].
skipping to change at page 12, line 39 skipping to change at page 14, line 32
In order to maximize entropy and minimize the potential for false In order to maximize entropy and minimize the potential for false
positives, it is NOT RECOMMENDED for application protocols to map positives, it is NOT RECOMMENDED for application protocols to map
uppercase and titlecase code points to their lowercase equivalents uppercase and titlecase code points to their lowercase equivalents
when strings conforming to the FreeformClass, or a profile thereof, when strings conforming to the FreeformClass, or a profile thereof,
are used in passwords; instead, it is RECOMMENDED to preserve the are used in passwords; instead, it is RECOMMENDED to preserve the
case of all code points contained in such strings and then perform case of all code points contained in such strings and then perform
case-sensitive comparison. See also the related discussion in case-sensitive comparison. See also the related discussion in
[I-D.ietf-precis-saslprepbis]. [I-D.ietf-precis-saslprepbis].
4.1.4. Normalization 5.2.4. Normalization Rule
The normalization rule of a profile specifies which Unicode The normalization rule of a profile specifies which Unicode
normalization form (D, KD, C, or KC) is to be applied (see Unicode normalization form (D, KD, C, or KC) is to be applied (see Unicode
Standard Annex #15 [UAX15] for background information). Standard Annex #15 [UAX15] for background information).
In accordance with [RFC5198], normalization form C (NFC) is In accordance with [RFC5198], normalization form C (NFC) is
RECOMMENDED. RECOMMENDED.
4.1.5. Directionality 5.2.5. Exclusion Rule
The exclusion rule of a profile specifies any particular characters
or character categories that are not allowed in strings conforming to
the profile, above and beyond those excluded by the string class
being profiled.
That is, a profile MAY do either of the following:
1. Exclude specific code points that are allowed by the relevant
string class.
2. Exclude characters matching certain Unicode properties (e.g.,
math symbols) that are included in the relevant PRECIS string
class.
As a result of such exclusions, code points that are defined as valid
for the PRECIS string class being profiled will be defined as
disallowed for the profile.
Typically, an exclusion rule is defined for the purpose of backward-
compatibility with legacy formats. Profiles for newly-defined string
types SHOULD NOT have an exclusion rule.
5.2.6. Directionality Rule
The directionality rule of a profile specifies how to treat strings The directionality rule of a profile specifies how to treat strings
containing left-to-right (LTR) and right-to-left (RTL) characters containing left-to-right (LTR) and right-to-left (RTL) characters
(see Unicode Standard Annex #9 [UAX9]). A profile usually specifies (see Unicode Standard Annex #9 [UAX9]). A profile usually specifies
a directionality rule that restricts strings to be entirely LTR a directionality rule that restricts strings to be entirely LTR
strings or entirely RTL strings and defines the allowable sequences strings or entirely RTL strings and defines the allowable sequences
of characters in LTR and RTL strings. Possible rules include, but of characters in LTR and RTL strings. Possible rules include, but
are not limited to, (a) considering any string that contains a right- are not limited to, (a) considering any string that contains a right-
to-left code point to be a right-to-left string, or (b) applying the to-left code point to be a right-to-left string, or (b) applying the
"Bidi Rule" from [RFC5893]. "Bidi Rule" from [RFC5893].
Mixed-direction strings are not directly supported by the PRECIS Mixed-direction strings are not directly supported by the PRECIS
framework itself, since there is currently no widely accepted and framework itself, since there is currently no widely accepted and
implemented solution for the safe display of mixed-direction strings. implemented solution for the safe display of mixed-direction strings.
An application protocol that uses the PRECIS framework (or an An application protocol that uses the PRECIS framework (or an
extension to the framework) could define better ways to present extension to the framework) could define better ways to present
mixed-direction strings; however, that work is outside the scope of mixed-direction strings; however, that work is outside the scope of
this framework and would likely require a great deal of careful this framework and would likely require a great deal of careful
research into the problems of displaying bidirectional text. research into the problems of displaying bidirectional text.
4.1.6. Exclusions 5.3. Building Application-Layer Constructs
The exclusions rule of a profile specifies whether the profile
excludes additional code points or character categories above and
beyond those excluded by the string class being profiled. That is, a
profile MAY do either of the following:
1. Exclude specific code points that are allowed by the relevant
string class.
2. Exclude characters matching certain Unicode properties (e.g.,
math symbols) that are included in the relevant PRECIS string
class.
As a result of such exclusions, code points that are defined as valid
for the PRECIS string class being profiled will be defined as
disallowed for the profile.
4.2. Building Application-Layer Constructs
Sometimes, an application-layer construct does not map in a Sometimes, an application-layer construct does not map in a
straightforward manner to one of the base string classes or a profile straightforward manner to one of the base string classes or a profile
thereof. Consider, for example, the "simple user name" construct in thereof. Consider, for example, the "simple user name" construct in
the Simple Authentication and Security Layer (SASL) [RFC4422]. the Simple Authentication and Security Layer (SASL) [RFC4422].
Depending on the deployment, a simple user name might take the form Depending on the deployment, a simple user name might take the form
of a user's full name (e.g., the user's personal name followed by a of a user's full name (e.g., the user's personal name followed by a
space and then the user's family name). Such a simple user name space and then the user's family name). Such a simple user name
cannot be defined as an instance of the IdentifierClass or a profile cannot be defined as an instance of the IdentifierClass or a profile
thereof, since space characters are not allowed in the thereof, since space characters are not allowed in the
IdentifierClass; however, it could be defined using a space-separated IdentifierClass; however, it could be defined using a space-separated
sequence of IdentifierClass instances, as in the following pseudo- sequence of IdentifierClass instances, as in the following ABNF
ABNF [RFC5234]: [RFC5234] from [I-D.ietf-precis-saslprepbis]:
fullname = namepart *(1*SP namepart) username = userpart [1*(1*SP userpart)]
namepart = 1*idpoint userpart = 1*(idbyte)
; ;
; an "idpoint" is a UTF-8 encoded Unicode code point ; an "idbyte" is a byte used to represent a
; that conforms to the PRECIS IdentifierClass ; UTF-8 encoded Unicode code point that can be
; contained in a string that conforms to the
; PRECIS "IdentifierClass"
;
Similar techniques could be used to define many application-layer Similar techniques could be used to define many application-layer
constructs, say of the form "user@domain" or "/path/to/file". constructs, say of the form "user@domain" or "/path/to/file".
4.3. A Note about Spaces 5.4. A Note about Spaces
With regard to the IdentiferClass, the consensus of the PRECIS With regard to the IdentiferClass, the consensus of the PRECIS
Working Group was that spaces are problematic for many reasons, Working Group was that spaces are problematic for many reasons,
including: including:
o Many Unicode characters are confusable with ASCII space. o Many Unicode characters are confusable with ASCII space.
o Even if non-ASCII space characters are mapped to ASCII space o Even if non-ASCII space characters are mapped to ASCII space
(U+0020), space characters are often not rendered in user (U+0020), space characters are often not rendered in user
interfaces, leading to the possibility that a human user might interfaces, leading to the possibility that a human user might
skipping to change at page 14, line 46 skipping to change at page 17, line 5
non-ASCII space characters) in identifiers and other protocol non-ASCII space characters) in identifiers and other protocol
strings, the Working Group considered this to be a feature, not a strings, the Working Group considered this to be a feature, not a
bug. bug.
However, the FreeformClass does allow spaces, which enables However, the FreeformClass does allow spaces, which enables
application protocols to define profiles of the FreeformClass that application protocols to define profiles of the FreeformClass that
are more flexible than any profiles of the IdentifierClass. In are more flexible than any profiles of the IdentifierClass. In
addition, as explained in the previous section, application protocols addition, as explained in the previous section, application protocols
can also define application-layer constructs containing spaces. can also define application-layer constructs containing spaces.
5. Order of Operations 6. Order of Operations
To ensure proper comparison, the following order of operations is To ensure proper comparison, the rules specified for a particular
REQUIRED: string class or profile MUST be applied in the following order:
1. Width mapping 1. Width Mapping Rule
2. Optionally, additional mappings such as mapping of delimiters
(e.g., characters such as '@', ':', '/', '+', and '-') and
special handling of certain characters or classes of characters
(e.g., mapping of non-ASCII spaces to ASCII space or mapping of
control characters to nothing); the PRECIS mappings document
[I-D.ietf-precis-mappings] describes such mappings in more detail
3. Case mapping as described under Section 4.1.3 of this document 2. Additional Mapping Rule
4. Normalization 3. Case Mapping Rule
5. Behavioral rules for determining whether a code point is valid, 4. Normalization Rule
5. Exclusion Rule
6. Behavioral rules for determining whether a code point is valid,
allowed under a contextual rule, disallowed, or unassigned allowed under a contextual rule, disallowed, or unassigned
As already described, the width mapping, additional mappings, case As already described, the width mapping, additional mapping, case
mapping, and normalization operations are specified for each profile, mapping, normalization, and exclusion rules are specified for each
whereas the behavioral rules are specified for each string class. profile, whereas the behavioral rules are specified for each string
Some of the logic behind this order is provided under Section 4.1.1 class. Some of the logic behind this order is provided under
(see also the PRECIS mappings document [I-D.ietf-precis-mappings]). Section 5.2.1 (see also the PRECIS mappings document
[I-D.ietf-precis-mappings]).
6. Code Point Properties 7. Code Point Properties
In order to implement the string classes described above, this In order to implement the string classes described above, this
document does the following: document does the following:
1. Reviews and classifies the collections of code points in the 1. Reviews and classifies the collections of code points in the
Unicode character set by examining various code point properties. Unicode character set by examining various code point properties.
2. Defines an algorithm for determining a derived property value, 2. Defines an algorithm for determining a derived property value,
which can vary depending on the string class being used by the which can vary depending on the string class being used by the
relevant application protocol. relevant application protocol.
skipping to change at page 17, line 50 skipping to change at page 20, line 8
The mechanisms described here allow determination of the value of the The mechanisms described here allow determination of the value of the
property for future versions of Unicode (including characters added property for future versions of Unicode (including characters added
after Unicode 5.2 or 7.0 depending on the category, since some after Unicode 5.2 or 7.0 depending on the category, since some
categories in this document are reused from IDNA2008 and therefore categories in this document are reused from IDNA2008 and therefore
were defined at the time of Unicode 5.2). Changes in Unicode were defined at the time of Unicode 5.2). Changes in Unicode
properties that do not affect the outcome of this process therefore properties that do not affect the outcome of this process therefore
do not affect this framework. For example, a character can have its do not affect this framework. For example, a character can have its
Unicode General_Category value (see Chapter 4 of the Unicode Standard Unicode General_Category value (see Chapter 4 of the Unicode Standard
[Unicode7.0]) change from So to Sm, or from Lo to Ll, without [Unicode7.0]) change from So to Sm, or from Lo to Ll, without
affecting the algorithm results. Moreover, even if such changes were affecting the algorithm results. Moreover, even if such changes were
to result, the BackwardCompatible list (Section 7.7) can be adjusted to result, the BackwardCompatible list (Section 8.7) can be adjusted
to ensure the stability of the results. to ensure the stability of the results.
7. Category Definitions Used to Calculate Derived Property 8. Category Definitions Used to Calculate Derived Property
The derived property obtains its value based on a two-step procedure: The derived property obtains its value based on a two-step procedure:
1. Characters are placed in one or more character categories either 1. Characters are placed in one or more character categories either
(1) based on core properties defined by the Unicode Standard or (1) based on core properties defined by the Unicode Standard or
(2) by treating the code point as an exception and addressing the (2) by treating the code point as an exception and addressing the
code point based on its code point value. These categories are code point based on its code point value. These categories are
not mutually exclusive. not mutually exclusive.
2. Set operations are used with these categories to determine the 2. Set operations are used with these categories to determine the
values for a property specific to a given string class. These values for a property specific to a given string class. These
operations are specified under Section 6. operations are specified under Section 7.
Note: Unicode property names and property value names might have Note: Unicode property names and property value names might have
short abbreviations, such as "gc" for the General_Category short abbreviations, such as "gc" for the General_Category
property and "Ll" for the Lowercase_Letter property value of the property and "Ll" for the Lowercase_Letter property value of the
gc property. gc property.
In the following specification of character categories, the operation In the following specification of character categories, the operation
that returns the value of a particular Unicode character property for that returns the value of a particular Unicode character property for
a code point is designated by using the formal name of that property a code point is designated by using the formal name of that property
(from the Unicode PropertyAliases.txt [1]) followed by '(cp)' for (from the Unicode PropertyAliases.txt [1]) followed by '(cp)' for
skipping to change at page 18, line 40 skipping to change at page 20, line 46
The first ten categories (A-J) shown below were previously defined The first ten categories (A-J) shown below were previously defined
for IDNA2008 and are copied directly from [RFC5892] to ease the for IDNA2008 and are copied directly from [RFC5892] to ease the
understanding of how PRECIS handles various characters. Some of understanding of how PRECIS handles various characters. Some of
these categories are reused in PRECIS and some of them are not; these categories are reused in PRECIS and some of them are not;
however, the lettering of categories is retained to prevent overlap however, the lettering of categories is retained to prevent overlap
and to ease implementation of both IDNA2008 and PRECIS in a single and to ease implementation of both IDNA2008 and PRECIS in a single
software application. The next eight categories (K-R) are specific software application. The next eight categories (K-R) are specific
to PRECIS. to PRECIS.
7.1. LetterDigits (A) 8.1. LetterDigits (A)
This category is defined in Secton 2.1 of [RFC5892] and is included This category is defined in Secton 2.1 of [RFC5892] and is included
by reference for use in PRECIS. by reference for use in PRECIS.
7.2. Unstable (B) 8.2. Unstable (B)
This category is defined in Secton 2.2 of [RFC5892] but not used in This category is defined in Secton 2.2 of [RFC5892] but not used in
PRECIS. PRECIS.
7.3. IgnorableProperties (C) 8.3. IgnorableProperties (C)
This category is defined in Secton 2.3 of [RFC5892] but not used in This category is defined in Secton 2.3 of [RFC5892] but not used in
PRECIS. PRECIS.
Note: See the "PrecisIgnorableProperties (M)" category below for a Note: See the "PrecisIgnorableProperties (M)" category below for a
more inclusive category used in PRECIS identifiers. more inclusive category used in PRECIS identifiers.
7.4. IgnorableBlocks (D) 8.4. IgnorableBlocks (D)
This category is defined in Secton 2.4 of [RFC5892] but not used in This category is defined in Secton 2.4 of [RFC5892] but not used in
PRECIS. PRECIS.
7.5. LDH (E) 8.5. LDH (E)
This category is defined in Secton 2.5 of [RFC5892] but not used in This category is defined in Secton 2.5 of [RFC5892] but not used in
PRECIS. PRECIS.
Note: See the "ASCII7 (K)" category below for a more inclusive Note: See the "ASCII7 (K)" category below for a more inclusive
category used in PRECIS identifiers. category used in PRECIS identifiers.
7.6. Exceptions (F) 8.6. Exceptions (F)
This category is defined in Secton 2.6 of [RFC5892] and is included This category is defined in Secton 2.6 of [RFC5892] and is included
by reference for use in PRECIS. by reference for use in PRECIS.
7.7. BackwardCompatible (G) 8.7. BackwardCompatible (G)
This category is defined in Secton 2.7 of [RFC5892] and is included This category is defined in Secton 2.7 of [RFC5892] and is included
by reference for use in PRECIS. by reference for use in PRECIS.
Note: Because of how the PRECIS string classes are defined, only Note: Because of how the PRECIS string classes are defined, only
changes that would result in code points being added to or removed changes that would result in code points being added to or removed
from the LetterDigits ("A") category would result in backward- from the LetterDigits ("A") category would result in backward-
incompatible modifications to code point assignments. Therefore, incompatible modifications to code point assignments. Therefore,
management of this category is handled via the processes specified in management of this category is handled via the processes specified in
[RFC5892]. At the time of this writing (and also at the time that [RFC5892]. At the time of this writing (and also at the time that
RFC 5892 was published), this category consisted of the empty set; RFC 5892 was published), this category consisted of the empty set;
however, that is subject to change as described in RFC 5892. however, that is subject to change as described in RFC 5892.
7.8. JoinControl (H) 8.8. JoinControl (H)
This category is defined in Secton 2.8 of [RFC5892] and is included This category is defined in Secton 2.8 of [RFC5892] and is included
by reference for use in PRECIS. by reference for use in PRECIS.
7.9. OldHangulJamo (I) 8.9. OldHangulJamo (I)
This category is defined in Secton 2.9 of [RFC5892] and is included This category is defined in Secton 2.9 of [RFC5892] and is included
by reference for use in PRECIS. by reference for use in PRECIS.
7.10. Unassigned (J) 8.10. Unassigned (J)
This category is defined in Secton 2.10 of [RFC5892] and is included This category is defined in Secton 2.10 of [RFC5892] and is included
by reference for use in PRECIS. by reference for use in PRECIS.
7.11. ASCII7 (K) 8.11. ASCII7 (K)
This PRECIS-specific category consists of all printable, non-space This PRECIS-specific category consists of all printable, non-space
characters from the 7-bit ASCII range. By applying this category, characters from the 7-bit ASCII range. By applying this category,
the algorithm specified under Section 6 exempts these characters from the algorithm specified under Section 7 exempts these characters from
other rules that might be applied during PRECIS processing, on the other rules that might be applied during PRECIS processing, on the
assumption that these code points are in such wide use that assumption that these code points are in such wide use that
disallowing them would be counter-productive. disallowing them would be counter-productive.
K: cp is in {0021..007E} K: cp is in {0021..007E}
7.12. Controls (L) 8.12. Controls (L)
L: Control(cp) = True L: Control(cp) = True
7.13. PrecisIgnorableProperties (M) 8.13. PrecisIgnorableProperties (M)
This PRECIS-specific category is used to group code points that are This PRECIS-specific category is used to group code points that are
discouraged from use in PRECIS string classes. discouraged from use in PRECIS string classes.
M: Default_Ignorable_Code_Point(cp) = True or M: Default_Ignorable_Code_Point(cp) = True or
Noncharacter_Code_Point(cp) = True Noncharacter_Code_Point(cp) = True
The definition for Default_Ignorable_Code_Point can be found in the The definition for Default_Ignorable_Code_Point can be found in the
DerivedCoreProperties.txt [2] file, and at the time of Unicode 7.0 is DerivedCoreProperties.txt [2] file, and at the time of Unicode 7.0 is
as follows: as follows:
Other_Default_Ignorable_Code_Point Other_Default_Ignorable_Code_Point
+ Cf (Format characters) + Cf (Format characters)
+ Variation_Selector + Variation_Selector
- White_Space - White_Space
- FFF9..FFFB (Annotation Characters) - FFF9..FFFB (Annotation Characters)
- 0600..0604, 06DD, 070F, 110BD (exceptional Cf characters - 0600..0604, 06DD, 070F, 110BD (exceptional Cf characters
that should be visible) that should be visible)
7.14. Spaces (N) 8.14. Spaces (N)
This PRECIS-specific category is used to group code points that are This PRECIS-specific category is used to group code points that are
space characters. space characters.
N: General_Category(cp) is in {Zs} N: General_Category(cp) is in {Zs}
7.15. Symbols (O) 8.15. Symbols (O)
This PRECIS-specific category is used to group code points that are This PRECIS-specific category is used to group code points that are
symbols. symbols.
O: General_Category(cp) is in {Sm, Sc, Sk, So} O: General_Category(cp) is in {Sm, Sc, Sk, So}
7.16. Punctuation (P) 8.16. Punctuation (P)
This PRECIS-specific category is used to group code points that are This PRECIS-specific category is used to group code points that are
punctuation characters. punctuation characters.
P: General_Category(cp) is in {Pc, Pd, Ps, Pe, Pi, Pf, Po} P: General_Category(cp) is in {Pc, Pd, Ps, Pe, Pi, Pf, Po}
7.17. HasCompat (Q) 8.17. HasCompat (Q)
This PRECIS-specific category is used to group code points that have This PRECIS-specific category is used to group code points that have
compatibility equivalents as explained in Chapter 2 and Chapter 3 of compatibility equivalents as explained in Chapter 2 and Chapter 3 of
the Unicode Standard [Unicode7.0]. the Unicode Standard [Unicode7.0].
Q: toNFKC(cp) != cp Q: toNFKC(cp) != cp
The toNFKC() operation returns the code point in normalization form The toNFKC() operation returns the code point in normalization form
KC. For more information, see Section 5 of Unicode Standard Annex KC. For more information, see Section 5 of Unicode Standard Annex
#15 [UAX15]. #15 [UAX15].
7.18. OtherLetterDigits (R) 8.18. OtherLetterDigits (R)
This PRECIS-specific category is used to group code points that are This PRECIS-specific category is used to group code points that are
letters and digits other than the "traditional" letters and digits letters and digits other than the "traditional" letters and digits
grouped under the LetterDigits (A) class (see Section 7.1). grouped under the LetterDigits (A) class (see Section 8.1).
R: General_Category(cp) is in {Lt, Nl, No, Me} R: General_Category(cp) is in {Lt, Nl, No, Me}
8. IANA Considerations 9. Guidelines for Designated Experts
8.1. PRECIS Derived Property Value Registry Experience with internationalization in application protocols has
shown that protocol designers usually do not understand the
subtleties and tradeoffs involved with internationalization and that
they need considerable guidance in making reasonable decisions with
regard to the options before them. Therefore, although the
registration policy for PRECIS profiles is Expert Review and a stable
specification is not strictly required, the designated experts for
profile registration requests ought to encourage applicants to
provide a stable specification documenting the profile.
Internationalization can be difficult and contentious; the designated
experts and applicants are strongly encouraged to work together in a
spirit of good faith and mutual understanding to achieve rough
consensus on progressing registrations through the process. They are
also encouraged to bring additional expertise into the discussion if
that would be helpful in adding perspective or otherwise resolving
issues.
Further considerations for profile registrants and designated experts
can be found under Section 10.3.
10. IANA Considerations
10.1. PRECIS Derived Property Value Registry
IANA is requested to create a PRECIS-specific registry with the IANA is requested to create a PRECIS-specific registry with the
Derived Properties for the versions of Unicode that are released Derived Properties for the versions of Unicode that are released
after (and including) version 7.0. The derived property value is to after (and including) version 7.0. The derived property value is to
be calculated in cooperation with a designated expert [RFC5226] be calculated in cooperation with a designated expert [RFC5226]
according to the rules specified under Section 7 and Section 6. according to the rules specified under Section 8 and Section 7.
The IESG is to be notified if backward-incompatible changes to the The IESG is to be notified if backward-incompatible changes to the
table of derived properties are discovered or if other problems arise table of derived properties are discovered or if other problems arise
during the process of creating the table of derived property values during the process of creating the table of derived property values
or during expert review. Changes to the rules defined under or during expert review. Changes to the rules defined under
Section 7 and Section 6 require IETF Review. Section 8 and Section 7 require IETF Review.
8.2. PRECIS Base Classes Registry 10.2. PRECIS Base Classes Registry
IANA is requested to create a registry of PRECIS string classes. In IANA is requested to create a registry of PRECIS string classes. In
accordance with [RFC5226], the registration policy is "RFC Required". accordance with [RFC5226], the registration policy is "RFC Required".
The registration template is as follows: The registration template is as follows:
Base Class: [the name of the PRECIS string class] Base Class: [the name of the PRECIS string class]
Description: [a brief description of the PRECIS string class and its Description: [a brief description of the PRECIS string class and its
intended use, e.g., "A sequence of letters, numbers, and symbols intended use, e.g., "A sequence of letters, numbers, and symbols
that is used to identify or address a network entity."] that is used to identify or address a network entity."]
Specification: [the RFC number] Specification: [the RFC number]
The initial registrations are as follows: The initial registrations are as follows:
Base Class: FreeformClass. Base Class: FreeformClass.
Description: A sequence of letters, numbers, symbols, spaces, and Description: A sequence of letters, numbers, symbols, spaces, and
skipping to change at page 22, line 44 skipping to change at page 25, line 26
[Note to RFC Editor: please change "this document" [Note to RFC Editor: please change "this document"
to the RFC number issued for this specification.] to the RFC number issued for this specification.]
Base Class: IdentifierClass. Base Class: IdentifierClass.
Description: A sequence of letters, numbers, and symbols that is Description: A sequence of letters, numbers, and symbols that is
used to identify or address a network entity. used to identify or address a network entity.
Specification: Section 3.2 of this document. Specification: Section 3.2 of this document.
[Note to RFC Editor: please change "this document" [Note to RFC Editor: please change "this document"
to the RFC number issued for this specification.] to the RFC number issued for this specification.]
8.3. PRECIS Profiles Registry 10.3. PRECIS Profiles Registry
IANA is requested to create a registry of profiles that use the IANA is requested to create a registry of profiles that use the
PRECIS string classes. In accordance with [RFC5226], the PRECIS string classes. In accordance with [RFC5226], the
registration policy is "Expert Review". This policy was chosen in registration policy is "Expert Review". This policy was chosen in
order to ease the burden of registration while ensuring that order to ease the burden of registration while ensuring that
"customers" of PRECIS receive appropriate guidance regarding the "customers" of PRECIS receive appropriate guidance regarding the
sometimes complex and subtle internationalization issues related to sometimes complex and subtle internationalization issues related to
profiles of PRECIS string classes. profiles of PRECIS string classes.
The registration template is as follows: The registration template is as follows:
skipping to change at page 23, line 19 skipping to change at page 25, line 48
Name: [the name of the profile] Name: [the name of the profile]
Applicability: [the specific protocol elements to which this profile Applicability: [the specific protocol elements to which this profile
applies, e.g., "Localparts in XMPP addresses."] applies, e.g., "Localparts in XMPP addresses."]
Base Class: [which PRECIS string class is being profiled] Base Class: [which PRECIS string class is being profiled]
Replaces: [the Stringprep profile that this PRECIS profile replaces, Replaces: [the Stringprep profile that this PRECIS profile replaces,
if any] if any]
Width Mapping: [the behavioral rule for handling of width, e.g., Width Mapping Rule: [the behavioral rule for handling of width,
"Map fullwidth and halfwidth characters to their compatibility e.g., "Map fullwidth and halfwidth characters to their
variants."] compatibility variants."]
Additional Mappings: [any additional mappings are required or Additional Mapping Rule: [any additional mappings are required or
recommended, e.g., "Map non-ASCII space characters to ASCII recommended, e.g., "Map non-ASCII space characters to ASCII
space."] space."]
Case Mapping: [the behavioral rule for handling of case, e.g., Case Mapping Rule: [the behavioral rule for handling of case, e.g.,
"Unicode Default Case Folding"] "Unicode Default Case Folding"]
Normalization: [which Unicode normalization form is applied, e.g., Normalization Rule: [which Unicode normalization form is applied,
"NFC"] e.g., "NFC"]
Directionality: [the behavioral rule for handling of right-to-left
code points, e.g., "The 'Bidi Rule' defined in RFC 5893 applies."]
Exclusions: [a brief description of the specific code points or Exclusion Rule: [a brief description of the specific code points or
characters categories are excluded, e.g., "Eight legacy characters characters categories are excluded, e.g., "Eight legacy characters
in the ASCII range" or "Any character that has a compatibility in the ASCII range" or "Any character that has a compatibility
equivalent, i.e., the HasCompat category"] equivalent, i.e., the HasCompat category"]
Directionality Rule: [the behavioral rule for handling of right-to-
left code points, e.g., "The 'Bidi Rule' defined in RFC 5893
applies."]
Enforcement: [which entities enforce the rules, and when that Enforcement: [which entities enforce the rules, and when that
enforcement occurs during protocol operations] enforcement occurs during protocol operations]
Specification: [a pointer to relevant documentation, such as an RFC Specification: [a pointer to relevant documentation, such as an RFC
or Internet-Draft] or Internet-Draft]
In order to request a review, the registrant shall send a completed In order to request a review, the registrant shall send a completed
template to the precis@ietf.org list or its designated successor. template to the precis@ietf.org list or its designated successor.
Factors to focus on while defining profiles and reviewing profile Factors to focus on while defining profiles and reviewing profile
skipping to change at page 24, line 27 skipping to change at page 27, line 9
etc.) and the use of conformant strings in protocol elements? etc.) and the use of conformant strings in protocol elements?
o Are the width mapping, case mapping, additional mappings, o Are the width mapping, case mapping, additional mappings,
normalization, exclusion, and directionality rules appropriate for normalization, exclusion, and directionality rules appropriate for
the intended use? the intended use?
o Does the profile explain which entities enforce the rules, and o Does the profile explain which entities enforce the rules, and
when such enforcement occurs during protocol operations? when such enforcement occurs during protocol operations?
o Does the profile reduce the degree to which human users could be o Does the profile reduce the degree to which human users could be
surprised or confused by application behavior (the "principle of surprised or confused by application behavior (the "Principle of
least user surprise")? Least Astonishment")?
o Does the profile introduce any new security concerns such as those o Does the profile introduce any new security concerns such as those
described under Section 9 of this document (e.g., false positives described under Section 11 of this document (e.g., false positives
for authentication or authorization)? for authentication or authorization)?
9. Security Considerations 11. Security Considerations
9.1. General Issues 11.1. General Issues
If input strings that appear "the same" to users are programmatically If input strings that appear "the same" to users are programmatically
considered to be distinct in different systems, or if input strings considered to be distinct in different systems, or if input strings
that appear distinct to users are programmatically considered to be that appear distinct to users are programmatically considered to be
"the same" in different systems, then users can be confused. Such "the same" in different systems, then users can be confused. Such
confusion can have security implications, such as the false positives confusion can have security implications, such as the false positives
and false negatieves discussed in [RFC6943]. One starting goal of and false negatieves discussed in [RFC6943]. One starting goal of
work on the PRECIS framework was to limit the number of times that work on the PRECIS framework was to limit the number of times that
users are confused (consistent with the "principle of least users are confused (consistent with the "Principle of Least
astonishment"). Unfortunately, this goal has been difficult to Astonishment"). Unfortunately, this goal has been difficult to
achieve given the large number of application protocols already in achieve given the large number of application protocols already in
existence, each with its own conventions regarding allowable existence, each with its own conventions regarding allowable
characters (see for example [I-D.saintandre-username-interop] with characters (see for example [I-D.saintandre-username-interop] with
regard to various username constructs). Despite these difficulties, regard to various username constructs). Despite these difficulties,
profiles should not be multiplied beyond necessity. In particular, profiles should not be multiplied beyond necessity. In particular,
application protocol designers should think long and hard before application protocol designers should think long and hard before
defining a new profile instead of using one that has already been defining a new profile instead of using one that has already been
defined, and if they decide to define a new profile then they should defined, and if they decide to define a new profile then they should
clearly explain their reasons for doing so. clearly explain their reasons for doing so.
skipping to change at page 25, line 23 skipping to change at page 28, line 5
string is connected to the wrong account or online resource based on string is connected to the wrong account or online resource based on
different interpretations of the string. different interpretations of the string.
Specifications of application protocols that use this framework are Specifications of application protocols that use this framework are
strongly encouraged to describe how internationalized strings are strongly encouraged to describe how internationalized strings are
used in the protocol, including the security implications of any used in the protocol, including the security implications of any
false positives and false negatives that might result from various false positives and false negatives that might result from various
comparison operations. For some helpful guidelines, refer to comparison operations. For some helpful guidelines, refer to
[RFC6943], [RFC5890], [UTR36], and [UTS39]. [RFC6943], [RFC5890], [UTR36], and [UTS39].
9.2. Use of the IdentifierClass 11.2. Use of the IdentifierClass
Strings that conform to the IdentifierClass and any profile thereof Strings that conform to the IdentifierClass and any profile thereof
are intended to be relatively safe for use in a broad range of are intended to be relatively safe for use in a broad range of
applications, primarily because they include only letters, digits, applications, primarily because they include only letters, digits,
and "grandfathered" non-space characters from the ASCII range; thus and "grandfathered" non-space characters from the ASCII range; thus
they exclude spaces, characters with compatibility equivalents, and they exclude spaces, characters with compatibility equivalents, and
almost all symbols and punctuation marks. However, because such almost all symbols and punctuation marks. However, because such
strings can still include so-called confusable characters (see strings can still include so-called confusable characters (see
Section 9.5), protocol designers and implementers are encouraged to Section 11.5), protocol designers and implementers are encouraged to
pay close attention to the security considerations described pay close attention to the security considerations described
elsewhere in this document. elsewhere in this document.
9.3. Use of the FreeformClass 11.3. Use of the FreeformClass
Strings that conform to the FreeformClass and many profiles thereof Strings that conform to the FreeformClass and many profiles thereof
can include virtually any Unicode character. This makes the can include virtually any Unicode character. This makes the
FreeformClass quite expressive, but also problematic from the FreeformClass quite expressive, but also problematic from the
perspective of possible user confusion. Protocol designers are perspective of possible user confusion. Protocol designers are
hereby warned that the FreeformClass contains codepoints they might hereby warned that the FreeformClass contains codepoints they might
not understand, and are encouraged to profile the IdentifierClass not understand, and are encouraged to profile the IdentifierClass
wherever feasible; however, if an application protocol requires more wherever feasible; however, if an application protocol requires more
code points than are allowed by the IdentifierClass, protocol code points than are allowed by the IdentifierClass, protocol
designers are encouraged to define a profile of the FreeformClass designers are encouraged to define a profile of the FreeformClass
that restricts the allowable code points as tightly as possible. that restricts the allowable code points as tightly as possible.
(The PRECIS Working Group considered the option of allowing (The PRECIS Working Group considered the option of allowing
superclasses as well as profiles of PRECIS string classes, but superclasses as well as profiles of PRECIS string classes, but
decided against allowing superclasses to reduce the likelihood of decided against allowing superclasses to reduce the likelihood of
security and interoperability problems.) security and interoperability problems.)
9.4. Local Character Set Issues 11.4. Local Character Set Issues
When systems use local character sets other than ASCII and Unicode, When systems use local character sets other than ASCII and Unicode,
this specification leaves the problem of converting between the local this specification leaves the problem of converting between the local
character set and Unicode up to the application or local system. If character set and Unicode up to the application or local system. If
different applications (or different versions of one application) different applications (or different versions of one application)
implement different rules for conversions among coded character sets, implement different rules for conversions among coded character sets,
they could interpret the same name differently and contact different they could interpret the same name differently and contact different
application servers or other network entities. This problem is not application servers or other network entities. This problem is not
solved by security protocols, such as Transport Layer Security (TLS) solved by security protocols, such as Transport Layer Security (TLS)
[RFC5246] and the Simple Authentication and Security Layer (SASL) [RFC5246] and the Simple Authentication and Security Layer (SASL)
[RFC4422], that do not take local character sets into account. [RFC4422], that do not take local character sets into account.
9.5. Visually Similar Characters 11.5. Visually Similar Characters
Some characters are visually similar and thus can cause confusion Some characters are visually similar and thus can cause confusion
among humans. Such characters are often called "confusable among humans. Such characters are often called "confusable
characters" or "confusables". characters" or "confusables".
The problem of confusable characters is not necessarily caused by the The problem of confusable characters is not necessarily caused by the
use of Unicode code points outside the ASCII range. For example, in use of Unicode code points outside the ASCII range. For example, in
some presentations and to some individuals the string "ju1iet" some presentations and to some individuals the string "ju1iet"
(spelled with DIGIT ONE, U+0031, as the third character) might appear (spelled with DIGIT ONE, U+0031, as the third character) might appear
to be the same as "juliet" (spelled with LATIN SMALL LETTER L, to be the same as "juliet" (spelled with LATIN SMALL LETTER L,
skipping to change at page 28, line 15 skipping to change at page 30, line 44
existence of such communities and encourages due caution when existence of such communities and encourages due caution when
presenting unfamiliar scripts or characters to human users.) presenting unfamiliar scripts or characters to human users.)
The challenges inherent in supporting the full range of Unicode code The challenges inherent in supporting the full range of Unicode code
points have in the past led some to hope for a way to points have in the past led some to hope for a way to
programmatically negotiate more restrictive ranges based on locale, programmatically negotiate more restrictive ranges based on locale,
script, or other relevant factors, to tag the locale associated with script, or other relevant factors, to tag the locale associated with
a particular string, etc. As a general-purpose internationalization a particular string, etc. As a general-purpose internationalization
technology, the PRECIS framework does not include such mechanisms. technology, the PRECIS framework does not include such mechanisms.
9.6. Security of Passwords 11.6. Security of Passwords
Two goals of passwords are to maximize the amount of entropy and to Two goals of passwords are to maximize the amount of entropy and to
minimize the potential for false positives. These goals can be minimize the potential for false positives. These goals can be
achieved in part by allowing a wide range of code points and by achieved in part by allowing a wide range of code points and by
ensuring that passwords are handled in such a way that code points ensuring that passwords are handled in such a way that code points
are not compared aggressively. Therefore, it is NOT RECOMMENDED for are not compared aggressively. Therefore, it is NOT RECOMMENDED for
application protocols to profile the FreeformClass for use in application protocols to profile the FreeformClass for use in
passwords in a way that removes entire categories (e.g., by passwords in a way that removes entire categories (e.g., by
disallowing symbols or punctuation). Furthermore, it is NOT disallowing symbols or punctuation). Furthermore, it is NOT
RECOMMENDED for application protocols to map uppercase and titlecase RECOMMENDED for application protocols to map uppercase and titlecase
skipping to change at page 29, line 8 skipping to change at page 31, line 36
is used. is used.
In protocols that provide passwords as input to a cryptographic In protocols that provide passwords as input to a cryptographic
algorithm such as a hash function, the client will need to perform algorithm such as a hash function, the client will need to perform
proper preparation of the password before applying the algorithm, proper preparation of the password before applying the algorithm,
since the password is not available to the server in plaintext form. since the password is not available to the server in plaintext form.
Further discussion of password handling can be found in Further discussion of password handling can be found in
[I-D.ietf-precis-saslprepbis]. [I-D.ietf-precis-saslprepbis].
10. Interoperability Considerations 12. Interoperability Considerations
Although strings that are consumed in PRECIS-based application Although strings that are consumed in PRECIS-based application
protocols are often encoded using UTF-8 [RFC3629], the exact encoding protocols are often encoded using UTF-8 [RFC3629], the exact encoding
is a matter for the application protocol that uses PRECIS, not for is a matter for the application protocol that uses PRECIS, not for
the PRECIS framework. the PRECIS framework.
It is known that some existing systems are unable to support the full It is known that some existing systems are unable to support the full
Unicode character set, or even any characters outside the ASCII Unicode character set, or even any characters outside the ASCII
range. If two (or more) applications need to interoperate when range. If two (or more) applications need to interoperate when
exchanging data (e.g., for the purpose of authenticating a username exchanging data (e.g., for the purpose of authenticating a username
skipping to change at page 29, line 33 skipping to change at page 32, line 14
Three Unicode code points underwent changes in their GeneralCategory Three Unicode code points underwent changes in their GeneralCategory
between Unicode 5.2 (current at the time IDNA2008 was originally between Unicode 5.2 (current at the time IDNA2008 was originally
published) and Unicode 6.0, as described in [RFC6452]. Implementers published) and Unicode 6.0, as described in [RFC6452]. Implementers
might need to be aware that the treatment of these characters differs might need to be aware that the treatment of these characters differs
depending on which version of Unicode is available on the system that depending on which version of Unicode is available on the system that
is using IDNA2008 or PRECIS, and that other such differences are is using IDNA2008 or PRECIS, and that other such differences are
possible between the version of Unicode current at the time of this possible between the version of Unicode current at the time of this
writing (7.0) and future versions. writing (7.0) and future versions.
11. References 13. References
11.1. Normative References 13.1. Normative References
[RFC20] Cerf, V., "ASCII format for network interchange", RFC 20, [RFC20] Cerf, V., "ASCII format for network interchange", RFC 20,
October 1969. October 1969.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network [RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network
Interchange", RFC 5198, March 2008. Interchange", RFC 5198, March 2008.
[Unicode7.0] [Unicode7.0]
The Unicode Consortium, "The Unicode Standard, Version The Unicode Consortium, "The Unicode Standard, Version
6.0.0", 2014, 7.0.0", 2014,
<http://www.unicode.org/versions/Unicode7.0.0/>. <http://www.unicode.org/versions/Unicode7.0.0/>.
11.2. Informative References 13.2. Informative References
[I-D.ietf-precis-mappings] [I-D.ietf-precis-mappings]
Yoneya, Y. and T. NEMOTO, "Mapping characters for PRECIS Yoneya, Y. and T. NEMOTO, "Mapping characters for PRECIS
classes", draft-ietf-precis-mappings-08 (work in classes", draft-ietf-precis-mappings-08 (work in
progress), June 2014. progress), June 2014.
[I-D.ietf-precis-nickname] [I-D.ietf-precis-nickname]
Saint-Andre, P., "Preparation and Comparison of Saint-Andre, P., "Preparation and Comparison of
Nicknames", draft-ietf-precis-nickname-09 (work in Nicknames", draft-ietf-precis-nickname-11 (work in
progress), January 2014. progress), October 2014.
[I-D.ietf-precis-saslprepbis] [I-D.ietf-precis-saslprepbis]
Saint-Andre, P. and A. Melnikov, "Username and Password Saint-Andre, P. and A. Melnikov, "Username and Password
Preparation Algorithms", draft-ietf-precis-saslprepbis-07 Preparation Algorithms", draft-ietf-precis-saslprepbis-09
(work in progress), March 2014. (work in progress), October 2014.
[I-D.ietf-xmpp-6122bis] [I-D.ietf-xmpp-6122bis]
Saint-Andre, P., "Extensible Messaging and Presence Saint-Andre, P., "Extensible Messaging and Presence
Protocol (XMPP): Address Format", draft-ietf-xmpp- Protocol (XMPP): Address Format", draft-ietf-xmpp-
6122bis-12 (work in progress), March 2014. 6122bis-15 (work in progress), October 2014.
[I-D.saintandre-username-interop] [I-D.saintandre-username-interop]
Saint-Andre, P., "An Interoperable Subset of Characters Saint-Andre, P., "An Interoperable Subset of Characters
for Internationalized Usernames", draft-saintandre- for Internationalized Usernames", draft-saintandre-
username-interop-03 (work in progress), March 2014. username-interop-03 (work in progress), March 2014.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)", RFC "Remote Authentication Dial In User Service (RADIUS)", RFC
2865, June 2000. 2865, June 2000.
skipping to change at page 32, line 36 skipping to change at page 35, line 17
2014-present, <http://www.unicode.org/versions/latest/>. 2014-present, <http://www.unicode.org/versions/latest/>.
[UTR36] The Unicode Consortium, "Unicode Technical Report #36: [UTR36] The Unicode Consortium, "Unicode Technical Report #36:
Unicode Security Considerations", July 2012, Unicode Security Considerations", July 2012,
<http://unicode.org/reports/tr36/>. <http://unicode.org/reports/tr36/>.
[UTS39] The Unicode Consortium, "Unicode Technical Standard #39: [UTS39] The Unicode Consortium, "Unicode Technical Standard #39:
Unicode Security Mechanisms", July 2012, Unicode Security Mechanisms", July 2012,
<http://unicode.org/reports/tr39/>. <http://unicode.org/reports/tr39/>.
11.3. URIs 13.3. URIs
[1] http://unicode.org/Public/UNIDATA/PropertyAliases.txt [1] http://unicode.org/Public/UNIDATA/PropertyAliases.txt
[2] http://unicode.org/Public/UNIDATA/DerivedCoreProperties.txt [2] http://unicode.org/Public/UNIDATA/DerivedCoreProperties.txt
Appendix A. Acknowledgements Appendix A. Acknowledgements
The authors would like to acknowledge the comments and contributions The authors would like to acknowledge the comments and contributions
of the following individuals during working group discussion: David of the following individuals during working group discussion: David
Black, Edward Burns, Dan Chiba, Mark Davis, Alan DeKok, Martin Black, Edward Burns, Dan Chiba, Mark Davis, Alan DeKok, Martin
skipping to change at page 33, line 24 skipping to change at page 36, line 9
[RFC5890], [I-D.ietf-precis-saslprepbis], and [RFC5890], [I-D.ietf-precis-saslprepbis], and
[I-D.ietf-xmpp-6122bis]. [I-D.ietf-xmpp-6122bis].
Peter Saint-Andre wishes to acknowledge Cisco Systems, Inc., for Peter Saint-Andre wishes to acknowledge Cisco Systems, Inc., for
employing him during his work on earlier versions of this document. employing him during his work on earlier versions of this document.
Authors' Addresses Authors' Addresses
Peter Saint-Andre Peter Saint-Andre
&yet &yet
P.O. Box 787
Parker, CO 80134
USA
Email: peter@andyet.net Email: peter@andyet.com
URI: https://andyet.com/
Marc Blanchet Marc Blanchet
Viagenie Viagenie
246 Aberdeen 246 Aberdeen
Quebec, QC G1R 2E1 Quebec, QC G1R 2E1
Canada Canada
Email: Marc.Blanchet@viagenie.ca Email: Marc.Blanchet@viagenie.ca
URI: http://www.viagenie.ca/ URI: http://www.viagenie.ca/
 End of changes. 135 change blocks. 
297 lines changed or deleted 413 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/