Diff of draft-ietf-precis-7613bis-06.txt against draft-ietf-precis-7613bis-07.txt (the text below follows the -07 side; "[...]" marks unchanged text that the diff omits)

Network Working Group                                     P. Saint-Andre
Internet-Draft                                                  Filament
Obsoletes: 7613 (if approved)                                A. Melnikov
Intended status: Standards Track                               Isode Ltd
Expires: November 2, 2017                                    May 1, 2017

Preparation, Enforcement, and Comparison of Internationalized Strings
Representing Usernames and Passwords
draft-ietf-precis-7613bis-07

Abstract

This document describes updated methods for handling Unicode strings representing usernames and passwords. The previous approach was known as SASLprep (RFC 4013) and was based on stringprep (RFC 3454). The methods specified in this document provide a more sustainable approach to the handling of internationalized usernames and passwords. The preparation, enforcement, and comparison of internationalized strings (PRECIS) framework, RFC 7564, obsoletes RFC

[...]

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on November 2, 2017.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents

[...]

      3.4.4. Comparison
   3.5. Application-Layer Constructs
   3.6. Examples
4. Passwords
   4.1. Definition
   4.2. OpaqueString Profile
      4.2.1. Preparation
      4.2.2. Enforcement
      4.2.3. Comparison
   4.3. Examples
5. Use in Application Protocols
6. Migration
   6.1. Usernames
   6.2. Passwords
7. IANA Considerations
   7.1. UsernameCaseMapped Profile
   7.2. UsernameCasePreserved Profile
   7.3. OpaqueString Profile
   7.4. Stringprep Profile
8. Security Considerations
   8.1. Password/Passphrase Strength
   8.2. Identifier Comparison
   8.3. Reuse of PRECIS
   8.4. Reuse of Unicode
9. References
   9.1. Normative References
   9.2. Informative References
Appendix A. Changes from RFC 7613
Appendix B. Acknowledgements
Authors' Addresses

1. Introduction

Usernames and passwords are widely used for authentication and authorization on the Internet, either directly when provided in plaintext (as in the PLAIN Simple Authentication and Security Layer (SASL) mechanism [RFC4616] and the HTTP Basic scheme [RFC7617]) or indirectly when provided as the input to a cryptographic algorithm such as a hash function (as in the Salted Challenge Response Authentication Mechanism (SCRAM) SASL mechanism [RFC5802] and the
[...]

the rules specified below for the OpaqueString profile (these rules MUST be applied in the order shown):

1. Width-Mapping Rule: Fullwidth and halfwidth code points MUST NOT be mapped to their decomposition mappings (see Unicode Standard Annex #11 [UAX11]).

2. Additional Mapping Rule: Any instances of non-ASCII space MUST be mapped to ASCII space (U+0020); a non-ASCII space is any Unicode code point having a Unicode general category of "Zs" (with the exception of U+0020). As was the case in RFC 4013, the inclusion of only ASCII space prevents confusion with various non-ASCII space code points, many of which are difficult to reproduce across different input methods.

3. Case-Mapping Rule: There is no case mapping rule (because mapping uppercase and titlecase code points to their lowercase equivalents would lead to false positives and thus to reduced security).

4. Normalization Rule: Unicode Normalization Form C (NFC) MUST be applied to all strings.

5. Directionality Rule: There is no directionality rule. The "Bidi

[...]
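To make the OpaqueString rules quoted above concrete, the following is an added Python example; it is not code from the draft or from any PRECIS implementation. It applies rules 1 through 4 in the order the draft requires, using only the standard library's unicodedata module, and then compares two passwords after enforcement. The function names, the constant-time comparison via hmac.compare_digest, and the sample passwords are this example's own choices; the string-class membership and length checks that the full profile specifies outside this excerpt are not implemented.

```python
"""Added example: OpaqueString rules 1-4 applied in the required order.

Only the preparation/enforcement rules quoted in the excerpt are
implemented.  The directionality rule is "no rule", and the string-class
and length checks the draft specifies elsewhere are out of scope here.
Every sample string below is constructed for illustration.
"""
import hmac
import unicodedata


def map_non_ascii_spaces(s: str) -> str:
    """Rule 2: map every code point of general category Zs other than
    U+0020 to ASCII space.

    Zl/Zp separators and Cf format characters such as U+200B ZERO WIDTH
    SPACE are not Zs and are deliberately left untouched; whether such
    code points are permitted at all is decided by the string class,
    which this excerpt does not show.
    """
    return "".join(
        " " if c != " " and unicodedata.category(c) == "Zs" else c
        for c in s
    )


def enforce_opaque_string(s: str) -> str:
    """Apply rules 1-4 in the order the draft mandates."""
    # Rule 1: no width mapping.  Fullwidth/halfwidth code points stay as
    # typed; nothing to do.  NFC below leaves them alone as well, because
    # folding them would need a compatibility decomposition (NFKC).
    out = s
    # Rule 2: non-ASCII spaces become U+0020.
    out = map_non_ascii_spaces(out)
    # Rule 3: no case mapping, so "Secret" and "secret" remain distinct.
    # Rule 4: NFC, so canonically equivalent sequences compare equal.
    out = unicodedata.normalize("NFC", out)
    return out


def opaque_strings_equal(a: str, b: str) -> bool:
    """Enforce both strings, then compare their UTF-8 encodings.

    hmac.compare_digest is a design choice of this example, not a
    requirement quoted from the draft: it keeps the comparison time
    independent of where the first differing byte sits.
    """
    enforced_a = enforce_opaque_string(a).encode("utf-8")
    enforced_b = enforce_opaque_string(b).encode("utf-8")
    return hmac.compare_digest(enforced_a, enforced_b)


if __name__ == "__main__":
    # Constructed samples: an ideographic space (U+3000) from an East
    # Asian input method, and "e" + combining acute (U+0301) versus the
    # precomposed U+00E9, both of which the rules fold together.
    print(opaque_strings_equal("correct\u3000horse", "correct horse"))  # True
    print(opaque_strings_equal("Cafe\u0301", "Caf\u00e9"))              # True
    # Case and width differences are intentionally NOT folded.
    print(opaque_strings_equal("Secret", "secret"))                     # False
    print(opaque_strings_equal("\uff21bc", "Abc"))                      # False
```

The point the example makes is which differences the profile erases and which it keeps: any Zs space and any canonically equivalent sequence compare equal after enforcement, while case (rule 3) and fullwidth/halfwidth forms (rule 1) remain distinct, because folding them would create the false positives the draft warns about.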
8.4. Reuse of Unicode

The security considerations described in [UTS39] apply to the use of Unicode code points in usernames and passwords.

9. References

9.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.

[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 2003, <http://www.rfc-editor.org/info/rfc3629>.

[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/RFC5234, January 2008, <http://www.rfc-editor.org/info/rfc5234>.

[RFC5890] Klensin, J., "Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework", RFC 5890, DOI 10.17487/RFC5890, August 2010, <http://www.rfc-editor.org/info/rfc5890>.

[RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in Internationalization in the IETF", BCP 166, RFC 6365, DOI 10.17487/RFC6365, September 2011, <http://www.rfc-editor.org/info/rfc6365>.

[RFC7564] Saint-Andre, P. and M. Blanchet, "PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols", RFC 7564, DOI 10.17487/RFC7564, May 2015, <http://www.rfc-editor.org/info/rfc7564>.

[UAX11] Unicode Standard Annex #11, "East Asian Width", edited by Ken Lunde. An integral part of The Unicode Standard, <http://unicode.org/reports/tr11/>.

[Unicode] The Unicode Consortium, "The Unicode Standard", <http://www.unicode.org/versions/latest/>.

9.2. Informative References

[Err1812] RFC Errata, "Erratum ID 1812", RFC 4013, <http://www.rfc-editor.org>.

[RFC20] Cerf, V., "ASCII format for network interchange", STD 80, RFC 20, DOI 10.17487/RFC0020, October 1969, <http://www.rfc-editor.org/info/rfc20>.

[RFC3454] Hoffman, P. and M. Blanchet, "Preparation of Internationalized Strings ("stringprep")", RFC 3454, DOI 10.17487/RFC3454, December 2002, <http://www.rfc-editor.org/info/rfc3454>.

[RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1", RFC 3501, DOI 10.17487/RFC3501, March 2003, <http://www.rfc-editor.org/info/rfc3501>.

[RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User Names and Passwords", RFC 4013, DOI 10.17487/RFC4013, February 2005, <http://www.rfc-editor.org/info/rfc4013>.

[RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple Authentication and Security Layer (SASL)", RFC 4422, DOI 10.17487/RFC4422, June 2006, <http://www.rfc-editor.org/info/rfc4422>.

[RFC4616] Zeilenga, K., Ed., "The PLAIN Simple Authentication and Security Layer (SASL) Mechanism", RFC 4616, DOI 10.17487/RFC4616, August 2006, <http://www.rfc-editor.org/info/rfc4616>.

[RFC5802] Newman, C., Menon-Sen, A., Melnikov, A., and N. Williams, "Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms", RFC 5802, DOI 10.17487/RFC5802, July 2010, <http://www.rfc-editor.org/info/rfc5802>.

[RFC5893] Alvestrand, H., Ed. and C. Karp, "Right-to-Left Scripts for Internationalized Domain Names for Applications (IDNA)", RFC 5893, DOI 10.17487/RFC5893, August 2010, <http://www.rfc-editor.org/info/rfc5893>.

[RFC6120] Saint-Andre, P., "Extensible Messaging and Presence Protocol (XMPP): Core", RFC 6120, DOI 10.17487/RFC6120, March 2011, <http://www.rfc-editor.org/info/rfc6120>.

[RFC6943] Thaler, D., Ed., "Issues in Identifier Comparison for Security Purposes", RFC 6943, DOI 10.17487/RFC6943, May 2013, <http://www.rfc-editor.org/info/rfc6943>.

[RFC7542] DeKok, A., "The Network Access Identifier", RFC 7542, DOI 10.17487/RFC7542, May 2015, <http://www.rfc-editor.org/info/rfc7542>.

[RFC7613] Saint-Andre, P. and A. Melnikov, "Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords", RFC 7613, DOI 10.17487/RFC7613, August 2015, <http://www.rfc-editor.org/info/rfc7613>.

[RFC7616] Shekh-Yusef, R., Ed., Ahrens, D., and S. Bremer, "HTTP Digest Access Authentication", RFC 7616, DOI 10.17487/RFC7616, September 2015, <http://www.rfc-editor.org/info/rfc7616>.

[RFC7617] Reschke, J., "The 'Basic' HTTP Authentication Scheme", RFC 7617, DOI 10.17487/RFC7617, September 2015, <http://www.rfc-editor.org/info/rfc7617>.

[RFC7622] Saint-Andre, P., "Extensible Messaging and Presence Protocol (XMPP): Address Format", RFC 7622, DOI 10.17487/RFC7622, September 2015, <http://www.rfc-editor.org/info/rfc7622>.

[UTS39] Unicode Technical Standard #39, "Unicode Security Mechanisms", edited by Mark Davis and Michel Suignard, <http://unicode.org/reports/tr39/>.

Appendix A. Changes from RFC 7613

The following changes were made from [RFC7613].

[...]

Thanks to Christian Schudt and Sam Whited for their bug reports and feedback.

See [RFC7613] for acknowledgements related to the specification that this document supersedes.

Authors' Addresses

Peter Saint-Andre
Filament

Email: peter@filament.com
URI: https://filament.com/

Alexey Melnikov
Isode Ltd
5 Castle Business Village
36 Station Road
Hampton, Middlesex TW12 2BX
United Kingdom

Email: Alexey.Melnikov@isode.com