One document matched: draft-ietf-precis-problem-statement-06.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
]>
<rfc category="info" ipr="trust200902" docName="draft-ietf-precis-problem-statement-06.txt">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<?rfc compact="no" ?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<front>
<title abbrev="Stringprep Revision Problem Statement">Stringprep Revision and PRECIS Problem Statement</title>
<author initials="M." surname="Blanchet" fullname="Marc Blanchet">
<organization>Viagenie</organization>
<address>
<postal>
<street>246 Aberdeen</street>
<city>Quebec</city>
<region>QC</region>
<code>G1R 2E1</code>
<country>Canada</country>
</postal>
<email>Marc.Blanchet@viagenie.ca</email>
<uri>http://viagenie.ca</uri>
</address>
</author>
<author initials="A." surname="Sullivan" fullname="Andrew Sullivan">
<organization>Dyn, Inc.</organization>
<address>
<postal>
<street>150 Dow St</street>
<city>Manchester</city>
<region>NH</region>
<code>03101</code>
<country>U.S.A.</country>
</postal>
<email>asullivan@dyn.com</email>
</address>
</author>
<date year="2012"/>
<abstract>
<t>
If a protocol expects to compare two strings and is prepared
only for those strings to be ASCII, then using Unicode
codepoints in those string requires they be prepared somehow.
Internationalizing Domain Names in Applications (here called
IDNA2003) defined and used Stringprep and Nameprep. Other
protocols subsequently defined Stringprep profiles. A new
approach different from Stringprep and Nameprep is used for a
revision of IDNA2003 (called IDNA2008). Other Stringprep
profiles need to be similarly updated or a replacement of
Stringprep needs to be designed. This document outlines the
issues to be faced by those designing a Stringprep
replacement.
</t>
</abstract>
</front>
<middle>
<section title="Introduction" anchor="intro">
<t>
Internationalizing Domain Names in Applications (here called
IDNA2003) <xref target="RFC3490"/>, <xref target="RFC3491" />,
<xref target="RFC3492" />, <xref target="RFC3454" /> describes
a mechanism for encoding Unicode labels making up
Internationalized Domain Names (IDNs) as standard DNS labels.
The labels were processed using a method called Nameprep <xref
target="RFC3491"/> and Punycode <xref target="RFC3492"/>.
That method was specific to IDNA2003, but is generalized as
Stringprep <xref target="RFC3454"/>. The general mechanism is
used by other protocols with similar needs, but with different
constraints than IDNA2003.
</t>
<t>Stringprep defines a framework within which protocols define their
Stringprep profiles. Known IETF specifications using Stringprep are
listed below:
<list style="symbols">
<t>The Nameprep profile <xref target="RFC3490"/> for use in
Internationalized Domain Names (IDNs);</t>
<t>NFSv4 <xref target="RFC3530" /> and NFSv4.1 <xref
target="RFC5661" />;</t>
<t>The iSCSI profile <xref target="RFC3722"/> for use in
Internet Small Computer Systems Interface (iSCSI) Names;</t>
<t>EAP <xref target="RFC3748" />;</t>
<t>The Nodeprep and Resourceprep profiles <xref
target="RFC3920"/> for use in the Extensible Messaging and
Presence Protocol (XMPP), and the XMPP to CPIM mapping <xref
target="RFC3922" /> (the latter of these relies on the former);</t>
<t>The Policy MIB profile <xref target="RFC4011"/> for use in
the Simple Network Management Protocol (SNMP);</t>
<t>The SASLprep profile <xref target="RFC4013"/> for use in
the Simple Authentication and Security Layer (SASL), and SASL
itself <xref target="RFC4422" />;</t>
<t>TLS <xref target="RFC4279" />;</t>
<t>IMAP4 using SASLprep <xref target="RFC4314" />;</t>
<t>The trace profile <xref target="RFC4505"/> for use with the
SASL ANONYMOUS mechanism;</t>
<t> The LDAP profile <xref target="RFC4518"/> for use with
LDAP <xref target="RFC4511" /> and its authentication methods
<xref target="RFC4513" />;</t>
<t>Plain SASL using SASLprep <xref target="RFC4616" />;</t>
<t>NNTP using SASLprep <xref target="RFC4643" />;</t>
<t>PKIX subject identification using LDAPprep <xref
target="RFC4683" />;</t>
<t>Internet Application Protocol Collation Registry <xref
target="RFC4790" />;</t>
<t>SMTP Auth using SASLprep <xref target="RFC4954" />;</t>
<t>POP3 Auth using SASLprep <xref target="RFC5034" />;</t>
<t>TLS SRP using SASLprep <xref target="RFC5054" />;</t>
<t>IRI and URI in XMPP <xref target="RFC5122" />;</t>
<t>PKIX CRL using LDAPprep <xref target="RFC5280" />;</t>
<t>IAX using Nameprep <xref target="RFC5456" />;</t>
<t>SASL SCRAM using SASLprep <xref target="RFC5802" />;</t>
<t>Remote management of Sieve using SASLprep <xref target="RFC5804" />;</t>
<t>The unicode-casemap Unicode Collation <xref target="RFC5051" />.</t>
</list>
</t>
<t>However, a review (see <xref target="ietf78precis" />) of
these protocol specifications found that they are very similar
and can be grouped into a short number of classes. Moreover,
many reuse the same Stringprep profile, such as the SASL
one.</t>
<t>IDNA2003 was replaced because of some limitations described
in <xref target="RFC4690" />. The new IDN specification, called
IDNA2008 <xref target="RFC5890" />, <xref target="RFC5891" />,
<xref target="RFC5892" />, <xref target="RFC5893" /> was
designed based on the considerations found in <xref
target="RFC5894" />. One of the effects of IDNA2008 is that
Nameprep and Stringprep are not used at all. Instead, an
algorithm based on Unicode properties of codepoints is
defined. That algorithm generates a stable and complete table of
the supported Unicode codepoints for each Unicode version. This
algorithm is based on an inclusion-based approach, instead of
the exclusion-based approach of Stringprep/Nameprep. That is,
IDNA2003 created an explicit list of excluded or mapped-away
characters; anything in Unicode 3.2 that was not so listed could
be assumed to be allowed under the protocol. IDNA2008 begins
instead from the assumption that code points are disallowed, and
then relies on Unicode properties to derive whether a given code
point actually is allowed in the protocol.
</t>
<t>This document lists the shortcomings and issues found by
protocols listed above that defined Stringprep profiles. It also
lists the requirements for any potential replacement of
Stringprep.</t>
</section>
<section title="Conventions">
<t>A single Unicode code point in this memo is denoted by "U+"
followed by four to six hexadecimal digits. Compare to <xref
target="Unicode61" />, Appendix A.</t>
</section>
<section title="Stringprep Profiles Limitations">
<t>During IETF 77, a BOF discussed the current state of the
protocols that have defined Stringprep profiles <xref
target="NEWPREP" />. The main conclusions from that discussion
were as follows:
<list style="symbols">
<t>Stringprep is bound to version 3.2 of Unicode. Stringprep
has not been updated to new versions of Unicode. Therefore,
the protocols using Stringprep are stuck to Unicode 3.2.</t>
<t>The protocols need to be updated to support new versions of
Unicode. The protocols would like to not be bound to a specific
version of Unicode, but rather have better Unicode agility in
the way of IDNA2008. This is important partly because it is
usually impossible for an application to require Unicode 3.2;
the application gets whatever version of Unicode is available on
the host.</t>
<t>The protocols require better bidirectional support (bidi) than
currently offered by Stringprep. </t>
<t>If the protocols are updated to use a new version of
Stringprep or another framework, then backward compatibility
is an important requirement. For example, Stringprep is
based on and profiles may use NFKC <xref target="UAX15" />, while
IDNA2008 mostly uses NFC <xref target="UAX15" />.</t>
<t>Identifiers are passed between protocols. For example, the
same username string of codepoints may be passed between SASL,
XMPP, LDAP and EAP. Therefore, common set of rules or classes
of strings are preferred over specific rules for each
protocol. Without real planning in advance, many stringprep
profiles reuse other profiles, so this goal was accomplished
by accident with Stringprep.</t>
</list>
</t>
<t>Protocols that use Stringprep profiles use strings for
different purposes:
<list style="symbols">
<t>XMPP uses a different Stringprep profile for each part of the
XMPP address (JID): a localpart which is similar to a username and
used for authentication, a domainpart which is a domain name and a
resource part which is less restrictive than the localpart.</t>
<t>iSCSI uses a Stringprep profile for the IQN, which is
very similar to (often is) a DNS domain name. </t>
<t>SASL and LDAP uses a Stringprep profile for usernames.</t>
<t>LDAP uses a set of Stringprep profiles.</t>
</list>
</t>
<t>The apparent judgement of the BOF attendees <xref
target="NEWPREP" /> was that it would be highly desirable to
have a replacement of Stringprep, with similar characteristics
to IDNA2008. That replacement should be defined so that the
protocols could use internationalized strings without a lot of
specialized internationalization work, since
internationalization expertise is not available in the
respective protocols or working groups. Accordingly, the IESG
formed the PRECIS working group to undertake the task.</t>
<t>Notwithstanding the desire evident in <xref target="NEWPREP"
/> and the chartering of a working group, IDNA2008 may be a poor
model for what other protocols ought to do, because it is
designed to support an old protocol that is designed to operate
on the scale of the entire Internet. Moreover, IDNA2008 is
intended to be deployed without any change to the base DNS
protocol. Other protocols may aim at deployment in more local
environments, or may have protocol version negotiation built
in.</t>
</section>
<section title="Major Topics for Consideration" anchor="topics">
<t>This section provides an overview of major topics that a
Stringprep replacement needs to address. The headings
correspond roughly with categories under which known
Stringprep-using protocol RFCs have been evaluated. For the
details of those evaluations, see <xref target="knowncases" />.</t>
<section title="Comparison">
<section title="Types of Identifiers" anchor="buckets">
<t>Following <xref target="I-D.iab-identifier-comparison"
/>, it is possible to organize identifiers into three
classes in respect of how they may be compared with one
another:</t>
<t>
<list style="hanging">
<t hangText="Absolute Identifiers">Identifiers that can be compared
byte-by-byte for equality.</t>
<t hangText="Definite Identifiers">Identifiers that have a
well-defined comparison algorithm on which all parties
agree.</t>
<t hangText="Indefinite Identifiers">Identifiers that have
no single comparison algorithm on which all parties agree.</t>
</list>
</t>
<t>Definite Identifiers include cases like the comparison of
Unicode code points in different encodings: they do not match
byte for byte, but can all be converted to a single encoding
which then does match byte for byte. Indefinite Identifiers are
sometimes algorithmically comparable by well-specified subsets
of parties. For more discussion of these categories, see <xref
target="I-D.iab-identifier-comparison" />.
</t>
<t>The section on treating the existing known cases, <xref
target="knowncases" /> uses the categories above.</t>
</section>
<section title="Effect of comparison">
<t>The three classes of comparison style outlined in <xref
target="buckets" /> may have different effects when applied.
It is necessary to evaluate the effects if a comparison
results in a false positive, and what the effects are if a
comparison results in a false negative, especially in terms
of the consequences to security and usability.</t>
</section>
</section>
<section title="Dealing with characters">
<t>This section outlines a range of issues having to do with
characters in the target protocols, and outlines the ways in
which IDNA2008 might be a good analogy to other protocols, and
ways in which it might be a poor one.</t>
<section title="Case folding, case sensitivity, and case
preservation" anchor="case">
<t>In IDNA2003, labels are always mapped to lower case before
the Punycode transformation. In IDNA2008, there is no mapping
at all: input is either a valid U-label or it is not. At the
same time, upper-case characters are by definition not valid
U-labels, because they fall into the Unstable category
(category B) of <xref target="RFC5892" />.</t>
<t>If there are protocols that require upper and lower cases be
preserved, then the analogy with IDNA2008 will break down.
Accordingly, existing protocols are to be evaluated according
to the following criteria:</t>
<t><list style="numbers">
<t>Does the protocol use case folding? For all blocks of
code points, or just for certain subsets?</t>
<t>Is the system or protocol case sensitive?</t>
<t>Does the system or protocol preserve case?</t>
</list></t>
</section>
<section title="Stringprep and NFKC">
<t>Stringprep profiles may use normalization. If they do,
they use NFKC <xref target="UAX15" /> (most profiles do).
It is not clear that NFKC is the right normalization to use
in all cases. In <xref target="UAX15" />, there is the
following observation regarding Normalization Forms KC and
KD: "It is best to think of these Normalization Forms as
being like uppercase or lowercase mappings: useful in
certain contexts for identifying core meanings, but also
performing modifications to the text that may not always be
appropriate." In general, it can be said that NFKC is more
aggressive about finding matches between codepoints than
NFC. For things like the spelling of users' names, then,
NFKC may not be the best form to use. At the same time, one
of the nice things about NFKC is that it deals with the
width of characters that are otherwise similar, by
canonicalizing half-width to full-width. This mapping step
can be crucial in practice. A replacement for stringprep
depends on analyzing the different use profiles and
considering whether NFKC or NFC is a better normalization
for each profile.</t>
<t>For the purposes of evaluating an existing example of
Stringprep use, it is helpful to know whether it uses no
normalization, NFKC, or NFC.</t>
</section>
<section title="Character mapping" anchor="mapping">
<t>Along with the case mapping issues raised in <xref
target="case" />, there is the question of whether some
characters are mapped either to other characters or to nothing
during Stringprep. <xref target="RFC3454" />, Section 3,
outlines a number of characters that are mapped to nothing,
and also permits Stringprep profiles to define their own
mappings.</t>
</section>
<section title="Prohibited characters" anchor="prohibited">
<t>Along with case folding and other character mappings, many
protocols have characters that are simply disallowed. For
example, control characters and special characters such as "@"
or "/" may be prohibited in a protocol.</t>
<t>One of the primary changes of IDNA2008 is in the way it
approaches Unicode code points, using the new
inclusion-based approach (see <xref target="intro" />).</t>
<t>Because of the default assumption in IDNA2008 that a code
point is not allowed by the protocol, it has more than one
class of "allowed by the protocol"; this is unlike IDNA2003.
While some code points are disallowed outright, some are
allowed only in certain contexts. The reasons for the
context-dependent rules have to do with the way some
characters are used. For instance, the ZERO WIDTH JOINER
and ZERO WIDTH NON-JOINER (ZWJ, U+200D and ZWNJ, U+200C) are
allowed with contextual rules because they are required in
some circumstances, yet are considered punctuation by
Unicode and would therefore be DISALLOWED under the usual
IDNA2008 derivation rules. The goal of IDNA2008 is to
provide the widest repertoire of code points possible and
consistent with the traditional DNS "LDH" (letters, digits,
hyphen; see <xref target="RFC0952" />) rule, trusting to
the operators of individual zones to make sensible (and
usually more restrictive) policies for their zones.</t>
</section>
<section title="Internal structure, delimiters, and special characters">
<t>IDNA2008 has a special problem with delimiters, because
the delimiter "character" in the DNS wire format is not
really part of the data. In DNS, labels are not separated
exactly; instead, a label carries with it an indicator that
says how long the label is. When the label is presented in
presentation format as part of a fully qualified domain
name, the label separator FULL STOP, U+002E (.) is used to
break up the labels. But because that label separator does
not travel with the wire format of the domain name, there is
no way to encode a different, "internationalized" separator
in IDNA2008.</t>
<t>Other protocols may include characters with similar special
meaning within the protocol. Common characters for these
purposes include FULL STOP, U+002E (.); COMMERCIAL AT, U+0040
(@); HYPHEN-MINUS, U+002D (-); SOLIDUS, U+002F (/); and LOW
LINE, U+005F (_). The mere inclusion of such a character in
the protocol is not enough for it to be considered similar to
another protocol using the same character; instead, handling
of the character must be taken into consideration as well.</t>
<t>An important issue to tackle here is whether it is
valuable to map to or from these special characters as part
of the Stringprep replacement. In some locales, the
analogue to FULL STOP, U+002E is some other character, and
users may expect to be able to substitute their normal stop
for FULL STOP, U+002E. At the same time, there are
predictability arguments in favour of treating identifiers with
FULL STOP, U+002E in them just the way they are treated
under IDNA2008.</t>
</section>
<section title="Restrictions because of glyph similarity" anchor="homoglyphs">
<t>Homoglyphs are similarly (or identically) rendered glyphs
of different codepoints. For DNS names, homoglyphs may
enable phishing. If a protocol requires some visual
comparison by end-users, then the issue of homoglyphs are to
be considered. In the DNS context, theses issues are
documented in <xref target="RFC5894"/> and <xref
target="RFC4690"/>. IDNA2008 does not, however, have a
mechanism to deal with them, trusting to DNS zone operators
to enact sensible policies for the subset of Unicode they
wish to support, given their user community. A similar
policy/protocol split may not be desirable in every
protocol.
</t>
</section>
</section>
<section title="Where the data comes from and where it goes">
<section title="User input and the source of protocol elements">
<t>Some protocol elements are provided by users, and others
are not. Those that are not may presumably be subject to
greater restrictions, whereas those that users provide likely
need to permit the broadest range of code points. The
following questions are helpful:</t>
<t><list style="numbers">
<t>Do users input the strings directly?</t>
<t>If so, how? (keyboard, stylus, voice, copy-paste, etc.)</t>
<t>Where do we place the dividing line between user
interface and protocol? (see <xref target="RFC5895" />)</t>
</list></t>
</section>
<section title="User output">
<t>Just as only some protocol elements are expected to be
entered directly by users, only some protocol elements are
intended to be consumed directly by users. It is important
to know how users are expected to be able to consume the
protocol elements, because different environments present
different challenges. An element that is only ever
delivered as part of a vCard remains in machine-readable
format, so the problem of visual confusion is not a great
one. Is the protocol element published as part of a vCard,
a web directory, on a business card, or on "the side of a
bus"? Do users use the protocol element as an identifier
(which means that they might enter it again in some other
context)? (See also <xref target="homoglyphs" />.)</t>
</section>
<section title="Operations">
<t>Some strings are useful as part of the protocol but are
not used as input to other operations (for instance, purely
informative or descriptive text). Other strings are used
directly as input to other operations (such as cryptographic
hash functions), or are used together with other strings to
(such as concatenating a string with some others to form a
unique identifier).</t>
<section title="String classes">
<t>Strings often have a similar function in different
protocols. For instance, many different protocols contain
user identifiers or passwords. A single profile for all
such uses might be desirable.</t>
<t>Often, a string in a protocol is effectively a protocol
element from another protocol. For instance, different
systems might use the same credentials database for
authentication.</t>
</section>
<section title="Community Considerations">
<t>A Stringprep replacement that does anything more than
just update Stringprep to the latest version of Unicode
will probably entail some changes. It is important to
identify the willingness of the protocol-using community
to accept backwards-incompatible changes. By the same
token, it is important to evaluate the desire of the
community for features not available under Stringprep.</t>
</section>
<section title="Unicode Incompatible Changes">
<t>IDNA2008 uses an algorithm to derive the validity of a
Unicode code point for use under IDNA2008. It does this
by using the properties of each code point to test its
validity.</t>
<t>This approach depends crucially on the idea that code
points, once valid for a protocol profile, will not later
be made invalid. That is not a guarantee currently
provided by Unicode. Properties of code points may change
between versions of Unicode. Rarely, such a change could
cause a given code point to become invalid under a
protocol profile, even though the code point would be
valid with an earlier version of Unicode. This is not
merely a theoretical possibility, because it has occurred
(<xref target="RFC6452"/>).</t>
<t>Accordingly, as in IDNA2008, a Stringprep replacement
that intends to be Unicode version agnostic will need to
work out a mechanism to address cases where incompatible
changes occur because of new Unicode versions.</t>
</section>
</section>
</section>
</section>
<section title="Considerations for Stringprep replacement">
<t>The above suggests the following guidance for replacing Stringprep:
<list style="symbols">
<t>A stringprep replacement should be defined.</t>
<t>The replacement should take an approach similar to IDNA2008,
(e.g. by using codepoint properties instead of codepoint whitelisting) in that it enables better Unicode agility.</t>
<t>Protocols share similar characteristics of
strings. Therefore, defining internationalization preparation algorithms for
the smallest set of string classes may be sufficient for most
cases, providing coherence among a set of related protocols or
protocols where identifiers are exchanged.</t>
<t>The sets of string classes need to be evaluated according
to the considerations that make up the headings in <xref
target="topics" /></t>
<t>It is reasonable to limit scope to Unicode code points, and
rule the mapping of data from other character encodings
outside the scope of this effort.</t>
<t>The replacement ought at least to provide guidance to
applications using the replacement on how to handle protocol
incompatibilities resulting from changes to Unicode. In an
ideal world, the stringprep replacement would handle the
changes automatically, but it appears that such automatic
handling would require magic and cannot be expected.</t>
<t>Compatibility within each protocol between a technique that
is stringprep-based and the technique's replacement has to be
considered very carefully.</t>
</list>
</t>
<t>Existing deployments already depend on Stringprep profiles.
Therefore, a replacement must consider the effects of any new
strategy on existing deployments. By way of comparison, it is
worth noting that some characters were acceptable in IDNA labels
under IDNA2003, but are not protocol-valid under IDNA2008 (and
conversely); disagreement about what to do during the transition
has resulted in different approaches to mapping. Different
implementers may make different decisions about what to do in
such cases; this could have interoperability effects. It is
necessary to trade better support for different linguistic
environments against the potential side effects of backward
incompatibility.</t>
</section>
<section title="Security Considerations">
<t>This document merely states what problems are to be solved,
and does not define a protocol. There are undoubtedly security
implications of the particular results that will come from the
work to be completed.</t>
</section>
<section title="IANA Considerations">
<t>
This document has no actions for IANA.
</t>
</section>
<section title="Discussion home for this draft">
<t>
Note: RFC-Editor, please remove this section before
publication.
</t>
<t>
This document is intended to define the problem space
discussed on the precis@ietf.org mailing list.
</t>
</section>
<section title="Acknowledgements">
<t>This document is the product of the PRECIS IETF Working
Group, and participants in that Working Group were helpful in
addressing issues with the text.</t>
<t>Specific contributions came from David Black, Alan DeKok, Simon Josefsson,
Bill McQuillan, Alexey Melnikov, Peter Saint-Andre, Dave Thaler,
and Yoshiro Yoneya.</t>
<t>Dave Thaler provided the "buckets" insight in <xref
target="buckets" />, central to the organization of the
problem.</t>
<t>Evaluations of Stringprep profiles that are included
in Appendix B were done by: David Black, Alexey Melnikov,
Peter Saint-Andre, Dave Thaler.</t>
</section>
</middle>
<back>
<references title="Informative References">
<reference anchor='I-D.iab-identifier-comparison'>
<front>
<title>Issues in Identifier Comparison for Security Purposes</title>
<author initials='D' surname='Thaler' fullname='Dave Thaler'>
<organization />
</author>
<date month='July' day='2' year='2011' />
<abstract><t>Identifiers such as hostnames, URIs/IRIs, and email addresses are often used in security contexts to identify security principals and resources. In such contexts, an identifier supplied via some protocol is often compared against some policy to make security decisions such as whether the principal may access the resource, what level of authentication or encryption is required, etc. If the parties involved in a security decision use different algorithms to compare identifiers, then failure scenarios ranging from denial of service to elevation of privilege can result.</t></abstract>
</front>
<seriesInfo name='Internet-Draft' value='draft-iab-identifier-comparison-00' />
<format type='TXT'
target='http://www.ietf.org/internet-drafts/draft-iab-identifier-comparison-00.txt' />
</reference>
<reference anchor='NEWPREP'>
<front>
<title>Newprep BoF Meeting Minutes</title>
<author fullname='Association Management Solutions, ed.'>
<organization /></author>
<date year='2010' month='March' />
</front>
<format type='TXT' octets='1807' target='http://www.ietf.org/proceedings/77/minutes/newprep.txt' />
</reference>
<reference anchor='RFC3454'>
<front>
<title>Preparation of Internationalized Strings ("stringprep")</title>
<author initials='P.' surname='Hoffman' fullname='P. Hoffman'>
<organization /></author>
<author initials='M.' surname='Blanchet' fullname='M. Blanchet'>
<organization /></author>
<date year='2002' month='December' />
<abstract>
<t>This document describes a framework for preparing Unicode text strings in order to increase the likelihood that string input and string comparison work in ways that make sense for typical users throughout the world. The stringprep protocol is useful for protocol identifier values, company and personal names, internationalized domain names, and other text strings. This document does not specify how protocols should prepare text strings. Protocols must create profiles of stringprep in order to fully specify the processing options. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='3454' />
<format type='TXT' octets='138684' target='http://www.rfc-editor.org/rfc/rfc3454.txt' />
</reference>
<reference anchor='RFC3490'>
<front>
<title>Internationalizing Domain Names in Applications (IDNA)</title>
<author initials='P.' surname='Faltstrom' fullname='P. Faltstrom'>
<organization /></author>
<author initials='P.' surname='Hoffman' fullname='P. Hoffman'>
<organization /></author>
<author initials='A.' surname='Costello' fullname='A. Costello'>
<organization /></author>
<date year='2003' month='March' />
<abstract>
<t>Until now, there has been no standard method for domain names to use characters outside the ASCII repertoire. This document defines internationalized domain names (IDNs) and a mechanism called Internationalizing Domain Names in Applications (IDNA) for handling them in a standard fashion. IDNs use characters drawn from a large repertoire (Unicode), but IDNA allows the non-ASCII characters to be represented using only the ASCII characters already allowed in so-called host names today. This backward-compatible representation is required in existing protocols like DNS, so that IDNs can be introduced with no changes to the existing infrastructure. IDNA is only meant for processing domain names, not free text. [STANDARDS-TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='3490' />
<format type='TXT' octets='51943' target='http://www.rfc-editor.org/rfc/rfc3490.txt' />
</reference>
<reference anchor='RFC3491'>
<front>
<title>Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)</title>
<author initials='P.' surname='Hoffman' fullname='P. Hoffman'>
<organization /></author>
<author initials='M.' surname='Blanchet' fullname='M. Blanchet'>
<organization /></author>
<date year='2003' month='March' />
<abstract>
<t>This document describes how to prepare internationalized domain name (IDN) labels in order to increase the likelihood that name input and name comparison work in ways that make sense for typical users throughout the world. This profile of the stringprep protocol is used as part of a suite of on-the-wire protocols for internationalizing the Domain Name System (DNS). [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='3491' />
<format type='TXT' octets='10316' target='http://www.rfc-editor.org/rfc/rfc3491.txt' />
</reference>
<reference anchor='RFC3492'>
<front>
<title>Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)</title>
<author initials='A.' surname='Costello' fullname='A. Costello'>
<organization /></author>
<date year='2003' month='March' />
<abstract>
<t>Punycode is a simple and efficient transfer encoding syntax designed for use with Internationalized Domain Names in Applications (IDNA). It uniquely and reversibly transforms a Unicode string into an ASCII string. ASCII characters in the Unicode string are represented literally, and non-ASCII characters are represented by ASCII characters that are allowed in host name labels (letters, digits, and hyphens). This document defines a general algorithm called Bootstring that allows a string of basic code points to uniquely represent any string of code points drawn from a larger set. Punycode is an instance of Bootstring that uses particular parameter values specified by this document, appropriate for IDNA. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='3492' />
<format type='TXT' octets='67439' target='http://www.rfc-editor.org/rfc/rfc3492.txt' />
</reference>
<reference anchor='RFC3530'>
<front>
<title>Network File System (NFS) version 4 Protocol</title>
<author initials='S.' surname='Shepler' fullname='S. Shepler'>
<organization /></author>
<author initials='B.' surname='Callaghan' fullname='B. Callaghan'>
<organization /></author>
<author initials='D.' surname='Robinson' fullname='D. Robinson'>
<organization /></author>
<author initials='R.' surname='Thurlow' fullname='R. Thurlow'>
<organization /></author>
<author initials='C.' surname='Beame' fullname='C. Beame'>
<organization /></author>
<author initials='M.' surname='Eisler' fullname='M. Eisler'>
<organization /></author>
<author initials='D.' surname='Noveck' fullname='D. Noveck'>
<organization /></author>
<date year='2003' month='April' />
<abstract>
<t>The Network File System (NFS) version 4 is a distributed filesystem protocol which owes heritage to NFS protocol version 2, RFC 1094, and version 3, RFC 1813. Unlike earlier versions, the NFS version 4 protocol supports traditional file access while integrating support for file locking and the mount protocol. In addition, support for strong security (and its negotiation), compound operations, client caching, and internationalization have been added. Of course, attention has been applied to making NFS version 4 operate well in an Internet environment. This document replaces RFC 3010 as the definition of the NFS version 4 protocol. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='3530' />
<format type='TXT' octets='600988' target='http://www.rfc-editor.org/rfc/rfc3530.txt' />
</reference>
<reference anchor='RFC3722'>
<front>
<title>String Profile for Internet Small Computer Systems Interface (iSCSI) Names</title>
<author initials='M.' surname='Bakke' fullname='M. Bakke'>
<organization /></author>
<date year='2004' month='April' />
<abstract>
<t>This document describes how to prepare internationalized iSCSI names to increase the likelihood that name input and comparison work in ways that make sense for typical users throughout the world. The Internet Small Computer Systems Interface (iSCSI) protocol provides a way for hosts to access SCSI devices over an IP network. The iSCSI end-points, called initiators and targets, each have a globally-unique name that must be transcribable, as well as easily compared. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='3722' />
<format type='TXT' octets='14702' target='http://www.rfc-editor.org/rfc/rfc3722.txt' />
</reference>
<reference anchor='RFC3748'>
<front>
<title>Extensible Authentication Protocol (EAP)</title>
<author initials='B.' surname='Aboba' fullname='B. Aboba'>
<organization /></author>
<author initials='L.' surname='Blunk' fullname='L. Blunk'>
<organization /></author>
<author initials='J.' surname='Vollbrecht' fullname='J. Vollbrecht'>
<organization /></author>
<author initials='J.' surname='Carlson' fullname='J. Carlson'>
<organization /></author>
<author initials='H.' surname='Levkowetz' fullname='H. Levkowetz'>
<organization /></author>
<date year='2004' month='June' />
<abstract>
<t>This document defines the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication methods. EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP. EAP provides its own support for duplicate elimination and retransmission, but is reliant on lower layer ordering guarantees. Fragmentation is not supported within EAP itself; however, individual EAP methods may support this. This document obsoletes RFC 2284. A summary of the changes between this document and RFC 2284 is available in Appendix A. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='3748' />
<format type='TXT' octets='157994' target='http://www.rfc-editor.org/rfc/rfc3748.txt' />
</reference>
<reference anchor='RFC3920'>
<front>
<title abbrev='XMPP Core'>Extensible Messaging and Presence Protocol (XMPP): Core</title>
<author initials='P.' surname='Saint-Andre' fullname='Peter Saint-Andre' role='editor'>
<organization>Jabber Software Foundation</organization>
<address>
<email>stpeter@jabber.org</email></address></author>
<date year='2004' month='October' />
<area>Applications</area>
<workgroup>XMPP Working Group</workgroup>
<keyword>RFC</keyword>
<keyword>Request for Comments</keyword>
<keyword>I-D</keyword>
<keyword>Internet-Draft</keyword>
<keyword>XMPP</keyword>
<keyword>Extensible Messaging and Presence Protocol</keyword>
<keyword>Jabber</keyword>
<keyword>IM</keyword>
<keyword>Instant Messaging</keyword>
<keyword>Presence</keyword>
<keyword>XML</keyword>
<keyword>Extensible Markup Language</keyword>
<abstract>
<t>This memo defines the core features of the Extensible Messaging and Presence Protocol (XMPP), a protocol for streaming Extensible Markup Language (XML) elements in order to exchange structured information in close to real time between any two network endpoints. While XMPP provides a generalized, extensible framework for exchanging XML data, it is used mainly for the purpose of building instant messaging and presence applications that meet the requirements of RFC 2779.</t></abstract></front>
<seriesInfo name='RFC' value='3920' />
<format type='TXT' octets='194313' target='http://www.rfc-editor.org/rfc/rfc3920.txt' />
<format type='HTML' octets='279912' target='http://xml.resource.org/public/rfc/html/rfc3920.html' />
<format type='XML' octets='234610' target='http://xml.resource.org/public/rfc/xml/rfc3920.xml' />
</reference>
<reference anchor='RFC3922'>
<front>
<title abbrev='XMPP to CPIM'>Mapping the Extensible Messaging and Presence Protocol (XMPP) to Common Presence and Instant Messaging (CPIM)</title>
<author initials='P.' surname='Saint-Andre' fullname='Peter Saint-Andre'>
<organization>Jabber Software Foundation</organization>
<address>
<email>stpeter@jabber.org</email></address></author>
<date year='2004' month='October' />
<area>Applications</area>
<workgroup>XMPP Working Group</workgroup>
<keyword>RFC</keyword>
<keyword>Request for Comments</keyword>
<keyword>I-D</keyword>
<keyword>Internet-Draft</keyword>
<keyword>XMPP</keyword>
<keyword>Extensible Messaging and Presence Protocol</keyword>
<keyword>Jabber</keyword>
<keyword>IM</keyword>
<keyword>Instant Messaging</keyword>
<keyword>Presence</keyword>
<keyword>CPIM</keyword>
<keyword>Common Presence and Instant Messaging</keyword>
<keyword>XML</keyword>
<keyword>Extensible Markup Language</keyword>
<abstract>
<t>This memo describes a mapping between the Extensible Messaging and Presence Protocol (XMPP) and the Common Presence and Instant Messaging (CPIM) specifications.</t></abstract></front>
<seriesInfo name='RFC' value='3922' />
<format type='TXT' octets='70790' target='http://www.rfc-editor.org/rfc/rfc3922.txt' />
<format type='HTML' octets='111801' target='http://xml.resource.org/public/rfc/html/rfc3922.html' />
<format type='XML' octets='89156' target='http://xml.resource.org/public/rfc/xml/rfc3922.xml' />
</reference>
<reference anchor='RFC4011'>
<front>
<title>Policy Based Management MIB</title>
<author initials='S.' surname='Waldbusser' fullname='S. Waldbusser'>
<organization /></author>
<author initials='J.' surname='Saperia' fullname='J. Saperia'>
<organization /></author>
<author initials='T.' surname='Hongal' fullname='T. Hongal'>
<organization /></author>
<date year='2005' month='March' />
<abstract>
<t>This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP-based internets. In particular, this MIB defines objects that enable policy-based monitoring and management of Simple Network Management Protocol (SNMP) infrastructures, a scripting language, and a script execution environment. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4011' />
<format type='TXT' octets='265942' target='http://www.rfc-editor.org/rfc/rfc4011.txt' />
</reference>
<reference anchor='RFC4013'>
<front>
<title>SASLprep: Stringprep Profile for User Names and Passwords</title>
<author initials='K.' surname='Zeilenga' fullname='K. Zeilenga'>
<organization /></author>
<date year='2005' month='February' />
<abstract>
<t>This document describes how to prepare Unicode strings representing user names and passwords for comparison. The document defines the "SASLprep" profile of the "stringprep" algorithm to be used for both user names and passwords. This profile is intended to be used by Simple Authentication and Security Layer (SASL) mechanisms (such as PLAIN, CRAM-MD5, and DIGEST-MD5), as well as other protocols exchanging simple user names and/or passwords. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4013' />
<format type='TXT' octets='13051' target='http://www.rfc-editor.org/rfc/rfc4013.txt' />
</reference>
<reference anchor='RFC4279'>
<front>
<title>Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)</title>
<author initials='P.' surname='Eronen' fullname='P. Eronen'>
<organization /></author>
<author initials='H.' surname='Tschofenig' fullname='H. Tschofenig'>
<organization /></author>
<date year='2005' month='December' />
<abstract>
<t>This document specifies three sets of new ciphersuites for the Transport Layer Security (TLS) protocol to support authentication based on pre-shared keys (PSKs). These pre-shared keys are symmetric keys, shared in advance among the communicating parties. The first set of ciphersuites uses only symmetric key operations for authentication. The second set uses a Diffie-Hellman exchange authenticated with a pre-shared key, and the third set combines public key authentication of the server with pre-shared key authentication of the client. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4279' />
<format type='TXT' octets='32160' target='http://www.rfc-editor.org/rfc/rfc4279.txt' />
</reference>
<reference anchor='RFC4314'>
<front>
<title>IMAP4 Access Control List (ACL) Extension</title>
<author initials='A.' surname='Melnikov' fullname='A. Melnikov'>
<organization /></author>
<date year='2005' month='December' />
<abstract>
<t>The Access Control List (ACL) extension (RFC 2086) of the Internet Message Access Protocol (IMAP) permits mailbox access control lists to be retrieved and manipulated through the IMAP protocol.</t><t> This document is a revision of RFC 2086. It defines several new access control rights and clarifies which rights are required for different IMAP commands. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4314' />
<format type='TXT' octets='56599' target='http://www.rfc-editor.org/rfc/rfc4314.txt' />
</reference>
<reference anchor='RFC4422'>
<front>
<title>Simple Authentication and Security Layer (SASL)</title>
<author initials='A.' surname='Melnikov' fullname='A. Melnikov'>
<organization /></author>
<author initials='K.' surname='Zeilenga' fullname='K. Zeilenga'>
<organization /></author>
<date year='2006' month='June' />
<abstract>
<t>The Simple Authentication and Security Layer (SASL) is a framework for providing authentication and data security services in connection-oriented protocols via replaceable mechanisms. It provides a structured interface between protocols and mechanisms. The resulting framework allows new protocols to reuse existing mechanisms and allows old protocols to make use of new mechanisms. The framework also provides a protocol for securing subsequent protocol exchanges within a data security layer.</t><t> This document describes how a SASL mechanism is structured, describes how protocols include support for SASL, and defines the protocol for carrying a data security layer over a connection. In addition, this document defines one SASL mechanism, the EXTERNAL mechanism.</t><t> This document obsoletes RFC 2222. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4422' />
<format type='TXT' octets='73206' target='http://www.rfc-editor.org/rfc/rfc4422.txt' />
</reference>
<reference anchor='RFC4505'>
<front>
<title>Anonymous Simple Authentication and Security Layer (SASL) Mechanism</title>
<author initials='K.' surname='Zeilenga' fullname='K. Zeilenga'>
<organization /></author>
<date year='2006' month='June' />
<abstract>
<t>On the Internet, it is common practice to permit anonymous access to various services. Traditionally, this has been done with a plain-text password mechanism using "anonymous" as the user name and using optional trace information, such as an email address, as the password. As plain-text login commands are not permitted in new IETF protocols, a new way to provide anonymous login is needed within the context of the Simple Authentication and Security Layer (SASL) framework. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4505' />
<format type='TXT' octets='16599' target='http://www.rfc-editor.org/rfc/rfc4505.txt' />
</reference>
<reference anchor='RFC4511'>
<front>
<title>Lightweight Directory Access Protocol (LDAP): The Protocol</title>
<author initials='J.' surname='Sermersheim' fullname='J. Sermersheim'>
<organization /></author>
<date year='2006' month='June' />
<abstract>
<t>This document describes the protocol elements, along with their semantics and encodings, of the Lightweight Directory Access Protocol (LDAP). LDAP provides access to distributed directory services that act in accordance with X.500 data and service models. These protocol elements are based on those described in the X.500 Directory Access Protocol (DAP). [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4511' />
<format type='TXT' octets='150116' target='http://www.rfc-editor.org/rfc/rfc4511.txt' />
</reference>
<reference anchor='RFC4513'>
<front>
<title>Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms</title>
<author initials='R.' surname='Harrison' fullname='R. Harrison'>
<organization /></author>
<date year='2006' month='June' />
<abstract>
<t>This document describes authentication methods and security mechanisms of the Lightweight Directory Access Protocol (LDAP). This document details establishment of Transport Layer Security (TLS) using the StartTLS operation.</t><t> This document details the simple Bind authentication method including anonymous, unauthenticated, and name/password mechanisms and the Simple Authentication and Security Layer (SASL) Bind authentication method including the EXTERNAL mechanism.</t><t> This document discusses various authentication and authorization states through which a session to an LDAP server may pass and the actions that trigger these state changes.</t><t> This document, together with other documents in the LDAP Technical Specification (see Section 1 of the specification's road map), obsoletes RFC 2251, RFC 2829, and RFC 2830. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4513' />
<format type='TXT' octets='80546' target='http://www.rfc-editor.org/rfc/rfc4513.txt' />
</reference>
<reference anchor='RFC4518'>
<front>
<title>Lightweight Directory Access Protocol (LDAP): Internationalized String Preparation</title>
<author initials='K.' surname='Zeilenga' fullname='K. Zeilenga'>
<organization /></author>
<date year='2006' month='June' />
<abstract>
<t>The previous Lightweight Directory Access Protocol (LDAP) technical specifications did not precisely define how character string matching is to be performed. This led to a number of usability and interoperability problems. This document defines string preparation algorithms for character-based matching rules defined for use in LDAP. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4518' />
<format type='TXT' octets='28166' target='http://www.rfc-editor.org/rfc/rfc4518.txt' />
</reference>
<reference anchor='RFC4616'>
<front>
<title>The PLAIN Simple Authentication and Security Layer (SASL) Mechanism</title>
<author initials='K.' surname='Zeilenga' fullname='K. Zeilenga'>
<organization /></author>
<date year='2006' month='August' />
<abstract>
<t>This document defines a simple clear-text user/password Simple Authentication and Security Layer (SASL) mechanism called the PLAIN mechanism. The PLAIN mechanism is intended to be used, in combination with data confidentiality services provided by a lower layer, in protocols that lack a simple password authentication command. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4616' />
<format type='TXT' octets='20270' target='http://www.rfc-editor.org/rfc/rfc4616.txt' />
</reference>
<reference anchor='RFC4643'>
<front>
<title>Network News Transfer Protocol (NNTP) Extension for Authentication</title>
<author initials='J.' surname='Vinocur' fullname='J. Vinocur'>
<organization /></author>
<author initials='K.' surname='Murchison' fullname='K. Murchison'>
<organization /></author>
<date year='2006' month='October' />
<abstract>
<t>This document defines an extension to the Network News Transfer Protocol (NNTP) that allows a client to indicate an authentication mechanism to the server, to perform an authentication protocol exchange, and optionally to negotiate a security layer for subsequent protocol interactions during the remainder of an NNTP session.</t><t> This document updates and formalizes the AUTHINFO USER/PASS authentication method specified in RFC 2980 and deprecates the AUTHINFO SIMPLE and AUTHINFO GENERIC authentication methods. Additionally, this document defines a profile of the Simple Authentication and Security Layer (SASL) for NNTP. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4643' />
<format type='TXT' octets='51411' target='http://www.rfc-editor.org/rfc/rfc4643.txt' />
</reference>
<reference anchor='RFC4683'>
<front>
<title>Internet X.509 Public Key Infrastructure Subject Identification Method (SIM)</title>
<author initials='J.' surname='Park' fullname='J. Park'>
<organization /></author>
<author initials='J.' surname='Lee' fullname='J. Lee'>
<organization /></author>
<author initials='H..' surname='Lee' fullname='H.. Lee'>
<organization /></author>
<author initials='S.' surname='Park' fullname='S. Park'>
<organization /></author>
<author initials='T.' surname='Polk' fullname='T. Polk'>
<organization /></author>
<date year='2006' month='October' />
<abstract>
<t>This document defines the Subject Identification Method (SIM) for including a privacy-sensitive identifier in the subjectAltName extension of a certificate.</t><t> The SIM is an optional feature that may be used by relying parties to determine whether the subject of a particular certificate is also the person corresponding to a particular sensitive identifier. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4683' />
<format type='TXT' octets='41285' target='http://www.rfc-editor.org/rfc/rfc4683.txt' />
</reference>
<reference anchor='RFC4690'>
<front>
<title>Review and Recommendations for Internationalized Domain Names (IDNs)</title>
<author initials='J.' surname='Klensin' fullname='J. Klensin'>
<organization /></author>
<author initials='P.' surname='Faltstrom' fullname='P. Faltstrom'>
<organization /></author>
<author initials='C.' surname='Karp' fullname='C. Karp'>
<organization /></author>
<author>
<organization>IAB</organization></author>
<date year='2006' month='September' />
<abstract>
<t>This note describes issues raised by the deployment and use of Internationalized Domain Names. It describes problems both at the time of registration and for use of those names in the DNS. It recommends that IETF should update the RFCs relating to IDNs and a framework to be followed in doing so, as well as summarizing and identifying some work that is required outside the IETF. In particular, it proposes that some changes be investigated for the Internationalizing Domain Names in Applications (IDNA) standard and its supporting tables, based on experience gained since those standards were completed. This memo provides information for the Internet community.</t></abstract></front>
<seriesInfo name='RFC' value='4690' />
<format type='TXT' octets='100929' target='http://www.rfc-editor.org/rfc/rfc4690.txt' />
</reference>
<reference anchor='RFC4790'>
<front>
<title>Internet Application Protocol Collation Registry</title>
<author initials='C.' surname='Newman' fullname='C. Newman'>
<organization /></author>
<author initials='M.' surname='Duerst' fullname='M. Duerst'>
<organization /></author>
<author initials='A.' surname='Gulbrandsen' fullname='A. Gulbrandsen'>
<organization /></author>
<date year='2007' month='March' />
<abstract>
<t>Many Internet application protocols include string-based lookup, searching, or sorting operations. However, the problem space for searching and sorting international strings is large, not fully explored, and is outside the area of expertise for the Internet Engineering Task Force (IETF). Rather than attempt to solve such a large problem, this specification creates an abstraction framework so that application protocols can precisely identify a comparison function, and the repertoire of comparison functions can be extended in the future. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4790' />
<format type='TXT' octets='55591' target='http://www.rfc-editor.org/rfc/rfc4790.txt' />
</reference>
<reference anchor='RFC4954'>
<front>
<title>SMTP Service Extension for Authentication</title>
<author initials='R.' surname='Siemborski' fullname='R. Siemborski'>
<organization /></author>
<author initials='A.' surname='Melnikov' fullname='A. Melnikov'>
<organization /></author>
<date year='2007' month='July' />
<abstract>
<t>This document defines a Simple Mail Transport Protocol (SMTP) extension whereby an SMTP client may indicate an authentication mechanism to the server, perform an authentication protocol exchange, and optionally negotiate a security layer for subsequent protocol interactions during this session. This extension includes a profile of the Simple Authentication and Security Layer (SASL) for SMTP.</t><t> This document obsoletes RFC 2554. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='4954' />
<format type='TXT' octets='43493' target='http://www.rfc-editor.org/rfc/rfc4954.txt' />
</reference>
<reference anchor='RFC5034'>
<front>
<title>The Post Office Protocol (POP3) Simple Authentication and Security Layer (SASL) Authentication Mechanism</title>
<author initials='R.' surname='Siemborski' fullname='R. Siemborski'>
<organization /></author>
<author initials='A.' surname='Menon-Sen' fullname='A. Menon-Sen'>
<organization /></author>
<date year='2007' month='July' />
<abstract>
<t>This document defines a profile of the Simple Authentication and Security Layer (SASL) for the Post Office Protocol (POP3). This extension allows a POP3 client to indicate an authentication mechanism to the server, perform an authentication protocol exchange, and optionally negotiate a security layer for subsequent protocol interactions during this session.</t><t> This document seeks to consolidate the information related to POP3 AUTH into a single document. To this end, this document obsoletes and replaces RFC 1734, and updates the information contained in Section 6.3 of RFC 2449. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='5034' />
<format type='TXT' octets='24170' target='http://www.rfc-editor.org/rfc/rfc5034.txt' />
</reference>
<reference anchor='RFC5051'>
<front>
<title>i;unicode-casemap - Simple Unicode Collation Algorithm</title>
<author initials='M.' surname='Crispin' fullname='M. Crispin'>
<organization /></author>
<date year='2007' month='October' />
<abstract>
<t>This document describes "i;unicode-casemap", a simple case-insensitive collation for Unicode strings. It provides equality, substring, and ordering operations. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='5051' />
<format type='TXT' octets='14965' target='http://www.rfc-editor.org/rfc/rfc5051.txt' />
</reference>
<reference anchor='RFC5054'>
<front>
<title>Using the Secure Remote Password (SRP) Protocol for TLS Authentication</title>
<author initials='D.' surname='Taylor' fullname='D. Taylor'>
<organization /></author>
<author initials='T.' surname='Wu' fullname='T. Wu'>
<organization /></author>
<author initials='N.' surname='Mavrogiannopoulos' fullname='N. Mavrogiannopoulos'>
<organization /></author>
<author initials='T.' surname='Perrin' fullname='T. Perrin'>
<organization /></author>
<date year='2007' month='November' />
<abstract>
<t>This memo presents a technique for using the Secure Remote Password protocol as an authentication method for the Transport Layer Security protocol. This memo provides information for the Internet community.</t></abstract></front>
<seriesInfo name='RFC' value='5054' />
<format type='TXT' octets='44445' target='http://www.rfc-editor.org/rfc/rfc5054.txt' />
</reference>
<reference anchor='RFC5122'>
<front>
<title>Internationalized Resource Identifiers (IRIs) and Uniform Resource Identifiers (URIs) for the Extensible Messaging and Presence Protocol (XMPP)</title>
<author initials='P.' surname='Saint-Andre' fullname='P. Saint-Andre'>
<organization /></author>
<date year='2008' month='February' />
<abstract>
<t>This document defines the use of Internationalized Resource Identifiers (IRIs) and Uniform Resource Identifiers (URIs) in identifying or interacting with entities that can communicate via the Extensible Messaging and Presence Protocol (XMPP). [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='5122' />
<format type='TXT' octets='55566' target='http://www.rfc-editor.org/rfc/rfc5122.txt' />
</reference>
<reference anchor='RFC5280'>
<front>
<title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
<author initials='D.' surname='Cooper' fullname='D. Cooper'>
<organization /></author>
<author initials='S.' surname='Santesson' fullname='S. Santesson'>
<organization /></author>
<author initials='S.' surname='Farrell' fullname='S. Farrell'>
<organization /></author>
<author initials='S.' surname='Boeyen' fullname='S. Boeyen'>
<organization /></author>
<author initials='R.' surname='Housley' fullname='R. Housley'>
<organization /></author>
<author initials='W.' surname='Polk' fullname='W. Polk'>
<organization /></author>
<date year='2008' month='May' />
<abstract>
<t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='5280' />
<format type='TXT' octets='352580' target='http://www.rfc-editor.org/rfc/rfc5280.txt' />
</reference>
<reference anchor='RFC5456'>
<front>
<title>IAX: Inter-Asterisk eXchange Version 2</title>
<author initials='M.' surname='Spencer' fullname='M. Spencer'>
<organization /></author>
<author initials='B.' surname='Capouch' fullname='B. Capouch'>
<organization /></author>
<author initials='E.' surname='Guy' fullname='E. Guy'>
<organization /></author>
<author initials='F.' surname='Miller' fullname='F. Miller'>
<organization /></author>
<author initials='K.' surname='Shumard' fullname='K. Shumard'>
<organization /></author>
<date year='2010' month='February' />
<abstract>
<t>This document describes IAX, the Inter-Asterisk eXchange protocol, an application-layer control and media protocol for creating, modifying, and terminating multimedia sessions over Internet Protocol (IP) networks. IAX was developed by the open source community for the Asterisk Private Branch Exchange (PBX) and is targeted primarily at Voice over Internet Protocol (VoIP) call control, but it can be used with streaming video or any other type of multimedia.</t><t> IAX is an "all in one" protocol for handling multimedia in IP networks. It combines both control and media services in the same protocol. In addition, IAX uses a single UDP data stream on a static port greatly simplifying Network Address Translation (NAT) gateway traversal, eliminating the need for other protocols to work around NAT, and simplifying network and firewall management. IAX employs a compact encoding that decreases bandwidth usage and is well suited for Internet telephony service. In addition, its open nature permits new payload type additions needed to support additional services. This document is not an Internet Standards Track specification; it is published for informational purposes.</t></abstract></front>
<seriesInfo name='RFC' value='5456' />
<format type='TXT' octets='226083' target='http://www.rfc-editor.org/rfc/rfc5456.txt' />
</reference>
<reference anchor='RFC5661'>
<front>
<title>Network File System (NFS) Version 4 Minor Version 1 Protocol</title>
<author initials='S.' surname='Shepler' fullname='S. Shepler'>
<organization /></author>
<author initials='M.' surname='Eisler' fullname='M. Eisler'>
<organization /></author>
<author initials='D.' surname='Noveck' fullname='D. Noveck'>
<organization /></author>
<date year='2010' month='January' />
<abstract>
<t>This document describes the Network File System (NFS) version 4 minor version 1, including features retained from the base protocol (NFS version 4 minor version 0, which is specified in RFC 3530) and protocol extensions made subsequently. Major extensions introduced in NFS version 4 minor version 1 include Sessions, Directory Delegations, and parallel NFS (pNFS). NFS version 4 minor version 1 has no dependencies on NFS version 4 minor version 0, and it is considered a separate protocol. Thus, this document neither updates nor obsoletes RFC 3530. NFS minor version 1 is deemed superior to NFS minor version 0 with no loss of functionality, and its use is preferred over version 0. Both NFS minor versions 0 and 1 can be used simultaneously on the same network, between the same client and server. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='5661' />
<format type='TXT' octets='1517771' target='http://www.rfc-editor.org/rfc/rfc5661.txt' />
</reference>
<reference anchor='RFC5802'>
<front>
<title>Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms</title>
<author initials='C.' surname='Newman' fullname='C. Newman'>
<organization /></author>
<author initials='A.' surname='Menon-Sen' fullname='A. Menon-Sen'>
<organization /></author>
<author initials='A.' surname='Melnikov' fullname='A. Melnikov'>
<organization /></author>
<author initials='N.' surname='Williams' fullname='N. Williams'>
<organization /></author>
<date year='2010' month='July' />
<abstract>
<t>The secure authentication mechanism most widely deployed and used by Internet application protocols is the transmission of clear-text passwords over a channel protected by Transport Layer Security (TLS). There are some significant security concerns with that mechanism, which could be addressed by the use of a challenge response authentication mechanism protected by TLS. Unfortunately, the challenge response mechanisms presently on the standards track all fail to meet requirements necessary for widespread deployment, and have had success only in limited use.</t><t> This specification describes a family of Simple Authentication and Security Layer (SASL; RFC 4422) authentication mechanisms called the Salted Challenge Response Authentication Mechanism (SCRAM), which addresses the security concerns and meets the deployability requirements. When used in combination with TLS or an equivalent security layer, a mechanism from this family could improve the status quo for application protocol authentication and provide a suitable choice for a mandatory-to-implement mechanism for future application protocol standards. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='5802' />
<format type='TXT' octets='59049' target='http://www.rfc-editor.org/rfc/rfc5802.txt' />
</reference>
<reference anchor='RFC5804'>
<front>
<title>A Protocol for Remotely Managing Sieve Scripts</title>
<author initials='A.' surname='Melnikov' fullname='A. Melnikov'>
<organization /></author>
<author initials='T.' surname='Martin' fullname='T. Martin'>
<organization /></author>
<date year='2010' month='July' />
<abstract>
<t>Sieve scripts allow users to filter incoming email. Message stores are commonly sealed servers so users cannot log into them, yet users must be able to update their scripts on them. This document describes a protocol "ManageSieve" for securely managing Sieve scripts on a remote server. This protocol allows a user to have multiple scripts, and also alerts a user to syntactically flawed scripts. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='5804' />
<format type='TXT' octets='103194' target='http://www.rfc-editor.org/rfc/rfc5804.txt' />
</reference>
<reference anchor='RFC5890'>
<front>
<title>Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework</title>
<author initials='J.' surname='Klensin' fullname='J. Klensin'>
<organization /></author>
<date year='2010' month='August' />
<abstract>
<t>This document is one of a collection that, together, describe the protocol and usage context for a revision of Internationalized Domain Names for Applications (IDNA), superseding the earlier version. It describes the document collection and provides definitions and other material that are common to the set. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='5890' />
<format type='TXT' octets='54245' target='http://www.rfc-editor.org/rfc/rfc5890.txt' />
</reference>
<reference anchor='RFC5891'>
<front>
<title>Internationalized Domain Names in Applications (IDNA): Protocol</title>
<author initials='J.' surname='Klensin' fullname='J. Klensin'>
<organization /></author>
<date year='2010' month='August' />
<abstract>
<t>This document is the revised protocol definition for Internationalized Domain Names (IDNs). The rationale for changes, the relationship to the older specification, and important terminology are provided in other documents. This document specifies the protocol mechanism, called Internationalized Domain Names in Applications (IDNA), for registering and looking up IDNs in a way that does not require changes to the DNS itself. IDNA is only meant for processing domain names, not free text. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='5891' />
<format type='TXT' octets='38105' target='http://www.rfc-editor.org/rfc/rfc5891.txt' />
</reference>
<reference anchor='RFC5892'>
<front>
<title>The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)</title>
<author initials='P.' surname='Faltstrom' fullname='P. Faltstrom'>
<organization /></author>
<date year='2010' month='August' />
<abstract>
<t>This document specifies rules for deciding whether a code point, considered in isolation or in context, is a candidate for inclusion in an Internationalized Domain Name (IDN).</t><t> It is part of the specification of Internationalizing Domain Names in Applications 2008 (IDNA2008). [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='5892' />
<format type='TXT' octets='187370' target='http://www.rfc-editor.org/rfc/rfc5892.txt' />
</reference>
<reference anchor='RFC5893'>
<front>
<title>Right-to-Left Scripts for Internationalized Domain Names for Applications (IDNA)</title>
<author initials='H.' surname='Alvestrand' fullname='H. Alvestrand'>
<organization /></author>
<author initials='C.' surname='Karp' fullname='C. Karp'>
<organization /></author>
<date year='2010' month='August' />
<abstract>
<t>The use of right-to-left scripts in Internationalized Domain Names (IDNs) has presented several challenges. This memo provides a new Bidi rule for Internationalized Domain Names for Applications (IDNA) labels, based on the encountered problems with some scripts and some shortcomings in the 2003 IDNA Bidi criterion. [STANDARDS TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='5893' />
<format type='TXT' octets='38870' target='http://www.rfc-editor.org/rfc/rfc5893.txt' />
</reference>
<reference anchor='RFC5894'>
<front>
<title>Internationalized Domain Names for Applications (IDNA): Background, Explanation, and Rationale</title>
<author initials='J.' surname='Klensin' fullname='J. Klensin'>
<organization /></author>
<date year='2010' month='August' />
<abstract>
<t>Several years have passed since the original protocol for Internationalized Domain Names (IDNs) was completed and deployed. During that time, a number of issues have arisen, including the need to update the system to deal with newer versions of Unicode. Some of these issues require tuning of the existing protocols and the tables on which they depend. This document provides an overview of a revised system and provides explanatory material for its components. This document is not an Internet Standards Track specification; it is published for informational purposes.</t></abstract></front>
<seriesInfo name='RFC' value='5894' />
<format type='TXT' octets='115174' target='http://www.rfc-editor.org/rfc/rfc5894.txt' />
</reference>
<reference anchor='RFC5895'>
<front>
<title>Mapping Characters for Internationalized Domain Names in Applications (IDNA) 2008</title>
<author initials='P.' surname='Resnick' fullname='P. Resnick'>
<organization /></author>
<author initials='P.' surname='Hoffman' fullname='P. Hoffman'>
<organization /></author>
<date year='2010' month='September' />
<abstract>
<t>In the original version of the Internationalized Domain Names in Applications (IDNA) protocol, any Unicode code points taken from user input were mapped into a set of Unicode code points that "made sense", and then encoded and passed to the domain name system (DNS). The IDNA2008 protocol (described in RFCs 5890, 5891, 5892, and 5893) presumes that the input to the protocol comes from a set of "permitted" code points, which it then encodes and passes to the DNS, but does not specify what to do with the result of user input. This document describes the actions that can be taken by an implementation between receiving user input and passing permitted code points to the new IDNA protocol. This document is not an Internet Standards Track specification; it is published for informational purposes.</t></abstract></front>
<seriesInfo name='RFC' value='5895' />
<format type='TXT' octets='16556' target='http://www.rfc-editor.org/rfc/rfc5895.txt' />
</reference>
<reference anchor='RFC6452'>
<front>
<title>The Unicode Code Points and Internationalized Domain Names for Applications (IDNA) - Unicode 6.0</title>
<author initials='P.' surname='Faltstrom' fullname='P. Faltstrom'>
<organization /></author>
<author initials='P.' surname='Hoffman' fullname='P. Hoffman'>
<organization /></author>
<date year='2011' month='November' />
<abstract>
<t>This memo documents IETF consensus for Internationalized Domain Names for Applications (IDNA) derived character properties related to the three code points, existing in Unicode 5.2, that changed property values when version 6.0 was released. The consensus is that no update is needed to RFC 5892 based on the changes made in Unicode 6.0. [STANDARDS-TRACK]</t></abstract></front>
<seriesInfo name='RFC' value='6452' />
<format type='TXT' octets='6817' target='http://www.rfc-editor.org/rfc/rfc6452.txt' />
</reference>
<reference anchor='UAX15'>
<front>
<title>Unicode Standard Annex #15: Unicode Normalization Forms</title>
<author fullname='The Unicode Consortium'>
<organization /></author>
<date year='2009' month='September' />
</front>
<seriesInfo name='UAX' value='15' />
<format type='HTML' target='http://www.unicode.org/reports/tr15/tr15-31.html' />
</reference>
<!-- formatted after RFC 5890 -->
<reference anchor='Unicode61' target='http://www.unicode.org/versions/Unicode6.1.0/'>
<front>
<title abbrev='Unicode61'>The Unicode Standard -- Version 6.1</title>
<author>
<organization>The Unicode Consortium. The Unicode Standard,
Version 6.1, defined by:</organization>
<address />
</author>
<date year='2009' month='September' />
</front>
<seriesInfo name='(Mountain View, CA: The Unicode Consortium, 2012.' value='ISBN 978-1-936213-02-3)' />
</reference>
<!-- This reference format needs help. RFC Editor? -->
<reference anchor="ietf78precis"
target="http://www.ietf.org/proceedings/78/slides/precis-2.pdf">
<front>
<title abbrev="IETF78PRECIS">PRECIS Framework</title>
<author initials="M" surname="Blanchet" fullname="Marc Blanchet">
<organization />
<address />
</author>
<date year="2010" month="July" />
</front>
<seriesInfo name="Proceedings of the Seventy-Eighth Internet
Engineering Task Force"
value="https://www.ietf.org/proceedings/78/" />
</reference>
<reference anchor='RFC0952'>
<front>
<title>DoD Internet host table specification</title>
<author initials='K.' surname='Harrenstien' fullname='K. Harrenstien'>
<organization>SRI International</organization></author>
<author initials='M.' surname='Stahl' fullname='M. Stahl'>
<organization>SRI International</organization></author>
<author initials='E.' surname='Feinler' fullname='E. Feinler'>
<organization>SRI International</organization></author>
<date year='1985' day='1' month='October' /></front>
<seriesInfo name='RFC' value='952' />
<format type='TXT' octets='12388' target='ftp://ftp.isi.edu/in-notes/rfc952.txt' />
</reference>
</references>
<section title="Classification of Stringprep Profiles"
anchor="knowncases">
<t>A number of the known cases of Stringprep use were evaluated
during the preparation of this document. The known cases are
here described in two ways. The types of identifiers the
protocol uses is first called out in the ID type column (from
<xref target="buckets" />), using the short forms "a" for
Absolute, "d" for Definite, and "i" for Indefinite. Next, there
is a column that contains an "i" if the protocol string comes
from user input, an "o" if the protocol string becomes
user-facing output, "b" if both are true, and "n" if neither is
true.</t>
<texttable anchor="knowncases_table">
<ttcol align="center">RFC</ttcol>
<ttcol align="center">IDtype</ttcol>
<ttcol align="center">User?</ttcol>
<!-- RFC IDt adi Usr iobn -->
<c>3722</c> <c>a</c> <c>o</c>
<c>3748</c> <c>-</c> <c>-</c>
<c>3920</c> <c>a,d</c> <c>b</c>
<c>4505</c> <c>a</c> <c>i</c>
<c>4314</c> <c>a,d</c> <c>b</c>
<c>4954</c> <c>a,d</c> <c>b</c>
<c>5034</c> <c>a,d</c> <c>b</c>
<c>5804</c> <c>a,d</c> <c>b</c>
</texttable>
</section>
<section title="Evaluation of Stringprep Profiles" anchor="det_discuss">
<t>This section is a summary of evaluation of Stringprep profiles that was done to get a good understanding of the usage of Stringprep. This summary is by no means normative nor the actual evaluations themselves. A template was used for reviewers to get a coherent view of all evaluations.</t>
<section title="iSCSI Stringprep Profiles: RFC3722, RFC3721, RFC3720">
<t><list style="hanging">
<t hangText="Description:"> An iSCSI session consists of an Initiator (i.e., host or server that uses storage) communicating with a target (i.e., a storage array or other system that provides storage). Both the iSCSI initiator and target are named by iSCSI Names. The iSCSI stringprep profile is used for iSCSI names.</t>
<t hangText="How it is used">iSCSI initiators and targets (see above). They can also be used to identify SCSI ports (these are software entities in the iSCSI protocol, not hardware ports), and iSCSI logical units (storage volumes), although both are unusual in practice.</t>
<t hangText="What entities create these identifiers?">Generally a Human user (1) configures an Automated system (2) that generates the names. Advance configuration of the system is required due to the embedded use of external
unique identifier (from the DNS or IEEE).</t>
<t hangText="How is the string input in the system?">Keyboard and copy-paste are common. Copy-paste is common because iSCSI names are long enough to be problematic for humans to remember, causing use of email, sneaker-net, text files, etc. to avoid mistype mistakes.</t>
<t hangText="Where do we place the dividing line between user interface and protocol?"> The iSCSI protocol requires that all internationalization string preparation occur in the user interface. The iSCSI protocol treats iSCSI names as opaque identifiers that are compared byte-by-byte for equality. iSCSI names are generally not checked for correct formatting by the protocol.</t>
<t hangText="What entities enforce the rules?"> There are no iSCSI-specific enforcement entities, although the use of unique identifier information in the names relies on DNS registrars and the IEEE Registration Authority.</t>
<t hangText="Comparison">Byte-by-byte</t>
<t hangText="Case Folding, Sensitivity, Preservation"> Case folding is required for the code blocks specified in RFC 3454, Table B.2. The overall iSCSI naming system (UI + protocol) is case-insensitive.</t>
<t hangText="What is the impact if the comparison results in a false positive?"> Potential access to the wrong storage. - If the initiator has no access to the wrong storage, an authentication failure is the probable result. - If the initiator has access to the worng storage, the resulting mis-identificaiton could result in use of the wrong data and possible corruption of stored data.</t>
<t hangText="What is the impact if the comparison results in a false negative?">Denial of authorized storage access.</t>
<t hangText="What are the security impacts?">iSCSI names are often used as the authentication identities for storage systems. Comparison problems could result in authentication problems, although note that authentication failure ameliorates some of the false positive cases.</t>
<t hangText="Normalization">NFKC, as specified by RFC 3454.</t>
<t hangText="Mapping">Yes, as specified by table B.1 in RFC 3454</t>
<t hangText="Disallowed Characters">Only the following characters are allowed:
- ASCII dash, dot, colon
- ASCII lower case letters and digits
- Unicode lower case characters as specified by RFC 3454
All other characters are disallowed.</t>
<t hangText="Which other strings or identifiers are these most similar to?">None - iSCSI names are unique to iSCSI.</t>
<t hangText="Are these strings or identifiers sometimes the same as strings or identifiers from other protocols?">No</t>
<t hangText="Does the identifier have internal structure that needs to be respected?">Yes - ASCII dot, dash and colon are used for internal name structure. These are not reserved characters in that they can occur in the name in locations other than those used for structuring purposes (e.g., only the first occurrence of a colon character is structural, others are not).</t>
<t hangText="How are users exposed to these strings? How are they published?">iSCSI names appear in server and storage system configuration interfaces. They also appear in system logs.</t>
<t hangText="Is the string / identifier used as input to other operations? ">Effectively, no. The rarely used port and logical unit names involve concatenation, which effectively extends a unique iSCSI Name for a target to uniquely identify something within that target.</t>
<t hangText="How much tolerance for change from existing stringprep approach?">Good tolerance; the community would prefer that internationalization experts solve internationalization problems ;-).</t>
<t hangText="How strong a desire for change (e.g., for Unicode agility)?"> Unicode agility is desired in principle as long as nothing significant breaks.</t>
</list></t>
</section>
<section title="SMTP/POP3/ManageSieve Stringprep Profiles: RFC4954,RFC5034,RFC 5804">
<t><list style="hanging">
<t hangText="Description:">Authorization identity (user identifier) exchanged during SASL authentication: AUTH (SMTP/POP3) or AUTHENTICATE (ManageSieve) command.</t>
<t hangText="How It's Used:">Used for proxy authorization, e.g. to [lawfully] impersonate a particular user after a privileged authentication</t>
<t hangText="Who Generates It:"> Typically generated by email system administrators using some tools/conventions, sometimes from some backend database.
- In some setups human users can register own usernames (e.g. webmail self registration)</t>
<t hangText="User Input Methods:"> - Typed by user / selected from a list - Copy-and-paste - Perhaps voice input - Can also be specified in configuration files or on a command line </t>
<t hangText="Enforcement:"> - Rules enforced by server / add-on service (e.g., gateway service) on registration of account</t>
<t hangText="Comparison Method:">"Type 1" (byte-for-byte) or "type 2" (compare by a common algorithm that everyone agrees on (e.g., normalize and then compare the result byte-by-byte))</t>
<t hangText="Case Folding, Sensitivity, Preservation:"> Most likely case sensitive. Exact requirements on case-sensitivity/case-preservation depend on a specific implementation, e.g. an implementation might treat all user identifiers as case insensitive (or case insensitive for US-ASCII subset only).</t>
<t hangText="Impact of Comparison:">False positives: - an unauthorized user is allowed email service access (login) False negatives: - an authorized user is denied email service access</t>
<t hangText="Normalization:">NFKC (as per RFC 4013)</t>
<t hangText="Mapping:"> (see Section 2 of RFC 4013 for the full list): Non ASCII spaces are mapped to space, etc.</t>
<t hangText="Disallowed Characters:"> (see Section 2 of RFC 4013 for the full list): Unicode Control characters, etc.</t>
<t hangText="String Classes:"> - simple username. See Section 2 of RFC 4013 for details on restrictions. Note that some implementations allow spaces in these. While implementations are not required to use a specific format, an authorization identity frequently has the same format as an email address (and EAI email address in the future), or as a left hand side of an email address. Note: whatever is recommended for SMTP/POP/ManageSieve authorization identity should also be used for IMAP authorization identities, as IMAP/POP3/SMTP/ManageSieve are frequently implemented together.</t>
<t hangText="Internal Structure:">None</t>
<t hangText="User Output:">Unlikely, but possible. For example, if it is the same as an email address.</t>
<t hangText="Operations:"> - Sometimes concatenated with other data and then used as input to a cryptographic hash function</t>
<t hangText="How much tolerance for change from existing stringprep approach?">Not sure.</t>
<t hangText="Background information:">
In RFC 5034, when describing the POP3 AUTH command:
The authorization identity generated by the SASL exchange is a
simple username, and SHOULD use the SASLprep profile (see
[RFC4013]) of the StringPrep algorithm (see [RFC3454]) to
prepare these names for matching. If preparation of the
authorization identity fails or results in an empty string
(unless it was transmitted as the empty string), the server
MUST fail the authentication.
In RFC 4954, when describing the SMTP AUTH command:
The authorization identity generated by this [SASL] exchange
is a "simple username" (in the sense defined in [SASLprep]),
and both client and server SHOULD (*) use the [SASLprep]
profile of the [StringPrep] algorithm to prepare these names
for transmission or comparison. If preparation of the
authorization identity fails or results in an empty string
(unless it was transmitted as the empty string), the server
MUST fail the authentication.
(*) Note: Future revision of this specification may change this
requirement to MUST. Currently, the SHOULD is used in order to
avoid breaking the majority of existing implementations.
In RFC 5804, when describing the ManageSieve AUTHENTICATE command:
The authorization identity generated by this [SASL] exchange is a
"simple username" (in the sense defined in [SASLprep]), and both
client and server MUST use the [SASLprep] profile of the [StringPrep]
algorithm to prepare these names for transmission or comparison. If
preparation of the authorization identity fails or results in an
empty string (unless it was transmitted as the empty string), the
server MUST fail the authentication.</t>
</list></t>
</section>
<section title="IMAP Stringprep Profiles: RFC5738, RFC4314: Usernames">
<t>
<list style="hanging">
<t hangText="Evaluation Note">These documents have 2 types of strings (usernames and passwords), so there are two separate templates.</t>
<t hangText="Description:">"username" parameter to the IMAP LOGIN command, identifiers in IMAP ACL commands. Note that any valid username is also an IMAP ACL identifier, but IMAP ACL identifiers can include other things like name of group of users.</t>
<t hangText="How It's Used:">Used for authentication (Usernames), or in IMAP Access Control Lists (Usernames or Group names)</t>
<t hangText="Who Generates It:">- Typically generated by email system administrators using some tools/conventions, sometimes from some backend database. - In some setups human users can register own usernames (e.g. webmail self registration)</t>
<t hangText="User Input Methods:"> - Typed by user / selected from a list - Copy-and-paste - Perhaps voice input - Can also be specified in configuration files or on a command line</t>
<t hangText="Enforcement:"> - Rules enforced by server / add-on service (e.g., gateway service) on registration of account</t>
<t hangText="Comparison Method:"> Type 1" (byte-for-byte) or "type 2" (compare by a common algorithm that everyone agrees on (e.g., normalize and then compare the result byte-by-byte))</t>
<t hangText="Case Folding, Sensitivity, Preservation:">- Most likely case sensitive. Exact requirements on case-sensitivity/case-preservation depend on a specific implementation, e.g. an implementation might treat all user identifiers as case insensitive (or case insensitive for US-ASCII subset only).</t>
<t hangText="Impact of Comparison:"> False positives:
- an unauthorized user is allowed IMAP access (login)
- improperly grant privileges (e.g., access to a specific mailbox, ability to manage ACLs for a mailbox)
False negatives:
- an authorized user is denied IMAP access
- unable to use granted privileges (e.g., access to a specific mailbox, ability to manage ACLs for a mailbox)</t>
<t hangText="Normalization:">NFKC (as per RFC 4013)</t>
<t hangText="Mapping:">(see Section 2 of RFC 4013 for the full list): non ASCII spaces are mapped to space</t>
<t hangText="Disallowed Characters:">(see Section 2 of RFC 4013 for the full list): Unicode Control characters, etc.</t>
<t hangText="String Classes:">- simple username. See Section 2 of RFC 4013 for details on restrictions. Note that some implementations allow spaces in these. While IMAP implementations are not required to use a specific format, an IMAP username frequently has the same format as an email address (and EAI email address in the future), or as a left hand side of an email address. Note: whatever is recommended for IMAP username should also be used for ManageSieve, POP3 and SMTP authorization identities, as IMAP/POP3/SMTP/ManageSieve are frequently implemented together.</t>
<t hangText="Internal Structure:">None</t>
<t hangText="User Output:">Unlikely, but possible. For example, if it is the same as an email address.
- access control lists (e.g. in IMAP ACL extension), both when managing membership and listing membership of existing access control lists.
- often show up as mailbox names (under Other Users IMAP namespace)</t>
<t hangText="Operations:"> - Sometimes concatenated with other data and then used as input to a cryptographic hash function</t>
<t hangText="How much tolerance for change from existing stringprep approach?">Not sure. Non-ASCII IMAP usernames are currently prohibited by IMAP (RFC 3501). However they are allowed when used in IMAP ACL extension.</t>
</list></t>
</section>
<section title="IMAP Stringprep Profiles: RFC5738: Passwords">
<t>
<list style="hanging">
<t hangText="Description:">"Password" parameter to the IMAP LOGIN command </t>
<t hangText="How It's Used:">Used for authentication (Passwords)</t>
<t hangText="Who Generates It:">Either generated by email system administrators using some tools/conventions, or specified by the human user.</t>
<t hangText="User Input Methods:"> - Typed by user - Copy-and-paste - Perhaps voice input - Can also be specified in configuration files or on a command line </t>
<t hangText="Enforcement:">Rules enforced by server / add-on service (e.g., gateway service or backend databse) on registration of account</t>
<t hangText="Comparison Method:">"Type 1" (byte-for-byte)</t>
<t hangText="Case Folding, Sensitivity, Preservation:">Most likely case sensitive.</t>
<t hangText="Impact of Comparison:"> False positives: - an unauthorized user is allowed IMAP access (login)
False negatives:
- an authorized user is denied IMAP access</t>
<t hangText="Normalization:">NFKC (as per RFC 4013)</t>
<t hangText="Mapping:">(see Section 2 of RFC 4013 for the full list): non ASCII spaces are mapped to space</t>
<t hangText="Disallowed Characters:"> (see Section 2 of RFC 4013 for the full list): Unicode Control characters, etc.</t>
<t hangText="String Classes:">Currently defined as "simple username" (see Section 2 of RFC 4013 for details on restrictions.), however this is likely to be a different class from usernames. Note that some implementations allow spaces in these. Password in all email related protocols should be treated in the same way. Same passwords are frequently shared with web, IM, etc. applications.</t>
<t hangText="Internal Structure:">None</t>
<t hangText="User Output:"> - text of email messages (e.g. in "you forgot your password" email messages) - web page / directory - side of the bus / in ads -- possible</t>
<t hangText="Operations:">Sometimes concatenated with other data and then used as input to a cryptographic hash function. Frequently stored as is, or hashed.</t>
<t hangText="How much tolerance for change from existing stringprep approach?"> Not sure. Non-ASCII IMAP passwords are currently prohibited by IMAP (RFC 3501), however they are likely to be in widespread use.</t>
<t hangText="Background information:">
RFC 5738 (IMAP INTERNATIONALIZATION):
5. UTF8=USER Capability
If the "UTF8=USER" capability is advertised, that indicates the
server accepts UTF-8 user names and passwords and applies SASLprep
[RFC4013] to both arguments of the LOGIN command. The server MUST
reject UTF-8 that fails to comply with the formal syntax in RFC 3629
[RFC3629] or if it encounters Unicode characters listed in Section
2.3 of SASLprep RFC 4013 [RFC4013].
RFC 4314 (IMAP4 Access Control List (ACL) Extension):
3. Access control management commands and responses
Servers, when processing a command that has an identifier as a
parameter (i.e., any of SETACL, DELETEACL, and LISTRIGHTS commands),
SHOULD first prepare the received identifier using "SASLprep" profile
[SASLprep] of the "stringprep" algorithm [Stringprep]. If the
preparation of the identifier fails or results in an empty string,
the server MUST refuse to perform the command with a BAD response.
Note that Section 6 recommends additional identifier's verification
steps.
and in Section 6:
This document relies on [SASLprep] to describe steps required to
perform identifier canonicalization (preparation). The preparation
algorithm in SASLprep was specifically designed such that its output
is canonical, and it is well-formed. However, due to an anomaly
[PR29] in the specification of Unicode normalization, canonical
equivalence is not guaranteed for a select few character sequences.
Identifiers prepared with SASLprep can be stored and returned by an
ACL server. The anomaly affects ACL manipulation and evaluation of
identifiers containing the selected character sequences. These
sequences, however, do not appear in well-formed text. In order to
address this problem, an ACL server MAY reject identifiers containing
sequences described in [PR29] by sending the tagged BAD response.
This is in addition to the requirement to reject identifiers that
fail SASLprep preparation as described in Section 3.</t>
</list>
</t>
</section>
<section title="Anonymous SASL Stringprep Profiles: RFC4505">
<t><list style="hanging">
<t hangText="Description:">RFC 4505 defines a "trace" field:</t>
<t hangText="Comparison:">this field is not intended for comparison (only used for logging)</t>
<t hangText="Case folding; case sensitivity, preserve case:">No case folding/case sensitive</t>
<t hangText="Do users input the strings directly?">Yes. Possibly entered in configuration UIs, or on a command line. Can
also be stored in configuration files. The value can also be automatically generated by clients (e.g. a fixed string is used, or a user's email address).
</t>
<t hangText="How users input strings?">Keyboard/voice, stylus (pick from a list). Copy-paste - possibly.</t>
<t hangText="Normalization:">None</t>
<t hangText="Disallowed Characters">Control characters are disallowed. (See Section 3 of RFC 4505)</t>
<t hangText="Which other strings or identifiers are these most similar to?">
RFC 4505 says that the trace "should take one of two forms: an Internet
email address, or an opaque string that does not contain the '@'
U+0040) character and that can be interpreted by the system
administrator of the client's domain."
In practice, this is a freeform text, so it belongs to a different class from "email address" or "username".</t>
<t hangText="Are these strings or identifiers sometimes the same as strings or identifiers from other protocols (e.g., does an IM system sometimes use the same credentials database for authentication as an email system)?">
Yes: see above. However there is no strong need to keep them consistent in the future.
</t>
<t hangText="How are users exposed to these strings, how are they published?">No. However, The value can be seen in server logs</t>
<t hangText="Impacts of false positives and false negatives:">
False positive: a user can be confused with another user.
False negative: two distinct users are treated as the same user.
But note that the trace field is not authenticated, so it can be easily falsified.</t>
<t hangText="Tolerance of changes in the community">The community would be flexible.</t>
<t hangText="Delimiters">No internal structure, but see comments above about frequent use of
email addresses.</t>
<t hangText="Background information:">The Anonymous Mechanism
The mechanism consists of a single message from the client to the
server. The client may include in this message trace information in
the form of a string of [UTF-8]-encoded [Unicode] characters prepared
in accordance with [StringPrep] and the "trace" stringprep profile
defined in Section 3 of this document. The trace information, which
has no semantical value, should take one of two forms: an Internet
email address, or an opaque string that does not contain the '@'
(U+0040) character and that can be interpreted by the system
administrator of the client's domain. For privacy reasons, an
Internet email address or other information identifying the user
should only be used with permission from the user.
3. The "trace" Profile of "Stringprep"
This section defines the "trace" profile of [StringPrep]. This
profile is designed for use with the SASL ANONYMOUS Mechanism.
Specifically, the client is to prepare the message production in
accordance with this profile.
The character repertoire of this profile is Unicode 3.2 [Unicode].
No mapping is required by this profile.
No Unicode normalization is required by this profile.
The list of unassigned code points for this profile is that provided
in Appendix A of [StringPrep]. Unassigned code points are not
prohibited.
Characters from the following tables of [StringPrep] are prohibited:
- C.2.1 (ASCII control characters)
- C.2.2 (Non-ASCII control characters)
- C.3 (Private use characters)
- C.4 (Non-character code points)
- C.5 (Surrogate codes)
- C.6 (Inappropriate for plain text)
- C.8 (Change display properties are deprecated)
- C.9 (Tagging characters)
No additional characters are prohibited.
This profile requires bidirectional character checking per Section 6
of [StringPrep].</t>
</list></t>
</section>
<section title="XMPP Stringprep Profiles: RFC3920 Nodeprep">
<t><list style="hanging">
<t hangText="Description:">Localpart of JabberID ("JID"), as in: localpart@domainpart/resourcepart</t>
<t hangText="How It's Used:">
- Usernames (e.g., stpeter@jabber.org)
- Chatroom names (e.g., precis@jabber.ietf.org)
- Publish-subscribe nodes
- Bot names</t>
<t hangText="Who Generates It:">- Typically, end users via an XMPP client
- Sometimes created in an automated fashion</t>
<t hangText="User Input Methods:">
- Typed by user
- Copy-and-paste
- Perhaps voice input
- Clicking a URI/IRI</t>
<t hangText="Enforcement:">
- Rules enforced by server / add-on service (e.g., chatroom
service) on registration of account, creation of room, etc.</t>
<t hangText="Comparison Method:">"Type 2" (common algorithm)</t>
<t hangText="Case Folding, Sensitivity, Preservation:">
- Strings are always folded to lowercase
- Case is not preserved</t>
<t hangText="Impact of Comparison:">
False positives:
- unable to authenticate at server
(or authenticate to wrong account)
- add wrong person to buddy list
- join the wrong chatroom
- improperly grant privileges (e.g., chatroom admin)
- subscribe to wrong pubsub node
- interact with wrong bot
- allow communication with blocked entity
False negatives:
- unable to authenticate
- unable to add someone to buddy list
- unable to join desired chatroom
- unable to use granted privileges (e.g., chatroom admin)
- unable to subscribe to desired pubsub node
- unable to interact with desired bot
- disallow communication with unblocked entity</t>
<t hangText="Normalization:">NFKC</t>
<t hangText="Mapping:">Spaces are mapped to nothing</t>
<t hangText="Disallowed Characters:">",&,',/,:,<,>,@</t>
<t hangText="String Classes:">
- Often similar to generic username
- Often similar to localpart of email address
- Sometimes same as localpart of email address</t>
<t hangText="Internal Structure:">None</t>
<t hangText="User Output:">
- vCard
- email signature
- web page / directory
- text of message (e.g., in a chatroom)</t>
<t hangText="Operations:">
- Sometimes concatenated with other data and then
used as input to a cryptographic hash function</t>
</list></t>
</section>
<section title="XMPP Stringprep Profiles: RFC3920 Resourceprep">
<t>
<list style="hanging">
<t hangText="Description:">
- Resourcepart of JabberID ("JID"), as in:
localpart@domainpart/resourcepart
- Typically free-form text</t>
<t hangText="How It's Used:">
- Device / session names (e.g., stpeter@jabber.org/Home)
- Nicknames (e.g., precis@jabber.ietf.org/StPeter)</t>
<t hangText="Who Generates It:">
- Often human users via an XMPP client
- Often generated in an automated fashion by client or server</t>
<t hangText="User Input Methods:">
- Typed by user
- Copy-and-paste
- Perhaps voice input
- Clicking a URI/IRI</t>
<t hangText="Enforcement:">
- Rules enforced by server / add-on service (e.g., chatroom
service) on account login, joining a chatroom, etc.</t>
<t hangText="Comparison Method:">"Type 2" (byte-for-byte)</t>
<t hangText="Case Folding, Sensitivity, Preservation:">
- Strings are never folded
- Case is preserved</t>
<t hangText="Impact of Comparison:">
False positives:
- interact with wrong device (e.g., for file transfer or voice call)
- interact with wrong chatroom participant
- improperly grant privileges (e.g., chatroom moderator)
- allow communication with blocked entity
False negatives:
- unable to choose desired chatroom nick
- unable to use granted privileges (e.g., chatroom moderator)
- disallow communication with unblocked entity</t>
<t hangText="Normalization:">NFKC</t>
<t hangText="Mapping:">Spaces are mapped to nothing</t>
<t hangText="Disallowed Characters:">None</t>
<t hangText="String Classes:">Basically a free-form identifier</t>
<t hangText="Internal Structure:">None</t>
<t hangText="User Output:">
- text of message (e.g., in a chatroom)
- device names often not exposed to human users</t>
<t hangText="Operations:">Sometimes concatenated with other data and then
used as input to a cryptographic hash function</t>
</list>
</t>
</section>
<section title="EAP Stringprep Profiles: RFC3748">
<t>
<list style="hanging">
<t hangText="Description:">RFC 3748 section 5 references Stringprep,
but the WG did not agree with the text (was added by IESG) and
there are no known implementations that use Stringprep.
The main problem with that text is that the use of strings is a per-method concept,
not a generic EAP concept and so RFC 3748 itself does not really use Stringprep,
but individual EAP methods could. As such, the answers to the template questions
are mostly not applicable, but a few answers are universal across methods.
The list of IANA registered EAP methods is at
http://www.iana.org/assignments/eap-numbers/eap-numbers.xml#eap-numbers-3</t>
<t hangText="Comparison Methods:">n/a (per-method)</t>
<t hangText="Case Folding, Case Sensitivity, Case Preservation:">n/a (per-method)</t>
<t hangText="Impact of comparison:">A false positive results in unauthorized network access (and possibly theft of service if some else is billed).
A false negative results in lack of authorized network access (no connectivity).</t>
<t hangText="User input:"> n/a (per-method)</t>
<t hangText="Normalization:">n/a (per-method)</t>
<t hangText="Mapping:">n/a (per-method)</t>
<t hangText="Disallowed characters:">n/a (per-method)</t>
<t hangText="String classes:">Although some EAP methods may use a syntax similar to other types
of identifiers, EAP mandates that the actual values must not be assumed to be identifiers
usable with anything else.</t>
<t hangText="Internal structure:">n/a (per-method)</t>
<t hangText="User output:">Identifiers are never human displayed except perhaps as they're typed by a human.</t>
<t hangText="Operations:">n/a (per-method)</t>
<t hangText="Community considerations:">
There is no resistance to change for the base EAP protocol
(as noted, the WG didn't want the existing text). However actual use of stringprep,
if any, within specific EAP methods may have resistance. It is currently unknown whether
any EAP methods use stringprep. </t>
</list>
</t>
</section>
</section>
<section title="Changes between versions">
<t>Note to RFC Editor: This section should be removed prior to publication.</t>
<section title="00">
<t>First WG version. Based on
draft-blanchet-precis-problem-statement-00.</t>
</section>
<section title="01">
<t><list style="symbols">
<t>Made clear that the document is talking only about
Unicode code points, and not any particular encoding.</t>
<t>Substantially reorganized the document along the lines of
the review template at <eref
target="http://trac.tools.ietf.org/wg/precis/trac/wiki/StringprepReviewTemplate"
/>.</t>
<t>Included specific questions for each topic for consideration.</t>
<t>Moved spot for individual protocol review to appendix.
Not populated yet.</t>
</list></t>
</section>
<section title="02">
<t><list style="symbols">
<t>Cleared up details of comparison classes</t>
<t>Added a section on changes in Unicode</t>
</list>
</t>
</section>
<section title="03">
<t><list style="symbols">
<t>Aligned comparison discussion with identifier discussion
from draft-iab-identifier-comparison-00</t>
<t>Added section on classes of strings ("Namey" and so
on)</t>
</list></t>
</section>
<section title="04">
<t>Keepalive version</t>
</section>
<section title="05">
<t><list style="symbols">
<t>Changed classes of strings to align with framework doc</t>
<t>Altered table in Appendix A</t>
<t>Added all profiles evaluations from the wg wiki in appendix B</t>
</list></t>
</section>
<section title="06">
<t><list style="symbols">
<t>Respond to comments received in WGLC</t>
<t>Removed classes of strings (also from <xref
target="knowncases" />)</t>
<t>Moved inclusion/exclusion distinction to Introduction</t>
<t>Fix some sentences to clarify terminology and add or fix
references</t>
</list>
</t>
</section>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 12:54:34 |