7 INTERNET-DRAFT Kurt D. Zeilenga
8 Intended Category: Standards Track OpenLDAP Foundation
9 Expires in six months 30 June 2003
12 SASLprep: Stringprep profile for user names and passwords
13 <draft-ietf-sasl-saslprep-03.txt>
18 This document is an Internet-Draft and is in full conformance with all
19 provisions of Section 10 of RFC 2026.
21 This document is intended to be, after appropriate review and
22 revision, submitted to the RFC Editor as a Standards Track document.
23 Distribution of this memo is unlimited. Technical discussion of this
24 document will take place on the IETF SASL mailing list
25 <ietf-sasl@imc.org>. Please send editorial comments directly to the
26 document editor <Kurt@OpenLDAP.org>.
28 Internet-Drafts are working documents of the Internet Engineering Task
29 Force (IETF), its areas, and its working groups. Note that other
30 groups may also distribute working documents as Internet-Drafts.
31 Internet-Drafts are draft documents valid for a maximum of six months
32 and may be updated, replaced, or obsoleted by other documents at any
33 time. It is inappropriate to use Internet-Drafts as reference
34 material or to cite them other than as ``work in progress.''
36 The list of current Internet-Drafts can be accessed at
37 <http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
38 Internet-Draft Shadow Directories can be accessed at
39 <http://www.ietf.org/shadow.html>.
41 Copyright (C) The Internet Society (2003). All Rights Reserved.
43 Please see the Full Copyright section near the end of this document
49 This document describes how to prepare Unicode strings representing
50 user names and passwords for comparison. The document defines the
51 "SASLprep" "stringprep" profile to be used for both user names and
52 passwords. This profile is intended to be used by Simple
53 Authentication and Security Layer (SASL) mechanisms (such as PLAIN,
54 CRAM-MD5, and DIGEST-MD5) as well as other protocols exchanging user
58 Zeilenga SASLprep [Page 1]
60 INTERNET-DRAFT draft-ietf-sasl-saslprep-03.txt 30 June 2003
63 names and/or passwords.
68 The use of simple user names and passwords in authentication and
69 authorization is pervasive on the Internet. To increase the
70 likelihood that user name and password input and comparison work in
71 ways that make sense for typical users throughout the world, this
72 document defines rules for preparing internationalized user names and
73 passwords for comparison. For simplicity and implementation ease, a
74 single algorithm is defined for both user names and passwords.
76 This document defines the "SASLprep" profile of the "stringprep"
77 protocol [StringPrep].
79 The profile is designed for use in Simple Authentication and Security
80 Layer ([SASL]) mechanisms such as [PLAIN]. It may be applicable
81 elsewhere simple user names and passwords are used. This profile is
82 not intended to be used for arbitrary text. This profile is also not
83 intended to be used to prepare identity strings which are not simple
84 user names (e.g., e-mail addresses, domain names, distinguished
88 2. The SASLprep profile
90 This section defines the "SASLprep" profile. This profile is intended
91 to be used to prepare strings representing simple user names and
94 This profile uses Unicode 3.2, as defined in [StringPrep, A.1].
96 Character names in this document use the notation for code points and
97 names from the Unicode Standard [Unicode]. For example, the letter
98 "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.
99 In the lists of mappings and the prohibited characters, the "U+" is
100 left off to make the lists easier to read. The comments for character
101 ranges are shown in square brackets (such as "[CONTROL CHARACTERS]")
102 and do not come from the standard.
104 Note: a glossary of terms used in Unicode can be found in [Glossary].
105 Information on the Unicode character encoding model can be found in
114 Zeilenga SASLprep [Page 2]
116 INTERNET-DRAFT draft-ietf-sasl-saslprep-03.txt 30 June 2003
119 This profile specifies:
120 - non-ASCII space characters [StringPrep, C.1.2] be mapped to SPACE
123 - the "commonly mapped to nothing" characters [StringPrep, B.1] be
130 This profile specifies using Unicode normalization form KC, as
131 described in Section 4 of [StringPrep].
134 2.3. Prohibited Output
136 This profile specifies the following characters:
138 - Non-ASCII space characters [StringPrep, C.1.2],
139 - ASCII control characters [StringPrep, C.2.1],
140 - Non-ASCII control characters [StringPrep, C.2.2],
141 - Private Use [StringPrep, C.3],
142 - Non-character code points [StringPrep, C.4],
143 - Surrogate code points [StringPrep, C.5],
144 - Inappropriate for plain text [StringPrep, C.6],
145 - Inappropriate for canonical representation [StringPrep, C.7],
146 - Change display properties or are deprecated [StringPrep, C.8], and
147 - Tagging characters [StringPrep, C.9].
149 are prohibited output.
152 2.4. Bidirectional characters
154 This profile specifies checking bidirectional strings as described in
155 [StringPrep, Section 6].
158 2.5. Unassigned Code Points
160 This profile specifies [StringPrep, A.1] table as its list of
161 unassigned code points.
164 3. Security Considerations
166 This profile is intended to used to prepare simple user names and
170 Zeilenga SASLprep [Page 3]
172 INTERNET-DRAFT draft-ietf-sasl-saslprep-03.txt 30 June 2003
175 passwords for comparison. It is not intended to be used for to
176 prepare identities which are not simple user names (e.g.,
177 distinguished names and domain names). Nor is the profile intended to
178 be used for simple user names which require different handling.
179 Protocols (or applications of those protocols) which have
180 application-specific identity forms and/or comparison algorithms
181 should use mechanisms specifically designed for these forms and
184 User names and passwords should be protected from eavesdropping.
186 General "stringprep" and Unicode security considerations apply. Both
187 are discussed in [StringPrep].
190 4. IANA Considerations
192 This document details the "SASLprep" profile of [StringPrep] protocol.
193 Upon Standards Action the profile should be registered in the
194 stringprep profile registry.
196 Name of this profile: SASLprep
197 RFC in which the profile is defined: This RFC
198 Indicator whether or not this is the newest version of the
199 profile: This is the first version of the SASPprep profile.
204 This document borrows text from "Preparation of Internationalized
205 Strings ('stringprep')" and "Nameprep: A Stringprep Profile for
206 Internationalized Domain Names", both by Paul Hoffman and Marc
209 This document is a product of the IETF SASL WG.
212 6. Normative References
214 [StringPrep] Hoffman P. and M. Blanchet, "Preparation of
215 Internationalized Strings ('stringprep')", RFC 3454,
218 [SASL] Myers, J., "Simple Authentication and Security Layer
219 (SASL)", draft-myers-saslrev-xx.txt, a work in progress.
221 [Unicode] The Unicode Consortium, "The Unicode Standard, Version
222 3.2.0" is defined by "The Unicode Standard, Version 3.0"
226 Zeilenga SASLprep [Page 4]
228 INTERNET-DRAFT draft-ietf-sasl-saslprep-03.txt 30 June 2003
231 (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
232 as amended by the "Unicode Standard Annex #27: Unicode
233 3.1" (http://www.unicode.org/reports/tr27/) and by the
234 "Unicode Standard Annex #28: Unicode 3.2"
235 (http://www.unicode.org/reports/tr28/).
238 7. Informative References
240 [Glossary] The Unicode Consortium, "Unicode Glossary",
241 <http://www.unicode.org/glossary/>.
243 [CharModel] Whistler, K. and M. Davis, "Unicode Technical Report
244 #17, Character Encoding Model", UTR17,
245 <http://www.unicode.org/unicode/reports/tr17/>, August
248 [CRAM-MD5] Nerenberg, L., "The CRAM-MD5 SASL Mechanism",
249 draft-nerenberg-sasl-crammd5-xx.txt, a work in progress.
251 [DIGEST-MD5] Leach, P., C. Newman, and A. Melnikov, "Using Digest
252 Authentication as a SASL Mechanism",
253 draft-ietf-sasl-rfc2831bis-xx.txt, a work in progress.
255 [PLAIN] Zeilenga, K., "The Plain SASL Mechanism",
256 draft-ietf-sasl-plain-xx.txt, a work in progress.
264 Email: kurt@OpenLDAP.org
267 Intellectual Property Rights
269 The IETF takes no position regarding the validity or scope of any
270 intellectual property or other rights that might be claimed to pertain
271 to the implementation or use of the technology described in this
272 document or the extent to which any license under such rights might or
273 might not be available; neither does it represent that it has made any
274 effort to identify any such rights. Information on the IETF's
275 procedures with respect to rights in standards-track and
276 standards-related documentation can be found in BCP-11. Copies of
277 claims of rights made available for publication and any assurances of
278 licenses to be made available, or the result of an attempt made to
282 Zeilenga SASLprep [Page 5]
284 INTERNET-DRAFT draft-ietf-sasl-saslprep-03.txt 30 June 2003
287 obtain a general license or permission for the use of such proprietary
288 rights by implementors or users of this specification can be obtained
289 from the IETF Secretariat.
291 The IETF invites any interested party to bring to its attention any
292 copyrights, patents or patent applications, or other proprietary
293 rights which may cover technology that may be required to practice
294 this standard. Please address the information to the IETF Executive
300 Copyright (C) The Internet Society (2003). All Rights Reserved.
302 This document and translations of it may be copied and furnished to
303 others, and derivative works that comment on or otherwise explain it
304 or assist in its implmentation may be prepared, copied, published and
305 distributed, in whole or in part, without restriction of any kind,
306 provided that the above copyright notice and this paragraph are
307 included on all such copies and derivative works. However, this
308 document itself may not be modified in any way, such as by removing
309 the copyright notice or references to the Internet Society or other
310 Internet organizations, except as needed for the purpose of
311 developing Internet standards in which case the procedures for
312 copyrights defined in the Internet Standards process must be followed,
313 or as required to translate it into languages other than English.
338 Zeilenga SASLprep [Page 6]