The TCP Service Number Option (SNO)
draft-touch-tcpm-sno-09
Document history
Date | Rev. | By | Action |
---|---|---|---|
2022-02-02 | 09 | Cindy Morgan | This document now replaces draft-touch-tcp-portnames instead of None |
2019-01-20 | 09 | (System) | Document has expired |
2018-07-19 | 09 | Joseph Touch | New version available: draft-touch-tcpm-sno-09.txt |
2018-07-19 | 09 | (System) | New version approved |
2018-07-19 | 09 | (System) | |
2018-07-19 | 09 | Joseph Touch | Uploaded new revision |
2018-01-19 | 08 | Joseph Touch | New version available: draft-touch-tcpm-sno-08.txt |
2018-01-19 | 08 | (System) | New version approved |
2018-01-19 | 08 | (System) | Request for posting confirmation emailed to previous authors: Joseph Touch |
2018-01-19 | 08 | Joseph Touch | Uploaded new revision |
2017-10-19 | 07 | (System) | Document has expired |
2017-04-17 | 07 | Joseph Touch | New version available: draft-touch-tcpm-sno-07.txt |
2017-04-17 | 07 | (System) | New version approved |
2017-04-17 | 07 | (System) | Request for posting confirmation emailed to previous authors: Joseph Touch |
2017-04-17 | 07 | Joseph Touch | Uploaded new revision |
2016-10-21 | 06 | Joseph Touch | New version available: draft-touch-tcpm-sno-06.txt |
2016-10-21 | 06 | (System) | New version approved |
2016-10-21 | 05 | (System) | Request for posting confirmation emailed to previous authors: "Joseph Touch" |
2016-10-21 | 05 | Joseph Touch | Uploaded new revision |
2016-10-20 | 05 | (System) | Document has expired |
2016-04-18 | 05 | Joseph Touch | New version available: draft-touch-tcpm-sno-05.txt |
2015-10-15 | 04 | Joseph Touch | New version available: draft-touch-tcpm-sno-04.txt |
2015-03-09 | 03 | Joseph Touch | New version available: draft-touch-tcpm-sno-03.txt |
2014-09-16 | 02 | Joseph Touch | New version available: draft-touch-tcpm-sno-02.txt |
2014-03-04 | 01 | Joseph Touch | New version available: draft-touch-tcpm-sno-01.txt |
2013-09-04 | 00 | Joseph Touch | New version available: draft-touch-tcpm-sno-00.txt |