
The TCP Service Number Option (SNO)
draft-touch-tcpm-sno-09


Document history

Date        Rev.  By            Action
2022-02-02  09    Cindy Morgan  This document now replaces draft-touch-tcp-portnames instead of None
2019-01-20  09    (System)      Document has expired
2018-07-19  09    Joseph Touch  New version available: draft-touch-tcpm-sno-09.txt
2018-07-19  09    (System)      New version approved
2018-07-19  09    (System)
Network Working Group                                    P. Saint-Andre
Internet-Draft                                                  Filament
Obsoletes: 7613 (if approved)                                A. Melnikov
Intended status: Standards Track                              Isode Ltd
Expires: March 9, 2017                                September 5, 2016

Preparation, Enforcement, and Comparison of Internationalized Strings
                  Representing Usernames and Passwords
                      draft-ietf-precis-7613bis-03

Abstract

  This document describes updated methods for handling Unicode strings
  representing usernames and passwords.  The previous approach was
  known as SASLprep (RFC 4013) and was based on stringprep (RFC 3454).
  The methods specified in this document provide a more sustainable
  approach to the handling of internationalized usernames and
  passwords.  The preparation, enforcement, and comparison of
  internationalized strings (PRECIS) framework, RFC 7564, obsoletes RFC
  3454, and this document obsoletes RFC 7613.

Status of This Memo

  This Internet-Draft is submitted in full conformance with the
  provisions of BCP 78 and BCP 79.

  Internet-Drafts are working documents of the Internet Engineering
  Task Force (IETF).  Note that other groups may also distribute
  working documents as Internet-Drafts.  The list of current Internet-
  Drafts is at http://datatracker.ietf.org/drafts/current/.

  Internet-Drafts are draft documents valid for a maximum of six months
  and may be updated, replaced, or obsoleted by other documents at any
  time.  It is inappropriate to use Internet-Drafts as reference
  material or to cite them other than as "work in progress."

  This Internet-Draft will expire on March 9, 2017.

Copyright Notice

  Copyright (c) 2016 IETF Trust and the persons identified as the
  document authors.  All rights reserved.

  This document is subject to BCP 78 and the IETF Trust's Legal
  Provisions Relating to IETF Documents
  (http://trustee.ietf.org/license-info) in effect on the date of
  publication of this document.  Please review these documents

Saint-Andre & Melnikov    Expires March 9, 2017                [Page 1]
Internet-Draft      PRECIS: Usernames and Passwords      September 2016

  carefully, as they describe your rights and restrictions with respect
  to this document.  Code Components extracted from this document must
  include Simplified BSD License text as described in Section 4.e of
  the Trust Legal Provisions and are provided without warranty as
  described in the Simplified BSD License.

Table of Contents

  1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .  3
  2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .  4
  3.  Usernames . . . . . . . . . . . . . . . . . . . . . . . . . .  5
    3.1.  Definition  . . . . . . . . . . . . . . . . . . . . . . .  5
    3.2.  UsernameCaseMapped Profile  . . . . . . . . . . . . . . .  6
      3.2.1.  Rules . . . . . . . . . . . . . . . . . . . . . . . .  6
      3.2.2.  Preparation . . . . . . . . . . . . . . . . . . . . .  6
      3.2.3.  Enforcement . . . . . . . . . . . . . . . . . . . . .  7
      3.2.4.  Comparison  . . . . . . . . . . . . . . . . . . . . .  7
    3.3.  UsernameCasePreserved Profile . . . . . . . . . . . . . .  7
      3.3.1.  Rules . . . . . . . . . . . . . . . . . . . . . . . .  7
      3.3.2.  Preparation . . . . . . . . . . . . . . . . . . . . .  8
      3.3.3.  Enforcement . . . . . . . . . . . . . . . . . . . . .  8
      3.3.4.  Comparison  . . . . . . . . . . . . . . . . . . . . .  8
    3.4.  Case Mapping vs. Case Preservation  . . . . . . . . . . .  8
    3.5.  Application-Layer Constructs  . . . . . . . . . . . . . .  10
    3.6.  Examples  . . . . . . . . . . . . . . . . . . . . . . . .  10
  4.  Passwords . . . . . . . . . . . . . . . . . . . . . . . . . .  12
    4.1.  Definition  . . . . . . . . . . . . . . . . . . . . . . .  12
    4.2.  OpaqueString Profile  . . . . . . . . . . . . . . . . . .  13
      4.2.1.  Preparation . . . . . . . . . . . . . . . . . . . . .  13
      4.2.2.  Enforcement . . . . . . . . . . . . . . . . . . . . .  13
      4.2.3.  Comparison  . . . . . . . . . . . . . . . . . . . . .  14
    4.3.  Examples  . . . . . . . . . . . . . . . . . . . . . . . .  14
  5.  Use in Application Protocols  . . . . . . . . . . . . . . . .  15
  6.  Migration . . . . . . . . . . . . . . . . . . . . . . . . . .  16
    6.1.  Usernames . . . . . . . . . . . . . . . . . . . . . . . .  16
    6.2.  Passwords . . . . . . . . . . . . . . . . . . . . . . . .  17
  7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  18
    7.1.  UsernameCaseMapped Profile  . . . . . . . . . . . . . . .  18
    7.2.  UsernameCasePreserved Profile . . . . . . . . . . . . . .  19
    7.3.  OpaqueString Profile  . . . . . . . . . . . . . . . . . .  20
    7.4.  Stringprep Profile  . . . . . . . . . . . . . . . . . . .  20
  8.  Security Considerations . . . . . . . . . . . . . . . . . . .  20
    8.1.  Password/Passphrase Strength  . . . . . . . . . . . . . .  20
    8.2.  Identifier Comparison . . . . . . . . . . . . . . . . . .  21
    8.3.  Reuse of PRECIS . . . . . . . . . . . . . . . . . . . . .  21
    8.4.  Reuse of Unicode  . . . . . . . . . . . . . . . . . . . .  21
  9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  21
    9.1.  Normative References  . . . . . . . . . . . . . . . . . .  21
    9.2.  Informative References  . . . . . . . . . . . . . . . . .  22
  Appendix A.  Differences from RFC 7613  . . . . . . . . . . . . .  24
  Appendix B.  Acknowledgements . . . . . . . . . . . . . . . . . .  24
  Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  24

1.  Introduction

  Usernames and passwords are widely used for authentication and
  authorization on the Internet, either directly when provided in
  plaintext (as in the PLAIN Simple Authentication and Security Layer
  (SASL) mechanism [RFC4616] and the HTTP Basic scheme [RFC7617]) or
  indirectly when provided as the input to a cryptographic algorithm
  such as a hash function (as in the Salted Challenge Response
  Authentication Mechanism (SCRAM) SASL mechanism [RFC5802] and the
  HTTP Digest scheme [RFC7616]).

  To increase the likelihood that the input and comparison of usernames
  and passwords will work in ways that make sense for typical users
  throughout the world, this document defines rules for preparing,
  enforcing, and comparing internationalized strings that represent
  usernames and passwords.  Such strings consist of characters from the
  Unicode character set [Unicode], with special attention to characters
  outside the ASCII range [RFC20].  The rules for handling such strings
  are specified through profiles of the string classes defined in the
  preparation, enforcement, and comparison of internationalized strings
  (PRECIS) framework specification [RFC7564].

  Profiles of the PRECIS framework enable software to handle Unicode
  characters outside the ASCII range in an automated way, so that such
  characters are treated carefully and consistently in application
  protocols.  In large measure, these profiles are designed to protect
  application developers from the potentially negative consequences of
  supporting the full range of Unicode characters.  For instance, in
  almost all application protocols it would be dangerous to treat the
  Unicode character SUPERSCRIPT ONE (U+00B9) as equivalent to DIGIT ONE
  (U+0031), because that would result in false positives during
  comparison, authentication, and authorization (e.g., an attacker
  could easily spoof an account "user1@example.com").

  Whereas a naive use of Unicode would make such attacks trivially
  easy, the PRECIS profile defined here for usernames generally
  protects applications from inadvertently causing such problems.
  (Similar considerations apply to passwords, although here it is
  desirable to support a wider range of characters so as to maximize
  entropy for purposes of authentication.)
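The spoofing risk described above, as an added illustration that is not code from this draft or from any PRECIS library: a naive NFKC-then-compare check treats "user1" and "user¹" as the same account, whereas the HasCompat rule of RFC 7564 (NFKC form differs from the character itself), which the IdentifierClass and therefore the username profiles disallow, rejects the superscript before any comparison happens. The compare_usernames helper and its reduced profile steps (compatibility rejection, lowercasing, NFC) are this example's own simplification, not the full profile.

```python
"""Constructed example: naive Unicode comparison versus a PRECIS-style check.
Written for this page; not code from the PRECIS drafts or any library."""
import unicodedata


def naive_equivalent(a: str, b: str) -> bool:
    """The naive approach: fold both strings to NFKC and compare.
    NFKC maps SUPERSCRIPT ONE (U+00B9) to DIGIT ONE (U+0031), so
    "user1" and "user\u00b9" collide and the account is spoofable."""
    return unicodedata.normalize("NFKC", a) == unicodedata.normalize("NFKC", b)


def has_compat(cp: str) -> bool:
    """HasCompat as defined in RFC 7564: a character whose NFKC form is
    not itself.  Such characters are DISALLOWED in the IdentifierClass,
    from which the username profiles are derived."""
    return unicodedata.normalize("NFKC", cp) != cp


def enforce_username(s: str) -> str:
    """Simplified stand-in for username enforcement (an assumption of this
    example, not the complete profile): reject compatibility characters,
    then lowercase and normalize to NFC.  Raises ValueError on rejection."""
    for cp in s:
        if has_compat(cp):
            raise ValueError(f"disallowed compatibility character U+{ord(cp):04X}")
    return unicodedata.normalize("NFC", s.lower())


def compare_usernames(a: str, b: str) -> bool:
    """Enforce both inputs first; anything the profile rejects can never
    compare equal to a valid username, so the spoof attempt fails closed."""
    try:
        return enforce_username(a) == enforce_username(b)
    except ValueError:
        return False


if __name__ == "__main__":
    legit, spoof = "user1", "user\u00b9"          # constructed sample inputs
    print("naive:", naive_equivalent(legit, spoof))  # True: false positive
    print("precis-style:", compare_usernames(legit, spoof))  # False
```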

  The methods defined here might be applicable wherever usernames or
  passwords are used.  However, the methods are not intended for use in
  preparing strings that are not usernames (e.g., Lightweight Directory
  Access Protocol (LDAP) distinguished names), nor in cases where
  identifiers or secrets are not strings (e.g., keys and certificates)
  or require specialized handling.

  This document obsoletes RFC 4013 (the SASLprep profile of stringprep
  [RFC3454]) but can be used by technologies other than SASL [RFC4422],
  such as HTTP authentication as specified in [RFC7617] and [RFC7616].

  This document does not modify the handling of internationalized
  strings in usernames and passwords as prescribed by existing
  application protocols that use SASLprep.  If the community that uses
  such an application protocol wishes to modernize its handling of
  internationalized strings to use PRECIS instead of stringprep, it
  needs to explicitly update the existing application protocol
  definition (one example is [RFC7622]).  Non-coordinated updates to
  protocol implementations are discouraged because they can have a
  negative impact on interoperability and security.

2.  Terminology

  Many important terms used in this document are defined in [RFC5890],
  [RFC6365], [RFC7564], and [Unicode].  The term "non-ASCII space&
2018-07-19  09    Joseph Touch  Uploaded new revision
2018-01-19  08    Joseph Touch  New version available: draft-touch-tcpm-sno-08.txt
2018-01-19  08    (System)      New version approved
2018-01-19  08    (System)      Request for posting confirmation emailed to previous authors: Joseph Touch
2018-01-19  08    Joseph Touch  Uploaded new revision
2017-10-19  07    (System)      Document has expired
2017-04-17  07    Joseph Touch  New version available: draft-touch-tcpm-sno-07.txt
2017-04-17  07    (System)      New version approved
2017-04-17  07    (System)      Request for posting confirmation emailed to previous authors: Joseph Touch
2017-04-17  07    Joseph Touch  Uploaded new revision
2016-10-21  06    Joseph Touch  New version available: draft-touch-tcpm-sno-06.txt
2016-10-21  06    (System)      New version approved
2016-10-21  05    (System)      Request for posting confirmation emailed to previous authors: "Joseph Touch"
2016-10-21  05    Joseph Touch  Uploaded new revision
2016-10-20  05    (System)      Document has expired
2016-04-18  05    Joseph Touch  New version available: draft-touch-tcpm-sno-05.txt
2015-10-15  04    Joseph Touch  New version available: draft-touch-tcpm-sno-04.txt
2015-03-09  03    Joseph Touch  New version available: draft-touch-tcpm-sno-03.txt
2014-09-16  02    Joseph Touch  New version available: draft-touch-tcpm-sno-02.txt
2014-03-04  01    Joseph Touch  New version available: draft-touch-tcpm-sno-01.txt
2013-09-04  00    Joseph Touch  New version available: draft-touch-tcpm-sno-00.txt