SASLprep: Stringprep Profile for User Names and Passwords
RFC 4013
Document Type RFC - Proposed Standard (March 2005; Errata)
Obsoleted by RFC 7613
Last updated 2013-03-02
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4013 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Russ Housley
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                        K. Zeilenga
Request for Comments: 4013                           OpenLDAP Foundation
Category: Standards Track                                  February 2005

       SASLprep: Stringprep Profile for User Names and Passwords

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document describes how to prepare Unicode strings representing
   user names and passwords for comparison.  The document defines the
   "SASLprep" profile of the "stringprep" algorithm to be used for both
   user names and passwords.  This profile is intended to be used by
   Simple Authentication and Security Layer (SASL) mechanisms (such as
   PLAIN, CRAM-MD5, and DIGEST-MD5), as well as other protocols
   exchanging simple user names and/or passwords.

1.  Introduction

   The use of simple user names and passwords in authentication and
   authorization is pervasive on the Internet.  To increase the
   likelihood that user name and password input and comparison work in
   ways that make sense for typical users throughout the world, this
   document defines rules for preparing internationalized user names and
   passwords for comparison.  For simplicity and implementation ease, a
   single algorithm is defined for both user names and passwords.

   The algorithm assumes all strings are comprised of characters from
   the Unicode [Unicode] character set.

   This document defines the "SASLprep" profile of the "stringprep"
   algorithm [StringPrep].

   The profile is designed for use in Simple Authentication and Security
   Layer ([SASL]) mechanisms, such as [PLAIN], [CRAM-MD5], and
   [DIGEST-MD5].  It may be applicable where simple user names and

Zeilenga                    Standards Track                     [Page 1]
RFC 4013                        SASLprep                   February 2005

   passwords are used.  This profile is not intended for use in
   preparing identity strings that are not simple user names (e.g.,
   email addresses, domain names, distinguished names), or where
   identity or password strings that are not character data, or require
   different handling (e.g., case folding).

   This document does not alter the technical specification of any
   existing protocols.  Any specification that wishes to use the
   algorithm described in this document needs to explicitly incorporate
   this document and provide precise details as to where and how this
   algorithm is used by implementations of that specification.

2.  The SASLprep Profile

   This section defines the "SASLprep" profile of the "stringprep"
   algorithm [StringPrep].  This profile is intended for use in
   preparing strings representing simple user names and passwords.

   This profile uses Unicode 3.2 [Unicode].

   Character names in this document use the notation for code points and
   names from the Unicode Standard [Unicode].  For example, the letter
   "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.
   In the lists of mappings and the prohibited characters, the "U+" is
   left off to make the lists easier to read.  The comments for
   character ranges are shown in square brackets (such as "[CONTROL
   CHARACTERS]") and do not come from the standard.

   Note: A glossary of terms used in Unicode can be found in [Glossary].
   Information on the Unicode character encoding model can be found in
   [CharModel].

2.1.  Mapping

   This profile specifies:

      -  non-ASCII space characters [StringPrep, C.1.2] that can be
         mapped to SPACE (U+0020), and

      -  the "commonly mapped to nothing" characters [StringPrep, B.1]
         that can be mapped to nothing.

2.2.  Normalization

   This profile specifies using Unicode normalization form KC, as
   described in Section 4 of [StringPrep].

Zeilenga                    Standards Track                     [Page 2]
RFC 4013                        SASLprep                   February 2005

2.3.  Prohibited Output

   This profile specifies the following characters as prohibited input:

      - Non-ASCII space characters [StringPrep, C.1.2]
      - ASCII control characters [StringPrep, C.2.1]
      - Non-ASCII control characters [StringPrep, C.2.2]
      - Private Use characters [StringPrep, C.3]
      - Non-character code points [StringPrep, C.4]
      - Surrogate code points [StringPrep, C.5]
      - Inappropriate for plain text characters [StringPrep, C.6]
      - Inappropriate for canonical representation characters
        [StringPrep, C.7]
      - Change display properties or deprecated characters
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools