Internet Architecture Board (IAB) D. Thaler, Ed.
Request for Comments: 6943 Microsoft
Category: Informational May 2013
ISSN: 2070-1721
Issues in Identifier Comparison for Security Purposes
Abstract
Identifiers such as hostnames, URIs, IP addresses, and email
addresses are often used in security contexts to identify security
principals and resources. In such contexts, an identifier presented
via some protocol is often compared using some policy to make
security decisions such as whether the security principal may access
the resource, what level of authentication or encryption is required,
etc. If the parties involved in a security decision use different
algorithms to compare identifiers, then failure scenarios ranging
from denial of service to elevation of privilege can result. This
document provides a discussion of these issues that designers should
consider when defining identifiers and protocols, and when
constructing architectures that use multiple protocols.
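The abstract's failure modes can be made concrete with a small policy check. The following is an added example, not text or code from RFC 6943: it models two parties that compare hostnames with different algorithms, one doing plain string equality and one canonicalizing first (the canonicalization rules here, lowercasing, stripping one trailing dot and normalizing IP literals with Python's ipaddress module, are this example's assumptions, not the RFC's prescription). The allowlist, denylist and presented identifiers are constructed sample data.

```python
import ipaddress

# Constructed sample policies, as a policy author might type them.
ALLOWLIST = {"mail.example.com", "www.example.com", "[::1]"}
DENYLIST = {"evil.example.net"}


def naive_equal(a, b):
    """Comparison used by a policy layer that does plain string equality."""
    return a == b


def canonicalize_host(host):
    """Reduce a host identifier to one canonical form (this example's rules):
    lowercase, drop IPv6 literal brackets, render IP literals in the compact
    form produced by ipaddress, and strip a single trailing dot from names."""
    h = host.strip().lower()
    if h.startswith("[") and h.endswith("]"):
        h = h[1:-1]
    try:
        # ipaddress accepts standard dotted-quad and IPv6 text forms only;
        # abbreviated inet_aton forms such as "127.1" fall through as names.
        return ipaddress.ip_address(h).compressed
    except ValueError:
        pass
    if h.endswith(".") and len(h) > 1:
        h = h[:-1]
    return h


def canonical_equal(a, b):
    """Comparison that canonicalizes both sides before testing equality."""
    return canonicalize_host(a) == canonicalize_host(b)


def matches(policy, presented, equal):
    return any(equal(entry, presented) for entry in policy)


def decide(presented, equal):
    """Evaluate a presented identifier against the denylist, then the allowlist.

    Returns 'deny', 'allow' or 'no-match'. A 'no-match' is a false negative
    when the identifier is a legitimate spelling of an allowlisted host
    (denial of service), and a policy bypass when it is a legitimate spelling
    of a denylisted host and the caller treats 'no-match' as permitted."""
    if matches(DENYLIST, presented, equal):
        return "deny"
    if matches(ALLOWLIST, presented, equal):
        return "allow"
    return "no-match"


if __name__ == "__main__":
    for presented in ("WWW.Example.COM.", "Evil.Example.Net.", "0:0:0:0:0:0:0:1"):
        print(f"{presented:20} naive={decide(presented, naive_equal):9} "
              f"canonical={decide(presented, canonical_equal)}")
    # Residual disagreement: a party using inet_aton() would read "127.1" as
    # 127.0.0.1, but this canonicalizer does not, so the two still differ.
    print("127.1 == 127.0.0.1 ?", canonical_equal("127.1", "127.0.0.1"))
```

The point of the last line is the abstract's warning in miniature: canonicalizing on one side only moves the mismatch. A name resolver or socket layer that accepts abbreviated IPv4 literals will still disagree with this policy check about "127.1", so every party in the decision must apply the same comparison rules, or the policy layer must reject forms it cannot canonicalize.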
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Architecture Board (IAB)
and represents information that the IAB has deemed valuable to
provide for permanent record. It represents the consensus of the
Internet Architecture Board (IAB). Documents approved for
publication by the IAB are not a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6943.
Thaler Informational [Page 1]
RFC 6943 Identifier Comparison May 2013
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction ....................................................3
1.1. Classes of Identifiers .....................................5
1.2. Canonicalization ...........................................5
2. Identifier Use in Security Policies and Decisions ...............6
2.1. False Positives and Negatives ..............................7
2.2. Hypothetical Example .......................................8
3. Comparison Issues with Common Identifiers .......................9
3.1. Hostnames ..................................................9
3.1.1. IPv4 Literals ......................................11
3.1.2. IPv6 Literals ......................................12
3.1.3. Internationalization ...............................13
3.1.4. Resolution for Comparison ..........................14
3.2. Port Numbers and Service Names ............................14
3.3. URIs ......................................................15
3.3.1. Scheme Component ...................................16
3.3.2. Authority Component ................................16
3.3.3. Path Component .....................................17
3.3.4. Query Component ....................................17
3.3.5. Fragment Component .................................17
3.3.6. Resolution for Comparison ..........................18
3.4. Email Address-Like Identifiers ............................18
4. General Issues .................................................19
4.1. Conflation ................................................19
4.2. Internationalization ......................................20
4.3. Scope .....................................................21
4.4. Temporality ...............................................21
5. Security Considerations ........................................22
6. Acknowledgements ...............................................22
7. IAB Members at the Time of Approval ............................23
8. Informative References .........................................23
1. Introduction
In computing and the Internet, various types of "identifiers" are
used to identify humans, devices, content, etc. This document
provides a discussion of some security issues that designers should