INTERNET-DRAFT                                         Kurt D. Zeilenga
Intended Category: Standards Track                  OpenLDAP Foundation
Expires: September 2004                                   22 March 2004

       SASLprep: Stringprep profile for user names and passwords
                   <draft-ietf-sasl-saslprep-07.txt>
This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC 2026.

This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standards Track document.
Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF SASL mailing list
<ietf-sasl@imc.org>. Please send editorial comments directly to the
document editor <Kurt@OpenLDAP.org>.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''

The list of current Internet-Drafts can be accessed at
<http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
Internet-Draft Shadow Directories can be accessed at
<http://www.ietf.org/shadow.html>.

Copyright (C) The Internet Society (2004). All Rights Reserved.

Please see the Full Copyright section near the end of this document
Abstract

This document describes how to prepare Unicode strings representing
user names and passwords for comparison. The document defines the
"SASLprep" profile of the "stringprep" algorithm to be used for both
user names and passwords. This profile is intended to be used by
Simple Authentication and Security Layer (SASL) mechanisms (such as
PLAIN, CRAM-MD5, and DIGEST-MD5) as well as other protocols exchanging
simple user names and/or passwords.

Zeilenga                         SASLprep                       [Page 1]

INTERNET-DRAFT          draft-ietf-sasl-saslprep-07.txt   22 March 2004
1. Introduction

The use of simple user names and passwords in authentication and
authorization is pervasive on the Internet. To increase the
likelihood that user name and password input and comparison work in
ways that make sense for typical users throughout the world, this
document defines rules for preparing internationalized user names and
passwords for comparison. For simplicity and implementation ease, a
single algorithm is defined for both user names and passwords.

The algorithm assumes all strings are composed of characters from the
Unicode character set.

This document defines the "SASLprep" profile of the "stringprep"
algorithm [StringPrep].

The profile is designed for use in Simple Authentication and Security
Layer ([SASL]) mechanisms such as [PLAIN]. It may be applicable
wherever simple user names and passwords are used. This profile is
not intended to be used to prepare identity strings which are not
simple user names (e.g., e-mail addresses, domain names, distinguished
names), or where identity or password strings which are not character
2. The SASLprep profile

This section defines the "SASLprep" profile of the "stringprep"
algorithm [StringPrep]. This profile is intended to be used to
prepare strings representing simple user names and passwords.

This profile uses Unicode 3.2 [Unicode].

Character names in this document use the notation for code points and
names from the Unicode Standard [Unicode]. For example, the letter
"a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.
In the lists of mappings and the prohibited characters, the "U+" is
left off to make the lists easier to read. The comments for character
ranges are shown in square brackets (such as "[CONTROL CHARACTERS]")
and do not come from the standard.

Note: a glossary of terms used in Unicode can be found in [Glossary].
Information on the Unicode character encoding model can be found in
2.1. Mapping

This profile specifies:
- non-ASCII space characters [StringPrep, C.1.2] be mapped to SPACE
- the "commonly mapped to nothing" characters [StringPrep, B.1] be

2.2. Normalization

This profile specifies using Unicode normalization form KC, as
described in Section 4 of [StringPrep].
2.3. Prohibited Output

This profile specifies the following characters:

- Non-ASCII space characters [StringPrep, C.1.2],
- ASCII control characters [StringPrep, C.2.1],
- Non-ASCII control characters [StringPrep, C.2.2],
- Private Use [StringPrep, C.3],
- Non-character code points [StringPrep, C.4],
- Surrogate code points [StringPrep, C.5],
- Inappropriate for plain text [StringPrep, C.6],
- Inappropriate for canonical representation [StringPrep, C.7],
- Change display properties or are deprecated [StringPrep, C.8], and
- Tagging characters [StringPrep, C.9].

are prohibited output.

2.4. Bidirectional characters

This profile specifies checking bidirectional strings as described in
[StringPrep, Section 6].

2.5. Unassigned Code Points

This profile specifies [StringPrep, A.1] table as its list of
unassigned code points.
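The five steps of sections 2.1 through 2.5 compose into one function. The following is an added example written for this page, not code from the draft or from any SASL implementation: it builds the profile from Python's standard `stringprep` module (which carries the RFC 3454 tables A.1, B.1, C.x and D.x) and the Unicode 3.2 database that `unicodedata.ucd_3_2_0` exposes. The names `saslprep`, `SASLprepError` and `rejects`, the `allow_unassigned` parameter (reflecting stringprep's distinction between stored strings and queries) and all sample inputs are this example's own assumptions and constructions.

```python
"""SASLprep (draft sections 2.1-2.5) on top of Python's stringprep module.
Added example: names, the allow_unassigned switch and the sample inputs
are assumptions of this example, not part of the draft."""
import stringprep
import unicodedata

# The profile is defined over Unicode 3.2; Python ships that database as
# ucd_3_2_0, which is also what the stringprep module consults.
_UCD = unicodedata.ucd_3_2_0

# 2.3 Prohibited output: tables C.1.2 and C.2.1 through C.9.
_PROHIBITED = (
    stringprep.in_table_c12,  # non-ASCII space characters
    stringprep.in_table_c21,  # ASCII control characters
    stringprep.in_table_c22,  # non-ASCII control characters
    stringprep.in_table_c3,   # private use
    stringprep.in_table_c4,   # non-character code points
    stringprep.in_table_c5,   # surrogate code points
    stringprep.in_table_c6,   # inappropriate for plain text
    stringprep.in_table_c7,   # inappropriate for canonical representation
    stringprep.in_table_c8,   # change display properties or deprecated
    stringprep.in_table_c9,   # tagging characters
)


class SASLprepError(ValueError):
    """The input cannot be prepared (prohibited, bidi or unassigned code point)."""


def saslprep(text: str, allow_unassigned: bool = False) -> str:
    """Return the SASLprep form of `text` or raise SASLprepError.

    allow_unassigned=True models a stringprep 'query'; the default models a
    'stored string', for which unassigned code points are rejected.
    """
    # 2.1 Mapping: non-ASCII spaces become SPACE, B.1 characters vanish.
    mapped = []
    for ch in text:
        if stringprep.in_table_c12(ch):
            mapped.append(" ")
        elif stringprep.in_table_b1(ch):
            continue
        else:
            mapped.append(ch)

    # 2.2 Normalization: Unicode normalization form KC.
    out = _UCD.normalize("NFKC", "".join(mapped))

    # 2.3 Prohibited output, checked after normalization because NFKC can
    # yield code points that were not present in the input.
    for ch in out:
        if any(check(ch) for check in _PROHIBITED):
            raise SASLprepError(f"prohibited code point U+{ord(ch):04X}")

    # 2.4 Bidirectional check (stringprep section 6): if any RandALCat
    # character is present, no LCat character may be present, and the string
    # must both begin and end with a RandALCat character.
    if any(stringprep.in_table_d1(ch) for ch in out):
        if any(stringprep.in_table_d2(ch) for ch in out):
            raise SASLprepError("RandALCat and LCat characters mixed")
        if not (stringprep.in_table_d1(out[0]) and stringprep.in_table_d1(out[-1])):
            raise SASLprepError("RandALCat string must start and end with RandALCat")

    # 2.5 Unassigned code points (table A.1) are rejected for stored strings.
    if not allow_unassigned:
        for ch in out:
            if stringprep.in_table_a1(ch):
                raise SASLprepError(f"unassigned code point U+{ord(ch):04X}")
    return out


def rejects(text: str) -> bool:
    """True when the profile refuses `text` as a stored string."""
    try:
        saslprep(text)
    except SASLprepError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: soft hyphen dropped, compatibility characters
    # folded by NFKC, a non-ASCII space mapped to SPACE.
    for sample in ("I\u00adX", "\u00aa", "\u2168", "\uff55\uff53\uff45\uff52", "a\u00a0b"):
        print(repr(sample), "->", repr(saslprep(sample)))
    # An ASCII control character and a bidi violation (Arabic letter followed
    # by a digit) are refused.
    for bad in ("\u0007", "\u0627\u0031"):
        print(repr(bad), "rejected:", rejects(bad))
```

The ordering matters for the canonical-output property the profile relies on: mapping runs before normalization so that characters mapped to nothing cannot survive as composition partners, and the prohibition and bidi checks run on the normalized output rather than the raw input. Implementations that check prohibited output before NFKC, or skip the check after it, can accept an input whose prepared form contains a prohibited code point.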
3. Security Considerations
This profile is intended to be used to prepare simple user name and
password strings for comparison or use in cryptographic functions
(e.g., message digests). The preparation algorithm is specifically
designed such that its output is canonical.

It is not intended to be used to prepare identity strings which are
not simple user names (e.g., distinguished names and domain names).
Nor is the profile intended to be used for simple user names which
require different handling. Protocols (or applications of those
protocols) which have application-specific identity forms and/or
comparison algorithms should use mechanisms specifically designed for
these forms and algorithms.

Application of string preparation may have an impact upon the
feasibility of brute force and dictionary attacks. While the number
of possible prepared strings is less than the number of possible
Unicode strings, the number of usable names and passwords is greater
than if only ASCII was used. Though SASLprep eliminates some Unicode
code point sequences as possible prepared strings, that elimination
generally makes the (canonical) output forms practicable and
prohibits nonsensical inputs.

User names and passwords should be protected from eavesdropping.

General "stringprep" and Unicode security considerations apply. Both
are discussed in [StringPrep].
4. IANA Considerations

This document details the "SASLprep" profile of the [StringPrep]
protocol. Upon Standards Action the profile should be registered in
the stringprep profile registry.

Name of this profile: SASLprep
RFC in which the profile is defined: This RFC
Indicator whether or not this is the newest version of the
profile: This is the first version of the SASLprep profile.
5. Acknowledgments

This document borrows text from "Preparation of Internationalized
Strings ('stringprep')" and "Nameprep: A Stringprep Profile for
Internationalized Domain Names", both by Paul Hoffman and Marc

This document is a product of the IETF SASL WG.
6. Normative References

[StringPrep]  Hoffman, P. and M. Blanchet, "Preparation of
              Internationalized Strings ('stringprep')",
              draft-hoffman-rfc3454bis-xx.txt, a work in progress.

[SASL]        Melnikov, A. (Editor), "Simple Authentication and
              Security Layer (SASL)",
              draft-ietf-sasl-rfc2222bis-xx.txt, a work in progress.

[Unicode]     The Unicode Consortium, "The Unicode Standard, Version
              3.2.0" is defined by "The Unicode Standard, Version 3.0"
              (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
              as amended by the "Unicode Standard Annex #27: Unicode
              3.1" (http://www.unicode.org/reports/tr27/) and by the
              "Unicode Standard Annex #28: Unicode 3.2"
              (http://www.unicode.org/reports/tr28/).

7. Informative References

[Glossary]    The Unicode Consortium, "Unicode Glossary",
              <http://www.unicode.org/glossary/>.

[CharModel]   Whistler, K. and M. Davis, "Unicode Technical Report
              #17, Character Encoding Model", UTR17,
              <http://www.unicode.org/unicode/reports/tr17/>, August

[CRAM-MD5]    Nerenberg, L., "The CRAM-MD5 SASL Mechanism",
              draft-ietf-sasl-crammd5-xx.txt, a work in progress.

[DIGEST-MD5]  Leach, P., C. Newman, and A. Melnikov, "Using Digest
              Authentication as a SASL Mechanism",
              draft-ietf-sasl-rfc2831bis-xx.txt, a work in progress.

[PLAIN]       Zeilenga, K. (Editor), "The Plain SASL Mechanism",
              draft-ietf-sasl-plain-xx.txt, a work in progress.
Editor's Address

Email: Kurt@OpenLDAP.org
Intellectual Property Rights

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be found
in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this specification
can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
Full Copyright Statement

Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78 and
except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.