Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords

Approval announcement
Draft of message to be sent after approval:

From: The IESG <>
To: IETF-Announce <>
Cc: RFC Editor <>,
    precis mailing list <>,
    precis chair <>
Subject: Protocol Action: 'Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords' to Proposed Standard (draft-ietf-precis-saslprepbis-18.txt)

The IESG has approved the following document:
- 'Preparation, Enforcement, and Comparison of Internationalized Strings
   Representing Usernames and Passwords'
  (draft-ietf-precis-saslprepbis-18.txt) as Proposed Standard

This document is the product of the Preparation and Comparison of
Internationalized Strings Working Group.

The IESG contact persons are Ben Campbell, Barry Leiba and Alissa Cooper.

A URL of this Internet Draft is:

Technical Summary
This document describes methods for handling internationalized
usernames and passwords. It provides for a more sustainable approach
than SASLprep (RFC 4013) by leveraging the PRECIS framework; this
includes better adaptability to future versions of Unicode. While
oriented toward SASL authentication schemes, the methods in this
document can be applied to other schemes, such as HTTP-based

Review and Consensus
This document received wide review, including input from individuals
in the KITTEN and HTTP-AUTH Working Groups, and spanned at least two
Working Group Last Calls.  The consensus in the PRECIS Working Group
is to publish this document.

One of the major points of concern was how to handle case mapping in
usernames. In some protocols the case is significant, others it is
not. To address this concern, the consensus was to define two profiles
for usernames that protocols and applications are expected to choose
exactly one of: UsernameCaseMapped for when case is not significant,
and UsernameCasePreserved for when case is significant.

The other major point of concern was how to deal with changes to the
Unicode specifications (e.g., draft-klensin-idna-5892upd-unicode70).
This concern is not specific to this document -- or even to the PRECIS
Working Group -- but is relevant to all IETF technologies dealing with
internationalized text (e.g., IDNA2008 and PRECIS).  The issues are
complex and the IETF has not yet developed mitigations.  The rough
consensus of the Working Group was to proceed with the PRECIS work as
it stands since it is considered a significant improvement over the
Stringprep-based approach, and to address these issues more
comprehensively once future mitigations have been developed.

Matthew Miller is the document shepherd, and Barry Leiba is the
responsible AD.