Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords
Draft of message to be sent after approval:
From: The IESG <firstname.lastname@example.org> To: IETF-Announce <email@example.com> Cc: RFC Editor <firstname.lastname@example.org>, precis mailing list <email@example.com>, precis chair <firstname.lastname@example.org> Subject: Protocol Action: 'Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords' to Proposed Standard (draft-ietf-precis-saslprepbis-18.txt) The IESG has approved the following document: - 'Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords' (draft-ietf-precis-saslprepbis-18.txt) as Proposed Standard This document is the product of the Preparation and Comparison of Internationalized Strings Working Group. The IESG contact persons are Ben Campbell, Barry Leiba and Alissa Cooper. A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-precis-saslprepbis/
Technical Summary This document describes methods for handling internationalized usernames and passwords. It provides for a more sustainable approach than SASLprep (RFC 4013) by leveraging the PRECIS framework; this includes better adaptability to future versions of Unicode. While oriented toward SASL authentication schemes, the methods in this document can be applied to other schemes, such as HTTP-based authentication. Review and Consensus This document received wide review, including input from individuals in the KITTEN and HTTP-AUTH Working Groups, and spanned at least two Working Group Last Calls. The consensus in the PRECIS Working Group is to publish this document. One of the major points of concern was how to handle case mapping in usernames. In some protocols the case is significant, others it is not. To address this concern, the consensus was to define two profiles for usernames that protocols and applications are expected to choose exactly one of: UsernameCaseMapped for when case is not significant, and UsernameCasePreserved for when case is significant. The other major point of concern was how to deal with changes to the Unicode specifications (e.g., draft-klensin-idna-5892upd-unicode70). This concern is not specific to this document -- or even to the PRECIS Working Group -- but is relevant to all IETF technologies dealing with internationalized text (e.g., IDNA2008 and PRECIS). The issues are complex and the IETF has not yet developed mitigations. The rough consensus of the Working Group was to proceed with the PRECIS work as it stands since it is considered a significant improvement over the Stringprep-based approach, and to address these issues more comprehensively once future mitigations have been developed. Personnel Matthew Miller is the document shepherd, and Barry Leiba is the responsible AD.