Network Working Group M. Duerst
Internet-Draft W3C
Expires: May 5, 2003 M. Suignard
Microsoft Corporation
November 4, 2002
Internationalized Resource Identifiers (IRIs)
draft-duerst-iri-02
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 5, 2003.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
This document defines a new protocol element, the Internationalized
Resource Identifier (IRI), as a complement to the URI [RFC2396]. An
IRI is a sequence of characters from the Universal Character Set
[ISO10646]. A mapping from IRIs to URIs is defined, which means that
IRIs can be used instead of URIs where appropriate to identify
resources.
The approach of defining a new protocol element was chosen, instead
of extending or changing the definition of URIs, to allow a clear
distinction and to avoid incompatibilities with existing software.
Duerst & Suignard Expires May 5, 2003 [Page 1]
Internet-Draft Internationalized Resource Identifiers November 2002
Guidelines for the use and deployment of IRIs in various protocols,
formats, and software components that now deal with URIs are
provided.
NOTE
This document is a product of the Internationalization Working Group
(I18N WG) of the World Wide Web Consortium (W3C). For general
discussion, please use the www-international@w3.org mailing list
(publicly archived at http://lists.w3.org/Archives/Public/www-
international/). For more information on the topic of this document,
please also see [W3CIRI] and [Duer01].
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1 Overview and Motivation . . . . . . . . . . . . . . . . . . . 4
1.2 Applicability . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.4 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2. IRI Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1 Summary of IRI Syntax . . . . . . . . . . . . . . . . . . . . 7
2.2 ABNF for IRI References and IRIs . . . . . . . . . . . . . . . 7
2.3 IRI Equivalence and Normalization . . . . . . . . . . . . . . 10
3. Relationship between IRIs and URIs . . . . . . . . . . . . . . 12
3.1 Mapping of IRIs to URIs . . . . . . . . . . . . . . . . . . . 12
3.2 Converting URIs to IRIs . . . . . . . . . . . . . . . . . . . 14
4. Bidirectional IRIs for Right-to-left Languages . . . . . . . . 15
4.1 Logical Storage and Visual Presentation . . . . . . . . . . . 15
4.2 Bidi IRI Structure . . . . . . . . . . . . . . . . . . . . . . 16
4.3 Input of Bidi IRIs . . . . . . . . . . . . . . . . . . . . . . 17
4.4 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
5. Use of IRIs . . . . . . . . . . . . . . . . . . . . . . . . . 19
5.1 Limitations on UCS Characters Allowed in IRIs . . . . . . . . 19
5.2 Software Interfaces and Protocols . . . . . . . . . . . . . . 20
5.3 Format of URIs and IRIs in Documents and Protocols . . . . . . 20
5.4 Relative IRI References . . . . . . . . . . . . . . . . . . . 21
6. URI/IRI Processing Guidelines (informative) . . . . . . . . . 21
6.1 URI/IRI Software Interfaces . . . . . . . . . . . . . . . . . 21
6.2 URI/IRI Entry . . . . . . . . . . . . . . . . . . . . . . . . 21
6.3 URI/IRI Transfer Between Applications . . . . . . . . . . . . 22
6.4 URI/IRI Generation . . . . . . . . . . . . . . . . . . . . . . 23
6.5 URI/IRI Selection . . . . . . . . . . . . . . . . . . . . . . 23
6.6 Display of URIs/IRIs . . . . . . . . . . . . . . . . . . . . . 24
6.7 Interpretation of URIs and IRIs . . . . . . . . . . . . . . . 24
6.8 Upgrading Strategy . . . . . . . . . . . . . . . . . . . . . . 25
7. Security Considerations . . . . . . . . . . . . . . . . . . . 26
8. Change log . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Duerst & Suignard Expires May 5, 2003 [Page 2]
Internet-Draft Internationalized Resource Identifiers November 2002
8.1 Changes from -01 to -02 . . . . . . . . . . . . . . . . . . . 27
8.2 Changes from -00 to -01 . . . . . . . . . . . . . . . . . . . 27
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 27
Normative References . . . . . . . . . . . . . . . . . . . . . 28
Non-normative References . . . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 31
Full Copyright Statement . . . . . . . . . . . . . . . . . . . 32
Duerst & Suignard Expires May 5, 2003 [Page 3]
Internet-Draft Internationalized Resource Identifiers November 2002
1. Introduction
1.1 Overview and Motivation
A URI is defined in [RFC2396] as a sequence of characters chosen from
a limited subset of the repertoire of US-ASCII characters.
The characters in URIs are frequently used for representing words of
natural languages. Such usage has many advantages: such URIs are
easier to memorize, easier to interpret, easier to transcribe, easier
to create, and easier to guess. For most languages other than
English, however, the natural script uses characters other than A-Z.
For many people, handling Latin characters is as difficult as
handling the characters of other scripts is for people who use only
the Latin alphabet. Many languages with non-Latin scripts do have
transcriptions to Latin letters and such transcriptions are now often
used in URIs, but they introduce additional ambiguities.
The infrastructure for the appropriate handling of characters from
local scripts is now widely deployed in local versions of operating
system and application software. Software that can handle a wide
variety of scripts and languages at the same time is increasingly
widespread. Also, there are increasing numbers of protocols and
formats that can carry a wide range of characters.
This document defines a new protocol element, called IRI
(Internationalized Resource Identifier), by extending the syntax of
URIs to a much wider repertoire of characters. It also defines
"internationalized" versions corresponding to other constructs from
[RFC2396], such as URI references.
Using characters outside of A-Z in IRIs brings with it some
difficulties; a discussion of potential problems and workarounds can
be found in the later sections of this document.
1.2 Applicability
IRIs are designed to be compatible with recent recommendations on URI
syntax [RFC2718]. The compatibility is provided by providing a well
defined and deterministic mapping from the IRI character sequence to
the functionally equivalent URI character sequence. Practical use of
IRIs (or IRI references) in place of URIs (or URI references) depends
on the following conditions being met:
a) The protocol or format element used should be explicitly
designated to carry IRIs. That is, the intent is not to
introduce IRIs into contexts that are not defined to accept
them. For example, XML schema [XMLSchema] has an explicit type
Duerst & Suignard Expires May 5, 2003 [Page 4]
Internet-Draft Internationalized Resource Identifiers November 2002
"anyURI" that designates the use of IRIs.
b) The protocol or format carrying the IRIs should have a
mechanism to represent the wide range of characters used in
IRIs, either natively or by some protocol- or format-specific
escaping mechanism (for example numeric character references in
[XML1]).
c) Either by definition for all the URIs of a specific URI scheme,
or a specific part of a URI (Reference), such as the fragment
identifier, or at least for some specific URIs of a given
scheme, the encoding of non-ASCII characters should be based on
UTF-8. For new URI schemes, this is recommended in [RFC2718].
This allows IRIs to be used with the URN syntax [RFC2141] as
well as recent URL scheme definitions based on UTF-8, such as
IMAP URLs [RFC2192] and POP URLs [RFC2384].
In cases and for pieces where an encoding other than UTF-8 is used,
and for raw binary data encoded in URIs (see [RFC2397]), the octets
have to be %-escaped. In these situations, the ability of IRIs to
directly represent a wide character repertoire cannot be used.
For example, for a document with a URI of http://www.example.org/
r%C3%A9sum%C3%A9.html, it is possible to construct a corresponding
IRI (in XML notation): http://www.example.org/résumé.html
(é stands for the e-acute character, and is the UTF-8 encoded
and escaped representation of that character). On the other hand,
for a document with an URI of http://www.example.org/r%e9sum%e9.html,
the escaped octets cannot be converted to actual characters in an
IRI, because the escaping is based on iso-8859-1 rather than UTF-8.
1.3 Definitions
The following definitions are used in this document; they follow the
terms in [RFC2130], [RFC2277] and [ISO10646]:
character: A member of a set of elements used for the
organization, control, or representation of data. For example,
"LATIN CAPITAL LETTER A" names a character.
octet: an ordered sequence of eight bits considered as a unit
character repertoire: A set of characters (in the mathematical
sense)
sequence of characters: A sequence (one after another) of
characters
Duerst & Suignard Expires May 5, 2003 [Page 5]
Internet-Draft Internationalized Resource Identifiers November 2002
sequence of octets: A sequence (one after another) of octets
(character) encoding: A method of representing a sequence of
characters as a sequence of octets (maybe with variants). A
method of (unambiguously) converting a sequence of octets into
a sequence of characters.
code point: A placeholder for a character in a character encoding,
for example to encode additional characters in future versions
of the character encoding.
charset: The name of a parameter or attribute used to identify a
character encoding.
UCS: Universal Character Set; the coded character set defined by
[ISO10646] and [UNIV3].
IRI reference: The term "IRI reference" denotes the common usage
of an internationalized resource identifier. An IRI reference
may be absolute or relative, and may have additional
information attached in the form of a fragement identifier.
However, the "IRI" that results from such a reference only
includes the absolute IRI after fragment identifier (if any) is
removed and after any relative IRI is resolved to its absolute
form.
1.4 Notation
In text, characters outside US-ASCII are sometimes referenced by
using a prefix of 'U+', followed by four to six hexadecimal digits.
To represent characters outside US-ASCII in examples, this document
uses two notations called 'XML Notation' and 'Bidi Notation'.
XML Notation uses leading '&#x', trailing ';', and the hexadecimal
number of the character in the UCS in between. Example: я
stands for CYRILLIC CAPITAL LETTER YA. In this notation, an actual
'&' is denoted by '&'.
Bidi Notation is used for bidirectional examples: lower case ASCII
letters stand for Latin letters or other letters that are written
left-to-right, whereas upper case letters represent Arabic or Hebrew
letters that are written right-to-left.
2. IRI Syntax
This section defines the syntax of Internationalized Resource
Duerst & Suignard Expires May 5, 2003 [Page 6]
Internet-Draft Internationalized Resource Identifiers November 2002
Identifiers (IRIs).
As with URIs, an IRI is defined as a sequence of characters, not as a
sequence of octets. This definition accommodates the fact that IRIs
may be written on paper or read over the radio as well as being
transmitted over the network. The same IRI may be represented as
different sequences of octets in different protocols or documents if
these protocols or documents use different character encodings (and/
or transfer encodings). Using the same character encoding as the
containing protocol or document assures that the characters in the
IRI can be handled (searched, converted, displayed,...) in the same
way as the rest of the protocol or document.
2.1 Summary of IRI Syntax
IRIs are defined similarly to URIs in [RFC2396] (as modified by
[RFC2732] and [IDNURI]), but the class of unreserved characters is
extended by adding the characters of the UCS (Universal Character
Set, [ISO10646]) beyond U+0080, subject to the limitations given in
the syntax rules below and in Section 5.1.
Otherwise, the syntax and use of components and reserved characters
is the same as that in [RFC2396]. All the operations defined in
[RFC2396], such as the resolution of relative URIs, can be applied to
IRIs by IRI-processing software in exactly the same way as this is
done to URIs by URI-processing software.
Note: [RFC2396]: Uniform Resource Identifiers (URI): Generic Syntax"
is being revised as [RFC2396bis]. The syntax used in this document
includes bug fixes from [RFC2396bis].
Characters outside the US-ASCII range MUST NOT be used for
syntactical purposes such as to delimit components in newly defined
schemes. As an example, it is not allowed to use U+00A2, CENT SIGN,
as a delimiter in IRIs, because it is in the 'iunreserved' category,
in the same way as it is not possible to use '-' as a delimiter,
because it is in the 'unreserved' category in URIs.
2.2 ABNF for IRI References and IRIs
While it might be possible to define IRI references and IRIs merely
by their transformation to URI references and URIs, they can also be
accepted and processed directly. Therefore, an ABNF definition for
IRI references (which are the most general concept and the start of
the grammar) and IRIs is given here. The syntax of this ABNF is
described in [RFC2234]. Character numbers are taken from the UCS,
without implying any actual binary encoding.
Duerst & Suignard Expires May 5, 2003 [Page 7]
Internet-Draft Internationalized Resource Identifiers November 2002
The following rules are different from [RFC2396]:
absolute-IRI-reference = absolute-IRI [ "#" ifragment ]
IRI-reference = [ absolute-IRI / relative-IRI ]
[ "#" ifragment ]
absolute-IRI = scheme ":" ( ihier-part / iopaque-part )
relative-IRI = [ inet-path / iabs-path / irel-path ]
[ "?" iquery ]
ihier-part = [ inet-path / iabs-path ] [ "?" iquery ]
iopaque-part = iric-no-slash *iric
iric-no-slash = iunreserved / escaped / "[" / "]" / ";" / "?" /
":" / "@" / "&" / "=" / "+" / "$" / ","
inet-path = "//" iauthority [ iabs-path ]
iabs-path = "/" ipath-segments
irel-path = irel-segment [ iabs-path ]
irel-segment = 1*( iunreserved / escaped / ";" /
"@" / "&" / "=" / "+" / "$" / "," )
iauthority = iserver / ireg-name
ireg-name = 1*( iunreserved / escaped / ";" /
":" / "@" / "&" / "=" / "+" / "$" / "," )
iserver = [ [ iuserinfo "@" ] ihostport ]
iuserinfo = *( iunreserved / escaped / ";" /
":" / "&" / "=" / "+" / "$" / "," )
ihostport = ihost [ ":" port ]
ihost = IPv6reference / IPv4address / ihostname
ihostname = << as specified by [RFCXXXX] >>
ipath = [ iabs-path / iopaque-part ]
ipath-segments = isegment *( "/" isegment )
isegment = *ipchar
ipchar = iunreserved / escaped / ";" /
":" / "@" / "&" / "=" / "+" / "$" / ","
iquery = *( ipchar / "/" / "?" )
ifragment = *( ipchar / "/" / "?" )
iric = reserved / iunreserved / escaped
iunreserved = ichar / unreserved
Duerst & Suignard Expires May 5, 2003 [Page 8]
Internet-Draft Internationalized Resource Identifiers November 2002
ichar = idelims / ucschar / " " / "{" / "}" / "|"
/ "\" / "^" / "`"
idelims = "<" / ">" / DQUOTE
ucschar = %xA0-D7FF / %xF900-FDCF / %xFDF0-FFEF /
/ %x10000-1FFFD / %x20000-2FFFD / %x30000-3FFFD
/ %x40000-4FFFD / %x50000-5FFFD / %x60000-6FFFD
/ %x70000-7FFFD / %x80000-8FFFD / %x90000-9FFFD
/ %xA0000-AFFFD / %xB0000-BFFFD / %xC0000-CFFFD
/ %xD0000-DFFFD / %xE1000-EFFFD
Note that the space character and various delimiters are allowed in
IRIs and IRI references. This is further discussed in Section 5.1.
Duerst & Suignard Expires May 5, 2003 [Page 9]
Internet-Draft Internationalized Resource Identifiers November 2002
The following are the same as [RFC2396bis]:
scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
port = *DIGIT
alphanum = ALPHA / DIGIT
IPv4address = dec-octet 3( "." dec-octet )
dec-octet = DIGIT / ; 0-9
( %x31-39 DIGIT ) / ; 10-99
( "1" 2*DIGIT ) / ; 100-199
( "2" %x30-34 DIGIT ) / ; 200-249
( "25" %x30-35 ) ; 250-255
IPv6reference = "[" IPv6address "]"
IPv6address = ( 7( h4 ":" ) h4 ) /
( "::" 0*6( h4 ":" ) [ h4 ] ) /
( h4 "::" 0*5( h4 ":" ) [ h4 ] ) /
( h4 ":" h4 "::" 0*4( h4 ":" ) [ h4 ] ) /
( h4 2( ":" h4 ) "::" 0*3( h4 ":" ) [ h4 ] ) /
( h4 3( ":" h4 ) "::" 0*2( h4 ":" ) [ h4 ] ) /
( h4 4( ":" h4 ) "::" 0*1( h4 ":" ) [ h4 ] ) /
( 6( h4 ":" ) IPv4address )/
( "::" 0*5( h4 ":" ) IPv4address )/
( h4 "::" 0*4( h4 ":" ) IPv4address )/
( h4 ":" h4 "::" 0*3( h4 ":" ) IPv4address )/
( h4 2( ":" h4 ) "::" 0*2( h4 ":" ) IPv4address )/
( h4 3( ":" h4 ) "::" 0*1( h4 ":" ) IPv4address )
h4 = 1*4HEXDIG
reserved = "[" / "]" / ";" / "/" / "?" /
":" / "@" / "&" / "=" / "+" / "$" / "," /
unreserved = ALPHA / DIGIT / mark
mark = "-" / "_" / "." / "!" / "~" / "*" / "'" /
"(" / ")"
escaped = "%" HEXDIG HEXDIG
2.3 IRI Equivalence and Normalization
There is no general rule or procedure to decide whether two arbitrary
IRIs are equivalent or not (i.e. refer to the same resource or not).
Two IRIs that look almost the same may refer to different resources.
Two IRIs that look completely different may refer to, and resolve to,
the same resource.
In some scenarios, such as XML Namespaces ([XMLNamespace]), a
definite answer to the question of IRI equivalence is needed that is
Duerst & Suignard Expires May 5, 2003 [Page 10]
Internet-Draft Internationalized Resource Identifiers November 2002
independent of the scheme used and always can be calculated quickly
and without accessing a network. In such cases, two IRIs SHOULD be
defined as equivalent if and only if they are character-by-character
equivalent. This is the same as being byte-by-byte equivalent if the
character encoding for both IRIs is the same. As an example,
http://example.org/~user, http://example.org/%7euser, and
http://example.org/%7Euser would not be equivalent. In such a case,
the comparison function MUST NOT map the IRIs to URIs.
It follows from the above that IRIs SHOULD NOT be modified when being
transported.
For actual resolution, differences in escaping (except for the
escaping of reserved characters) MUST always result in the same
resource. For example, http://example.org/~user,
http://example.org/%7euser and http://example.org/%7Euser must
resolve to the same resource. If this kind of equivalence is to be
tested, the escaping of both IRIs to be compared has to be aligned,
for example by converting both IRIs to URIs (see Section 3.1) and
making sure that the case of the hexadecimal characters in the %-
escape is always the same. Such conversions MUST only be done on the
fly, without changing the original IRI.
Specific schemes and resolution mechanisms may define additional
equivalences. For a specific scheme, two IRIs that e.g. differ only
by case may be equivalent. However, this document does not deal with
scheme-specific issues.
The Unicode Standard [UNIV3] defines various equivalences between
sequences of characters for various purposes. Unicode Standard Annex
#15 [UNI15] defines various Normalization Forms for these
equivalences. IRIs SHOULD be created using Normalization Form C
(NFC). Equivalence of IRIs MUST rely on the IRIs being appropriately
pre-normalized, rather than applying normalization, except when
converting from a non-UCS-based encoding to an UCS-based encoding,
where a normalizing transcoder using NFC MUST be used.
As an example, http://www.example.org/résumé.html (in XML
Notation) is in NFC. On the other hand, http://www.example.org/
résumé.html is not in NFC. The former uses precombined
e-acute characters, the later uses 'e' characters followed by
combining acute accents, both are defined as canonically equivalent
in [UNIV3].
Various IRI schemes may allow the usage of International Domain Names
(IDN) [RFCXXXX]. When in use in IRIs, those names SHOULD be
validated using the ToASCII operation defined in [RFCXXXX], with the
flags "UseSTD3ASCIIRules" and "AllowUnassigned". An IRI containing
Duerst & Suignard Expires May 5, 2003 [Page 11]
Internet-Draft Internationalized Resource Identifiers November 2002
an invalid IDN cannot successfully be resolved. For legibility
purposes, IDN components of IRIs SHOULD not be converted into ASCII
Compatible Encoding (ACE). However, this conversion may be applied
when mapping an IRI into an URI, see Section 3.1.
3. Relationship between IRIs and URIs
IRIs are meant to replace URIs in identifying resources for
protocols, formats and software components which use a UCS-based
character repertoire. These protocols and components may never need
to use URIs directly, especially when the resource identifier is used
simply for identification purposes. However, when the resource
identifier is used for resource retrieval, it is in many cases
necessary to determine the associated URI because most retrieval
mechanisms currently only are defined for URIs. (Additional
rationale is given in Section 3.1.)
3.1 Mapping of IRIs to URIs
This section defines how to map an IRI to a URI. Everything in this
section applies also to IRI references and URI references, as well as
components thereof (for example fragment identifiers).
This mapping has two purposes:
a) Syntactical: Many URI schemes and components define additional
syntactical restrictions not captured in Section 2.2. Such
restrictions can be applied to IRIs by noting that IRIs are
only valid if they map to syntactically valid URIs. This means
that such syntactical restrictions do not have to be defined
again on the IRI level.
b) Interpretational: URIs identify resources in various ways.
IRIs also identify resources. When the IRI is used simply for
identification purposes, it is not necessary to map the IRI to
an URI (see Section 2.3). However, when an IRI is used for
resource retrieval, the resource that the IRI locates is the
same as the one located by the URI obtained after converting
the IRI according to the procedure defined here. This means
that there is no need to define resolution separately on the
IRI level.
This mapping is accomplished in two steps.
Step 1) This step generates a UCS-based encoding from the original
IRI format. This step has three variants, depending on the
form of the input.
Duerst & Suignard Expires May 5, 2003 [Page 12]
Internet-Draft Internationalized Resource Identifiers November 2002
Variant A) If the IRI is written on paper or read out loud,
or otherwise represented as a sequence of characters
independent of any encoding: Represent the IRI as a
sequence of characters from the UCS normalized according
to Normalization Form C (NFC, [UNI15]).
Variant B) If the IRI is in some digital representation
(e.g. an octet stream) in some non-Unicode encoding:
Convert the IRI to a sequence of characters from the UCS
normalized according to NFC.
Variant C) If the IRI is in an Unicode-based encoding (for
example UTF-8 or UTF-16): Do not normalize. Move
directly to Step 2.
Step 2) For each character that is disallowed in URI references,
apply steps 1) through 3) below. The disallowed characters
consist of all non-ASCII characters, plus the excluded
characters listed in Section 2.4 of [RFC2396], except for the
number sign (#) and percent sign (%) and the square bracket
characters re-allowed in [RFC2732].
1) Convert the character to a sequence of one or more octets
using UTF-8 [RFC2279].
2) Convert each octet to %hh, where hh is the hexadecimal
notation of the octet value. Note: This is identical to
the escaping mechanism in Section 2.4.1 of [RFC2396].
Note: To reduce variability, the hexadecimal notation
SHOULD use lower case letters.
3) Replace the original character by the resulting character
sequence.
Note that in this process (in step 2.3), characters allowed in URI
references and existing escape sequences are not escaped further.
(This mapping is similar to, but different from, the escaping applied
when including arbitrary content into some part of a URI.) For
example, an IRI of
http://www.example.org/red%09rosé#<red> (in XML notation) is
converted to
http://www.example.org/red%09ros%c3%a9#%3cred%3e, not to something
like
http%3a%2f%2fwww.example.org%2fred%2509ros%c3%a9%23red.
Note that some older software transcoding to UTF-8 may produce
illegal output for some input, in particular for characters outside
the BMP (Basic Multilingual Plane). As an example, for the following
Duerst & Suignard Expires May 5, 2003 [Page 13]
Internet-Draft Internationalized Resource Identifiers November 2002
IRI with non-BMP characters (in XML Notation):
http://example.com/
(the first three letters of the Old Italic alphabet) the correct
conversion to a URI is:
http://example.com/%F0%90%8C%80%F0%90%8C%81%F0%90%8C%82
The above mapping produces a URI fully conforming to [RFC2396] (as
amended by [RFC2732] and [IDNURI]) out of each IRI. The mapping is
also an identity transformation for URIs and is idempotent --
applying the mapping a second time will not change anything. Every
URI is therefore by definition an IRI.
Note: For backwards compatibility with infrastructure that does not
implement the updates of [IDNURI], converters MAY also convert the
'ihostname' part of an IRI using the ToASCII operation specified in
Section 4.1 of [RFCXXXX] between Step 1 and Step 2. Note that the
ToASCII operation may fail. Note that Internationalized Domain Names
may be contained in parts of an IRI other than the 'ihostname' part.
3.2 Converting URIs to IRIs
In some situations, it may be desirable to try to convert a URI into
an equivalent IRI. This section gives a procedure to do such a
conversion. The conversion described in this section will always
result in an IRI which maps back to the URI that was used as an input
for the conversion (except for potential case differences in escape
sequences). However, the IRI resulting from this conversion may not
be exactly the same as the original IRI (if there ever was one).
URI to IRI conversion removes escape sequences, but not all escaping
can be eliminated. There are several reasons for this:
a) Some escape sequences are necessary to distinguish escaped and
unescaped uses of reserved characters.
b) Some escape sequences cannot be interpreted as sequences of
UTF-8 octets.
(Note: Due to the regularities in the octet patterns of UTF-8,
there is a very high probability, but no guarantee, that escape
sequences that can be interpreted as sequences of UTF-8 octets
actually originated from UTF-8. For a detailed discussion, see
[Duer97].)
c) The conversion may result in a character that is not
appropriate in an IRI. See Section 5.1 for further details.
Conversion from a URI to an IRI is done using the following steps (or
Duerst & Suignard Expires May 5, 2003 [Page 14]
Internet-Draft Internationalized Resource Identifiers November 2002
any other algorithm that produces the same result):
1) Represent the URI as a sequence of octets in US-ASCII.
2) Convert all hexadecimal escapes (% followed by two hexadecimal
digits) except those corresponding to '#' and '%' and
characters in 'reserved', to the corresponding octets.
3) Re-escape any octets that are not part of a strictly legal UTF-
8 octet sequence.
4) Re-escape all octets that in UTF-8 represent characters that
are not appropriate according to Section 5.1.
5) Interpret the resulting octet sequence as a sequence of
characters encoded in UTF-8.
This procedure will convert as many escaped non-ASCII characters as
possible to characters in an IRI. Because there are some choices
when applying step 4) (see Section 5.1), results may differ.
4. Bidirectional IRIs for Right-to-left Languages
Some UCS characters, such as those used in the Arabic and Hebrew
script, have an inherent right-to-left writing direction. IRIs
containing such characters (called bidirectional IRIs or Bidi IRIs)
require additional attention because of the non-trivial relation
between logical representation (used for digital representation as
well as when reading/spelling) and visual representation (used for
display/printing).
Because of the complex interaction between the logical
representation, the visual representation, and the syntax of a Bidi
IRI, a balance is needed between various requirements. The main
requirements are (1) user-predictable conversion between visual and
logical representation; (2) the ability to include a wide range of
characters in various parts of the IRI; (3) no or not too big changes
or restrictions for implementations.
4.1 Logical Storage and Visual Presentation
In their internal digital representation, i.e. stored or transmitted
for resolution, bidirectional IRIs MUST be in full logical order, and
MUST conform directly to the IRI syntax rules (which includes the
rules relevant to their scheme). This assures that bidirectional
IRIs can be processed in the same way as other IRIs.
When rendered, bidirectional IRIs MUST be rendered using the Unicode
Duerst & Suignard Expires May 5, 2003 [Page 15]
Internet-Draft Internationalized Resource Identifiers November 2002
Bidirectional Algorithm [UNIV3], [UNI9]. Bidirectional IRIs MUST be
rendered with an overall left-to-right direction.
In text with a left-to-right base directionality or embedding (e.g
English, Cyrillic), the Unicode Bidirectional Algorithm will
automatically use an overall left-to-right direction for the IRI. In
text with a right-to-left base directionality or embedding (e.g.
Arabic or Hebrew), some kind of embedding is needed. This may be
Unicode bidi formatting codes (LRE before the IRI, and PDF after the
IRI, both not part of the IRI itself) or equivalent features of a
higher-order protocol (e.g. the dir='ltr' attribute in HTML).
IRIs MUST NOT contain bidirectional formatting characters (LRM, RLM,
LRE, RLE, LRO, RLO, and PDF). They affect the visual rendering of
the IRI, but do not itself appear visually. It would therefore not
be possible to again correctly input an IRI with such characters.
4.2 Bidi IRI Structure
The Unicode Bidirectional Algorithm is designed mainly for running
text. To make sure that it does not affect the rendering of
bidirectional IRIs too much, some restrictions on bidirectional IRIs
are necessary. These restrictions are given in terms of delimiters
(structural characters, mostly punctuation such as
'@', '.', ':', '/') and components (usually consisting mostly of
letters and digits).
The following syntax rules from Section 2.2 correspond to components
for the purpose of Bidi behavior: iopaquepart, irelsegment, iregname,
iuserinfo, isegment, iparam, ihostname, iquery, and ifragment.
Specifications that define the syntax of any of the above components
MAY divide them further and define smaller parts to be components
according to this document. As an example, the restrictions of
[RFCXXXX] on bidirectional domain names correspond to treating each
label of the domain name as a component. Even where the components
are not defined formally, it may be helpful to think about some
syntax in terms of components and to apply the relevant restrictions.
For example, for the usual name/value syntax in query parts, it is
convenient to treat each name and each value as a component. As
another example, the extensions in a resource name can be treated as
separate components.
For each component, the following restrictions apply:
1) A component SHOULD NOT not use both right-to-left and left-to-
right characters.
Duerst & Suignard Expires May 5, 2003 [Page 16]
Internet-Draft Internationalized Resource Identifiers November 2002
2) A component using right-to-left characters SHOULD start and end
with right-to-left characters.
The above restrictions are given as shoulds, rather than as musts.
For IRIs that are never presented visually, they are not relevant.
However, for IRIs in general, they are very important to insure
consistent conversion between visual presentation and logical
representation, in both directions.
In some components, the above restrictions may actually be strictly
enforced. For example, [RFCXXXX] requires that these restrictions
apply to the labels of the host name part of an IRI. In some other
components, for example path components, following these restrictions
may not be too difficult. For other components, such as parts of the
query part, it may be very difficult to enforce the restrictions,
because the values of query parameters may be arbitrary character
sequences.
In order to satisfy the above restrictions, the affected component
can be mapped to URI notation as described in Section 3.1. Please
note that the whole component needs to be mapped (see also Example 9
below).
4.3 Input of Bidi IRIs
Bidi input methods MUST generate Bidi IRIs in logical order while
rendering them according to Section 4.1. During input, rendering
should be updated after every new character that is input to avoid
end user confusion.
4.4 Examples
This section gives examples of bidirectional IRIs, in Bidi Notation.
It shows legal IRIs with the relationship between logical and visual
representation, and explains how certain phenomena in this
relationship may look strange to somebody not familiar with
bidirectional behavior, but familiar to users of Arabic and Hebrew.
It also shows what happens if the restrictions given in Section 4.2
are not followed. The examples below can be seen at [BidiEx], in
Arabic, Hebrew, and Bidi Notation variants.
Example 1: A single component with right-to-left (rtl) characters is
inverted:
logical representation: http://ab.CDEFGH.ij/kl/mn/op.html,
visual representation: http://ab.HGFEDC.ij/kl/mn/op.html.
Components can be read one-by-one, and each component can be read in
its natural direction.
Duerst & Suignard Expires May 5, 2003 [Page 17]
Internet-Draft Internationalized Resource Identifiers November 2002
Example 2: More than one consecutive component with rtl characters is
inverted as a whole:
logical representation: http://ab.CDE.FGH/ij/kl/mn/op.html,
visual representation: http://ab.HGF.EDC/ij/kl/mn/op.html.
A sequence of rtl components is read rtl, in the same way as a
sequence of rtl words is read rtl in a bidi text.
Example 3: All components of an IRI (except for the scheme) are rtl.
All rtl components are inverted overall:
logical representation: http://AB.CD.EF/GH/IJ/KL?MN=OP;QR=ST#UV,
visual representation: http://VU#TS=RQ;PO=NM?LK/JI/HG/FE.DC.BA.
The whole IRI (except the scheme) is read rtl. Delimiters between
rtl components stay between the respective components; delimiters
between ltr and rtl components don't move.
Example 4: Several sequences of rtl components are each inverted on
their own:
logical representation: http://AB.CD.ef/gh/IJ/KL.html,
visual representation: http://DC.BA.ef/gh/LK/JI.html.
Each sequence of rtl components is read rtl, in the same way as each
sequence of rtl words in an ltr text is read rtl.
Example 5: Example 2, applied to components of different kinds:
logical representation: http://ab.cd.EF/GH/ij/kl.html,
visual representation: http://ab.cd.HG/FE/ij/kl.html.
The inversion of the domain name label and the path component may be
unexpected, but is consistent with other bidi behavior.
Example 6: Same as example 5, with more rtl components:
logical representation: http://ab.CD.EF/GH/IJ/kl.html,
visual representation: http://ab.JI/HG/FE.DC/kl.html.
The inversion of the domain name labels and the path components may
be easier to identify because the delimiters also move.
Example 7: A single rtl component with included digits:
logical representation: http://ab.CDE123FGH.ij/kl/mn/op.html,
visual representation: http://ab.HGF123EDC.ij/kl/mn/op.html.
Numbers are written ltr in all cases, but are treated as an
additional embedding inside a run of rtl characters. This is
completely consistent with usual bidirectional text.
Example 8 (not allowed): Numbers at the start or end of a rtl
component:
logical representation: http://ab.cd.ef/GH1/2IJ/KL.html,
visual representation: http://ab.cd.ef/LK/JI1/2HG.html.
The sequence '1/2' is interpreted by the bidi algorithm as a
fraction, fragmenting the components and leading to confusion. There
are other characters that are interpreted in a special way close to
Duerst & Suignard Expires May 5, 2003 [Page 18]
Internet-Draft Internationalized Resource Identifiers November 2002
numbers, in particular '+', '-', '#', '$', '%', ',', '.', and ':'.
Example 9 (not allowed): The numbers in the previous example are
escaped:
logical representation: http://ab.cd.ef/GH%31/%32IJ/KL.html,
visual representation (Hebrew): http://ab.cd.ef/LK/JI%32/%31HG.html,
visual representation (Arabic): http://ab.cd.ef/LK/JI32%/31%HG.html.
Depending on whether the upper-case letters represent Arabic or
Hebrew, the visual representation is different.
5. Use of IRIs
5.1 Limitations on UCS Characters Allowed in IRIs
This section discusses the limitations on characters and character
sequences usable for IRIs. The considerations in this section are
relevant when creating IRIs and when converting from URIs to IRIs.
a) The repertoire of characters allowed in each IRI component is
limited by the definition of that component. For example, the
definition of the scheme component does not allow characters
beyond US-ASCII.
(Note: In accordance with URI practice, generic IRI software
cannot and should not check for such limitations.)
b) In the URI syntax, characters that are likely to be used to
delimit URIs in text and print ("space", "delims", and
"unwise") were excluded. They are included in the IRI syntax
(with the exception of '%', which cannot be used directly, and
'#', which is used in IRI references), for the following
reasons:
1) The syntax includes many other characters that are not
appropriate in many cases.
2) Some implementation practice already allows them in URI
references (for example spaces in fragment identifiers).
3) It is very convenient in some cases, for example for
XPointers in XML attributes.
4) Considering context is already necessary in the case of
URIs, for example for "&" in XML.
However, these characters should be avoided where possible.
Whenever there is a chance that an IRI will be used in a
component where these characters can be harmful, they should be
Duerst & Suignard Expires May 5, 2003 [Page 19]
Internet-Draft Internationalized Resource Identifiers November 2002
escaped from the start.
c) The UCS contains many areas of characters for which there are
strong visual look-alikes. Because of the likelihood of
transcription errors, these also should be avoided. This
includes the full-width equivalents of ASCII characters, half-
width Katakana characters for Japanese, and many others. This
also includes many look-alikes of "space", "delims", and
"unwise", characters excluded in [RFC2396].
Additional information is available from [UNIXML]. [UNIXML] is
written in the context of running text rather than in the context of
identifiers. Nevertheless, it discusses many of the categories of
characters and code points not appropriate for IRIs.
5.2 Software Interfaces and Protocols
Although an IRI is defined as a sequence of characters, software
interfaces for URIs typically function on sequences of octets or
other kinds of code units. Thus, software interfaces and protocols
MUST define which character encoding is used.
Intermediate software interfaces between IRI-capable components and
URI-only components MUST map the IRIs as per Section 3.1, when
transferring from IRI-capable to URI-only components. Such a mapping
SHOULD be applied as late as possible. It should not be applied
between components that are known to be able to handle IRIs.
5.3 Format of URIs and IRIs in Documents and Protocols
Document formats that transport URIs may need to be upgraded to allow
the transport of IRIs. In those cases where the document as a whole
has a native character encoding, IRIs MUST also be encoded in this
encoding, and converted accordingly by a parser or interpreter. IRI
characters that are not expressible in the native encoding SHOULD be
escaped using the escaping conventions of the document format if such
conventions are available. Alternatively, they MAY be escaped
according to Section 3.1. For example, in HTML, XML, or SGML,
numeric character references should be used. If a document as a
whole has a native character encoding, and that character encoding is
not UTF-8, then IRIs MUST NOT be placed into the document in the UTF-
8 character encoding.
Note: Some formats already accommodate IRIs, although they use
different terminology. HTML 4.0 [HTML4] defines the conversion from
IRIs to URIs as error-avoiding behavior. XML 1.0 [XML1], XLink
[XLink], and XML Schema [XMLSchema] and specifications based upon
them allow IRIs. Also, it is expected that all relevant new W3C
Duerst & Suignard Expires May 5, 2003 [Page 20]
Internet-Draft Internationalized Resource Identifiers November 2002
formats and protocols will be required to handle IRIs [CharMod].
5.4 Relative IRI References
Processing of relative forms of IRIs against a base is handled
straightforwardly; the algorithms of RFC 2396 may be applied
directly, treating the characters additionally allowed in IRIs in the
same way as unreserved characters in URIs.
6. URI/IRI Processing Guidelines (informative)
This informative section provides guidelines for supporting IRIs in
the same software components and operations that currently process
URIs: software interfaces that handle URIs, software that allows
users to enter URIs, software that generates URIs, software that
displays URIs, formats and protocols that transport URIs, and
software that interprets URIs. These may all require more or less
modification before functioning properly with IRIs. The
considerations in this section also apply to URI references and IRI
references.
6.1 URI/IRI Software Interfaces
Software interfaces that handle URIs, such as URI-handling APIs and
protocols transferring URIs, need interfaces and protocol elements
that are designed to carry IRIs.
In case the current handling in an API or protocol is based on US-
ASCII, UTF-8 is recommended as the encoding for IRIs, because this is
compatible with US-ASCII, is in accordance with the recommendations
of [RFC2277], and makes it easy to convert to URIs where necessary.
In any case, the encoding used must not be left undefined.
The transfer from URI-only to IRI-capable components requires no
mapping, although the conversion described in Section 3.2 above may
be performed. It is preferable not to perform this inverse
conversion when there is a chance that this cannot be done correctly.
6.2 URI/IRI Entry
There are components that allow users to enter URIs into the system,
for example, by typing or dictation. This software must be updated
to allow for IRI entry.
A person viewing a visual representation of an IRI (as a sequence of
glyphs, in some order, in some visual display) or hearing an IRI,
will use a entry method for characters in the user's language to
input the IRI. Depending on the script and the input method used,
Duerst & Suignard Expires May 5, 2003 [Page 21]
Internet-Draft Internationalized Resource Identifiers November 2002
this may be a more or less complicated process.
The process of IRI entry must assure, as far as possible, that the
restrictions defined in Section 2.2 are met. This may be done by
choosing appropriate input methods or variants/settings thereof, by
appropriately converting the characters being input, by eliminating
characters that cannot be converted, and/or by issuing a warning or
error message to the user.
As an example of variant settings, input method editors for East
Asian Languages usually allow to input Latin letters and related
characters in full-width or half-width versions. For IRI input, the
input method editor should be set to half-width input, in order to
produce US-ASCII characters where possible.
An input field primarily or only used for the input of URIs/IRIs
should allow the user to view an IRI as mapped to a URI. Places
where the input of IRIs is frequent should provide the possibility
for viewing an IRI as mapped to a URI. This will help users when
some of the software they use does not yet accept IRIs.
An IRI input component that interfaces to components that handle
URIs, but not IRIs, must map the the IRI to an URI before passing it
to such a component.
For the input of IRIs with right-to-left characters, please see
Section 4.3.
6.3 URI/IRI Transfer Between Applications
Many applications, in particular many mail user agents, try to detect
URIs appearing in plain text. For this, they use some heuristics
based on URI syntax. They then allow the user to click on such URIs
and retrieve the corresponding resource in an appropriate (usually
scheme-dependent) application.
Such applications have to be upgraded to use the IRI syntax rather
than the URI syntax as a base for heuristics. In particular, a non-
ASCII character should not be taken as the indication of the end of
an IRI. Such applications also have to make sure that they correctly
convert the detected IRI from the encoding of the document or
application where the IRI appears to the encoding used by the system-
wide IRI invocation mechanism, or to an URI (according to Section
3.1) if the system-wide invocation mechanism only accepts URIs.
The clipboard is another frequently used way to transfer URIs and
IRIs from one application to another. On most platforms, the
clipboard is able to store and transfer text in many languages and
Duerst & Suignard Expires May 5, 2003 [Page 22]
Internet-Draft Internationalized Resource Identifiers November 2002
scripts. Correctly used, the clipboard transfers characters, not
bytes, which will do the right thing with IRIs.
6.4 URI/IRI Generation
Systems that are offering resources through the Internet, where those
resources have logical names, sometimes automatically generate URIs
for the resources they offer. For example, some HTTP servers can
generate a directory listing for a file directory, and then respond
to the generated URIs with the files.
Many legacy character encodings are in use in various file systems.
Many currently deployed systems do not transform the local character
representation of the underlying system before generating URIs.
For maximum interoperability, systems that generate resource
identifiers should do the appropriate transformations. They should
use IRIs converted to URIs in cases where it cannot be expected that
the recipient is able to handle IRIs. Due to the way most user
agents currently work, native IRIs, encoded in UTF-8, may be used if
the recipient announces that it can interpret UTF-8. This requires
that the whole page is sent as UTF-8. If this is not possible,
escaping can always be used.
This recommendation in particular applies to HTTP servers. For FTP
servers, similar considerations apply, see in particular [RFC2640].
6.5 URI/IRI Selection
In some cases, resource owners and publishers have control over the
IRIs used to identify their resources. Such control is mostly
executed by controlling the resource names, such as file names,
directly.
In such cases, it is recommended to avoid choosing IRIs that are
easily confused. For example, for US-ASCII, the lower-case ell "l"
is easily confused with the digit one "1", and the upper-case oh "O"
is easily confused with the digit zero "0". Publishers should avoid
confusing users with "br0ken" or "1ame" identifiers.
Outside of the US-ASCII range, there are many more opportunities for
confusion; a complete set of guidelines is too lengthy to include
here. As long as names are limited to characters from a single
script, native writers of a given script or language will know best
when ambiguities can appear, and how they can be avoided. What may
look ambiguous to a stranger may be completely obvious to the average
native user. On the other hand, in some cases, the UCS contains
variants for compatibility reasons, for example for typographic
Duerst & Suignard Expires May 5, 2003 [Page 23]
Internet-Draft Internationalized Resource Identifiers November 2002
purposes. These should be avoided wherever possible. Although there
may be exceptions, in general newly created resource names should be
in NFKC [UNI15] (which means that they are also in NFC).
As an example, the UCS contains codepoint U+FB01 for the 'fi'
ligature for compatibility reasons. Wherever possible, IRIs should
use the two letters 'f' and 'i' rather than the 'fi' ligature. An
example where the later may be used is in the query part of an IRI
for an explicit search for a word containing the 'fi' ligature
codepoint.
In certain cases, there is a chance that characters from different
scripts look the same. The best known example is the Latin 'A', the
Greek 'Alpha', and the Cyrillic 'A'. To avoid such cases, only IRIs
should be generated where all the characters in a single component
are used together in a given language. This usually means that all
these characters will be from the same script, but there are
languages that mix characters from different scripts (such as
Japanese). This is similar to the heuristics used to distinguish
between letters and numbers in the examples above. Also, for Latin,
Greek, and Cyrillic, using lower-case letters results in fewer
ambiguities than using upper-case letters.
6.6 Display of URIs/IRIs
In situations where the rendering software is not expected to display
non-ASCII parts of the IRI correctly using the available layout and
font resources, these parts should be escaped before being displayed.
For display of Bidi IRIs, please see Section 4.1.
6.7 Interpretation of URIs and IRIs
Software that interprets IRIs as the names of local resources should
accept IRIs in multiple forms, and convert and match them with the
appropriate local resource names.
First, multiple representations include both IRIs in the native
character encoding of the protocol and also their URI counterparts.
Second, it may include URIs constructed based on other character
encodings than UTF-8. Such URIs may be produced by user agents that
do not conform to this specification and use legacy encodings to
convert non-ASCII characters to URIs. Whether this is necessary, and
what character encodings to cover, depends on a number of factors,
such as the legacy character encodings used locally and the
distribution of various versions of user agents. For example,
software for Japanese may accept URIs in Shift_JIS and/or EUC-JP in
Duerst & Suignard Expires May 5, 2003 [Page 24]
Internet-Draft Internationalized Resource Identifiers November 2002
addition to UTF-8.
Third, it may include additional mappings to be more user-friendly
and robust against transmission errors. These would be similar to
how currently some servers treat URIs as case-insensitive, or perform
additional matching to account for spelling errors. For characters
beyond the ASCII repertoire, this may for example include ignoring
the accents on received IRIs or resource names where appropriate.
Please note that such mappings, including case mappings, are
language-dependent.
It can be difficult to unambiguously identify a resource if too many
mappings are taken into consideration. However, escaped and non-
escaped parts of IRIs can always clearly be distinguished. Also, the
regularity of UTF-8 (see [Duer97]) makes the potential for collisions
lower than it may seem at first sight.
6.8 Upgrading Strategy
Where this recommendation places further constraints on software for
which many instances are already deployed, it is important to
introduce upgrades carefully, and to be aware of the various
interdependencies.
If IRIs cannot be interpreted correctly, they should not be generated
or transported. This suggests that upgrading URI interpreting
software to accept IRIs should have highest priority.
On the other hand, a single IRI is interpreted only by a single or
very few interpreters that are known in advance, while it may be
entered and transported very widely.
Therefore, IRIs benefit most from a broad upgrade of software to be
able to enter and transport IRIs, but before publishing any
individual IRI, care should be taken to upgrade the corresponding
interpreting software in order to cover the forms expected to be
received by various versions of entry and transport software.
The upgrade of generating software to generate IRIs instead of a
local encoding should happen only after the service is upgraded to
accept IRIs. Similarly, IRIs should only be generated when the
service accepts IRIs and the intervening infrastructure and protocol
is known to transport them safely.
Display software should be upgraded only after upgraded entry
software has been widely deployed to the population that will see the
displayed result.
Duerst & Suignard Expires May 5, 2003 [Page 25]
Internet-Draft Internationalized Resource Identifiers November 2002
These recommendations, when taken together, will allow for the
extension from URIs to IRIs in order to handle scripts other than
ASCII while minimizing interoperability problems.
7. Security Considerations
Incorrect escaping or unescaping can lead to security problems. In
particular, some UTF-8 decoders do not check against overlong byte
sequences. As an example, a '/' is encoded with the byte 0x2F both
in UTF-8 and in ASCII, but some UTF-8 decoders also wrongly interpret
the sequence 0xC0 0xAF as a '/'. A sequence such as '%C0%AF..' may
pass some security tests and then be interpreted as '/..' in a path
if UTF-8 decoders are fault-tolerant, if conversion and checking are
not done in the right order, and/or if reserved characters and
unreserved characters are not clearly distinguished.
There are various ways in which "spoofing" can occur with IRIs.
"Spoofing" means that somebody may add a resource name that looks the
same or similar to the user, but points to a different resource. The
added resource may pretend to be the real resource by looking very
similar, but may contain all kinds of changes that may be difficult
to spot but can cause all kinds of problems. Most spoofing
possibilities for IRIs are extensions of those for URIs.
Spoofing can occur for various reasons. A first reason is that
normalization expectations of a user or actual normalization when
entering an IRI do not match the normalization used on the server
side. Conceptually, this is no different from the problems
surrounding the use of case-insensitive web servers. For example, a
popular web page with a mixed case name (http://big.site/
PopularPage.html) might be "spoofed" by someone who is able to create
http://big.site/popularpage.html. However, the introduction of
character normalization, and of additional mappings for user
convenience, may increase the chance for spoofing.
Spoofing can occur because in the UCS, there are many characters that
look very similar. Details are discussed in Section 6.5. Again,
this is very similar to spoofing possibilities on US-ASCII, e.g.
using 'br0ken' or '1ame' URIs.
Spoofing can occur when URIs in various encodings are accepted to
deal with older user agents. In some cases, in particular for Latin-
based resource names, this is usually easy to detect because UTF-8-
encoded names, when interpreted and viewed as legacy encodings,
produce mostly garbage. In other cases, when concurrently used
encodings have a similar structure, but there are no characters that
have exactly the same encoding, detection is more difficult.
Duerst & Suignard Expires May 5, 2003 [Page 26]
Internet-Draft Internationalized Resource Identifiers November 2002
Spoofing can occur in various IRI components, such as the domain name
part or a path part. For considerations specific to the domain name
part, see [Nameprep]. For the path part, administrators of sites
which allow independent users to create resources in the same subarea
may need to be careful to check for spoofing.
Spoofing can occur with bidirectional IRIs, if the restrictions in
Section 4.2 are not followed. The same visual representation may be
interpreted as different logical representations, and vice versa. It
is also very important that a correct Unicode bidirectional
implementation is used.
8. Change log
8.1 Changes from -01 to -02
- New approach for Bidi section, many examples.
- Created idelims, removed '%' and '#'. Changed userinfo to
iuserinfo in iserver.
- Changed to ABNF defined by [RFC2234].
- Included bug fixes from [RFC2396bis].
- Additions to Acknowledgements.
8.2 Changes from -00 to -01
- Re-integrated the section on Bidi, some issues left.
- Integrated IDN, changed syntax (host, userinfo,....).
- Moved some text around, marked some as informational.
- Made a clear distinction of IRI use for identification only and
for resource resolution.
- Fixed various details in wording, spelling,...
9. Acknowledgements
We would like to thank Larry Masinter for his work as coauthor of
many earlier versions of this document (draft-masinter-url-i18n-xx).
The discussion on the issue addressed here has started a long time
Duerst & Suignard Expires May 5, 2003 [Page 27]
Internet-Draft Internationalized Resource Identifiers November 2002
ago. There was a thread in the HTML working group in August 1995
(under the topic of "Globalizing URIs") and in the www-international
mailing list in July 1996 (under the topic of "Internationalization
and URLs"), and ad-hoc meetings at the Unicode conferences in
September 1995 and September 1997.
Thanks to Francois Yergeau, Matti Allouche, Roy Fielding, Tim
Berners-Lee, Mark Davis, M.T. Carrasco Benitez, James Clark, Tim
Bray, Chris Wendt, Yaron Goland, Andrea Vine, Misha Wolf, Leslie
Daigle, Ted Hardie, Makoto MURATA, Steven Atkin, Ryan Stansifer, Tex
Texin, Graham Klyne, Bjoern Hoehrmann, Chris Lilly, Dan Oscarson,
Elliotte Rusty Harold, Mike J. Brown, Carlos Viegas Damasio, and
many others for help with understanding the issues and possible
solutions, and getting the details right. Thanks also to the members
of the W3C I18N Working Group and Interest Group for their
contributions and their work on [CharMod], to the members of many
other W3C WGs for adopting the ideas, and to the members of the
Montreal IAB Workshop on Internationalization and Localization for
their review.
Normative References
[ISO10646] International Organization for Standardization,
"Information Technology - Universal Multiple-Octet Coded
Character Set (UCS) - Part 1: Architecture and Basic
Multilingual Plane - Part 2: Supplementary Planes", ISO
Standard 10646, with amendment, July 2002.
[RFC2234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997.
[RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO
10646", RFC 2279, January 1998.
[RFC2396] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform
Resource Identifiers (URI): Generic Syntax", RFC 2396,
August 1998.
[RFC2732] Hinden, R., Carpenter, B. and L. Masinter, "Format for
Literal IPv6 Addresses in URL's", RFC 2732, December
1999.
[RFCXXXX] Faltstrom, P., Hoffman, P. and A. Costello,
"Internationalizing Domain Names in Applications (IDNA)",
draft-ietf-idn-idna-14.txt (work in progress), October
2002, <http://www.ietf.org/internet-drafts/draft-ietf-
idn-idna-14.txt>.
Duerst & Suignard Expires May 5, 2003 [Page 28]
Internet-Draft Internationalized Resource Identifiers November 2002
[UNI15] Davis, M. and M. Duerst, "Unicode Normalization Forms",
Unicode Standard Annex #15, March 2001, <http://
www.unicode.org/unicode/reports/tr15/tr15-21.html>.
Non-normative References
[BidiEx] "Examples of bidirectional IRIs", <http://www.w3.org/
International/iri-edit/BidiExamples>.
[CharMod] Duerst, M., Yergeau, F., Ishida, R., Wolf, M.,
Freytag, A. and T. Texin, "Character Model for the
World Wide Web", World Wide Web Consortium Working
Draft, April 2002, <http://www.w3.org/TR/charmod>.
[Duer97] Duerst, M., "The Properties and Promises of UTF-8",
Proc. 11th International Unicode Conference, San Jose
, September 1997, <http://www.ifi.unizh.ch/mml/
mduerst/papers/PDF/IUC11-UTF-8.pdf>.
[Duer01] Duerst, M., "Internationalized Resource Identifiers:
From Specification to Testing", Proc. 19th
International Unicode Conference, San Jose ,
September 2001, <http://www.w3.org/2001/Talks/0912-
IUC-IRI/paper.html>.
[HTML4] Raggett, D., Le Hors, A. and I. Jacobs, "HTML 4.01
Specification", World Wide Web Consortium
Recommendation, December 1999, <http://www.w3.org/TR/
REC-html40/appendix/notes.html#h-B.2>.
[IDNURI] Duerst, M., "Internationalized Domain Names in URIs",
draft-ietf-idn-uri-03.txt (work in progress), July
2002, <http://www.ietf.org/internet-drafts/draft-
ietf-idn-uri-03.txt>.
[Nameprep] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep
Profile for Internationalized Domain Names", draft-
ietf-idn-nameprep-11.txt (work in progress), June
2002, <http://www.ietf.org/internet-drafts/draft-
ietf-idn-nameprep-11.txt>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2130] Weider, C., Preston, C., Simonsen, K., Alvestrand,
H., Atkinson, R., Crispin, M. and P. Svanberg, "The
Report of the IAB Character Set Workshop held 29
February - 1 March, 1996", RFC 2130, April 1997.
Duerst & Suignard Expires May 5, 2003 [Page 29]
Internet-Draft Internationalized Resource Identifiers November 2002
[RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997.
[RFC2192] Newman, C., "IMAP URL Scheme", RFC 2192, September
1997.
[RFC2277] Alvestrand, H., "IETF Policy on Character Sets and
Languages", BCP 18, RFC 2277, January 1998.
[RFC2384] Gellens, R., "POP URL Scheme", RFC 2384, August 1998.
[RFC2396bis] Berners-Lee, T., Fielding, R. and L. Masinter,
"Uniform Resource Identifier (URI): Generic Syntax",
Internet-Draft (work in progress), October 2002.
[RFC2397] Masinter, L., "The "data" URL scheme", RFC 2397,
August 1998.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Nielsen, H.,
Masinter, L., Leach, P. and T. Berners-Lee,
"Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616,
June 1999.
[RFC2640] Curtin, B., "Internationalization of the File
Transfer Protocol", RFC 2640, July 1999.
[RFC2718] Masinter, L., Alvestrand, H., Zigmond, D. and R.
Petke, "Guidelines for new URL Schemes", RFC 2718,
November 1999.
[UNIV3] The Unicode Consortium, "The Unicode Standard Version
3.0", Addison-Wesley, Reading, MA , 2000.
[UNI9] Davis, M., "The Bidirectional Algorithm", Unicode
Standard Annex #9, March 2002, <http://
www.unicode.org/unicode/reports/tr9>.
[UNIXML] Duerst, M. and A. Freytag, "Unicode in XML and other
Markup Languages", Unicode Technical Report #20,
World Wide Web Consortium Note, February 2002,
<http://www.w3.org/TR/unicode-xml/>.
[W3CIRI] Duerst, M., "Internationalization - URIs and other
identifiers", World Wide Web Consortium Note,
September 2002, <http://www.w3.org/International/O-
URL-and-ident.html>.
[XLink] DeRose, S., Maler, E. and D. Orchard, "XML Linking
Language (XLink) Version 1.0", World Wide Web
Duerst & Suignard Expires May 5, 2003 [Page 30]
Internet-Draft Internationalized Resource Identifiers November 2002
Consortium Recommendation, June 2001, <http://
www.w3.org/TR/xlink/#link-locators>.
[XML1] Bray, T., Paoli, J., Sperberg-McQueen, C. and E.
Maler, "Extensible Markup Language (XML) 1.0 (Second
Edition)", World Wide Web Consortium Recommendation,
including Erratum 26 at http://www.w3.org/XML/xml-
V10-2e-errata#E26, October 2000, <http://www.w3.org/
TR/REC-xml#sec-external-ent>.
[XMLNamespace] Bray, T., Hollander, D. and A. Layman, "Namespaces in
XML", World Wide Web Consortium Recommendation,
January 1999, <http://www.w3.org/TR/REC-xml#sec-
external-ent>.
[XMLSchema] Biron, P. and A. Malhotra, "XML Schema Part 2:
Datatypes", World Wide Web Consortium Recommendation,
May 2001, <http://www.w3.org/TR/xmlschema-2/#anyURI>.
Authors' Addresses
Martin Duerst (Note: Please write "Duerst" with u-umlaut
wherever possible, for example as
"Dürst" in XML and HTML.)
World Wide Web Consortium
200 Technology Square
Cambridge, MA 02139
U.S.A.
Phone: +1 617 253 5509
Fax: +1 617 258 5999
EMail: duerst@w3.org
URI: http://www.w3.org/People/D%C3%BCrst/
(Note: This is the escaped form of an IRI.)
Michel Suignard
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
U.S.A.
Phone: +1 425 882-8080
EMail: mailto:michelsu@microsoft.com
URI: http://www.suignard.com
Duerst & Suignard Expires May 5, 2003 [Page 31]
Internet-Draft Internationalized Resource Identifiers November 2002
Full Copyright Statement
Copyright (C) The Internet Society (2002). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Duerst & Suignard Expires May 5, 2003 [Page 32]