7564
PROPOSED STANDARD
PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols (Obsoleted)
Authors: P. Saint-Andre, M. Blanchet
Date: May 2015
Area: app
Working Group: precis
Stream: IETF
Abstract
Application protocols using Unicode characters in protocol strings need to properly handle such strings in order to enforce internationalization rules for strings placed in various protocol slots (such as addresses and identifiers) and to perform valid comparison operations (e.g., for purposes of authentication or authorization). This document defines a framework enabling application protocols to perform the preparation, enforcement, and comparison of internationalized strings ("PRECIS") in a way that depends on the properties of Unicode characters and thus is agile with respect to versions of Unicode. As a result, this framework provides a more sustainable approach to the handling of internationalized strings than the previous framework, known as Stringprep (RFC 3454). This document obsoletes RFC 3454.
RFC 7564
Obsoleted by: 8264 PROPOSED STANDARD
Errata Exist
Internet Engineering Task Force (IETF) P. Saint-Andre
Request for Comments: 7564 &yet
Obsoletes: <a href="./rfc3454">3454</a> M. Blanchet
Category: Standards Track Viagenie
ISSN: 2070-1721 May 2015
<span class="h1">PRECIS Framework: Preparation, Enforcement, and Comparison of</span>
<span class="h1">Internationalized Strings in Application Protocols</span>
Abstract
Application protocols using Unicode characters in protocol strings
need to properly handle such strings in order to enforce
internationalization rules for strings placed in various protocol
slots (such as addresses and identifiers) and to perform valid
comparison operations (e.g., for purposes of authentication or
authorization). This document defines a framework enabling
application protocols to perform the preparation, enforcement, and
comparison of internationalized strings ("PRECIS") in a way that
depends on the properties of Unicode characters and thus is agile
with respect to versions of Unicode. As a result, this framework
provides a more sustainable approach to the handling of
internationalized strings than the previous framework, known as
Stringprep (<a href="./rfc3454">RFC 3454</a>). This document obsoletes <a href="./rfc3454">RFC 3454</a>.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="https://www.rfc-editor.org/info/rfc7564">http://www.rfc-editor.org/info/rfc7564</a>.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 1]</span><span id="page-2" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-4">4</a>
<a href="#section-2">2</a>. Terminology .....................................................<a href="#page-7">7</a>
<a href="#section-3">3</a>. Preparation, Enforcement, and Comparison ........................<a href="#page-7">7</a>
<a href="#section-4">4</a>. String Classes ..................................................<a href="#page-8">8</a>
<a href="#section-4.1">4.1</a>. Overview ...................................................<a href="#page-8">8</a>
<a href="#section-4.2">4.2</a>. IdentifierClass ............................................<a href="#page-9">9</a>
<a href="#section-4.2.1">4.2.1</a>. Valid ...............................................<a href="#page-9">9</a>
<a href="#section-4.2.2">4.2.2</a>. Contextual Rule Required ...........................<a href="#page-10">10</a>
<a href="#section-4.2.3">4.2.3</a>. Disallowed .........................................<a href="#page-10">10</a>
<a href="#section-4.2.4">4.2.4</a>. Unassigned .........................................<a href="#page-11">11</a>
<a href="#section-4.2.5">4.2.5</a>. Examples ...........................................<a href="#page-11">11</a>
<a href="#section-4.3">4.3</a>. FreeformClass .............................................<a href="#page-11">11</a>
<a href="#section-4.3.1">4.3.1</a>. Valid ..............................................<a href="#page-11">11</a>
<a href="#section-4.3.2">4.3.2</a>. Contextual Rule Required ...........................<a href="#page-12">12</a>
<a href="#section-4.3.3">4.3.3</a>. Disallowed .........................................<a href="#page-12">12</a>
<a href="#section-4.3.4">4.3.4</a>. Unassigned .........................................<a href="#page-12">12</a>
<a href="#section-4.3.5">4.3.5</a>. Examples ...........................................<a href="#page-12">12</a>
<a href="#section-5">5</a>. Profiles .......................................................<a href="#page-13">13</a>
<a href="#section-5.1">5.1</a>. Profiles Must Not Be Multiplied beyond Necessity ..........<a href="#page-13">13</a>
<a href="#section-5.2">5.2</a>. Rules .....................................................<a href="#page-14">14</a>
<a href="#section-5.2.1">5.2.1</a>. Width Mapping Rule .................................<a href="#page-14">14</a>
<a href="#section-5.2.2">5.2.2</a>. Additional Mapping Rule ............................<a href="#page-14">14</a>
<a href="#section-5.2.3">5.2.3</a>. Case Mapping Rule ..................................<a href="#page-14">14</a>
<a href="#section-5.2.4">5.2.4</a>. Normalization Rule .................................<a href="#page-15">15</a>
<a href="#section-5.2.5">5.2.5</a>. Directionality Rule ................................<a href="#page-15">15</a>
<a href="#section-5.3">5.3</a>. A Note about Spaces .......................................<a href="#page-16">16</a>
<a href="#section-6">6</a>. Applications ...................................................<a href="#page-17">17</a>
<a href="#section-6.1">6.1</a>. How to Use PRECIS in Applications .........................<a href="#page-17">17</a>
<a href="#section-6.2">6.2</a>. Further Excluded Characters ...............................<a href="#page-18">18</a>
<a href="#section-6.3">6.3</a>. Building Application-Layer Constructs .....................<a href="#page-18">18</a>
<a href="#section-7">7</a>. Order of Operations ............................................<a href="#page-19">19</a>
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 2]</span><span id="page-3" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
<a href="#section-8">8</a>. Code Point Properties ..........................................<a href="#page-20">20</a>
<a href="#section-9">9</a>. Category Definitions Used to Calculate Derived Property ........<a href="#page-22">22</a>
<a href="#section-9.1">9.1</a>. LetterDigits (A) ..........................................<a href="#page-23">23</a>
<a href="#section-9.2">9.2</a>. Unstable (B) ..............................................<a href="#page-23">23</a>
<a href="#section-9.3">9.3</a>. IgnorableProperties (C) ...................................<a href="#page-23">23</a>
<a href="#section-9.4">9.4</a>. IgnorableBlocks (D) .......................................<a href="#page-23">23</a>
<a href="#section-9.5">9.5</a>. LDH (E) ...................................................<a href="#page-23">23</a>
<a href="#section-9.6">9.6</a>. Exceptions (F) ............................................<a href="#page-23">23</a>
<a href="#section-9.7">9.7</a>. BackwardCompatible (G) ....................................<a href="#page-23">23</a>
<a href="#section-9.8">9.8</a>. JoinControl (H) ...........................................<a href="#page-24">24</a>
<a href="#section-9.9">9.9</a>. OldHangulJamo (I) .........................................<a href="#page-24">24</a>
<a href="#section-9.10">9.10</a>. Unassigned (J) ...........................................<a href="#page-24">24</a>
<a href="#section-9.11">9.11</a>. ASCII7 (K) ...............................................<a href="#page-24">24</a>
<a href="#section-9.12">9.12</a>. Controls (L) .............................................<a href="#page-24">24</a>
<a href="#section-9.13">9.13</a>. PrecisIgnorableProperties (M) ............................<a href="#page-24">24</a>
<a href="#section-9.14">9.14</a>. Spaces (N) ...............................................<a href="#page-25">25</a>
<a href="#section-9.15">9.15</a>. Symbols (O) ..............................................<a href="#page-25">25</a>
<a href="#section-9.16">9.16</a>. Punctuation (P) ..........................................<a href="#page-25">25</a>
<a href="#section-9.17">9.17</a>. HasCompat (Q) ............................................<a href="#page-25">25</a>
<a href="#section-9.18">9.18</a>. OtherLetterDigits (R) ....................................<a href="#page-25">25</a>
<a href="#section-10">10</a>. Guidelines for Designated Experts .............................<a href="#page-26">26</a>
<a href="#section-11">11</a>. IANA Considerations ...........................................<a href="#page-27">27</a>
<a href="#section-11.1">11.1</a>. PRECIS Derived Property Value Registry ...................<a href="#page-27">27</a>
<a href="#section-11.2">11.2</a>. PRECIS Base Classes Registry .............................<a href="#page-27">27</a>
<a href="#section-11.3">11.3</a>. PRECIS Profiles Registry .................................<a href="#page-28">28</a>
<a href="#section-12">12</a>. Security Considerations .......................................<a href="#page-29">29</a>
<a href="#section-12.1">12.1</a>. General Issues ...........................................<a href="#page-29">29</a>
<a href="#section-12.2">12.2</a>. Use of the IdentifierClass ...............................<a href="#page-30">30</a>
<a href="#section-12.3">12.3</a>. Use of the FreeformClass .................................<a href="#page-30">30</a>
<a href="#section-12.4">12.4</a>. Local Character Set Issues ...............................<a href="#page-31">31</a>
<a href="#section-12.5">12.5</a>. Visually Similar Characters ..............................<a href="#page-31">31</a>
<a href="#section-12.6">12.6</a>. Security of Passwords ....................................<a href="#page-33">33</a>
<a href="#section-13">13</a>. Interoperability Considerations ...............................<a href="#page-34">34</a>
<a href="#section-13.1">13.1</a>. Encoding .................................................<a href="#page-34">34</a>
<a href="#section-13.2">13.2</a>. Character Sets ...........................................<a href="#page-34">34</a>
<a href="#section-13.3">13.3</a>. Unicode Versions .........................................<a href="#page-34">34</a>
13.4. Potential Changes to Handling of Certain Unicode
Code Points ..............................................<a href="#page-34">34</a>
<a href="#section-14">14</a>. References ....................................................<a href="#page-35">35</a>
<a href="#section-14.1">14.1</a>. Normative References .....................................<a href="#page-35">35</a>
<a href="#section-14.2">14.2</a>. Informative References ...................................<a href="#page-36">36</a>
Acknowledgements ..................................................<a href="#page-40">40</a>
Authors' Addresses ................................................<a href="#page-40">40</a>
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 3]</span><span id="page-4" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
Application protocols using Unicode characters [<a href="#ref-Unicode" title=""The Unicode Standard"">Unicode</a>] in protocol
strings need to properly handle such strings in order to enforce
internationalization rules for strings placed in various protocol
slots (such as addresses and identifiers) and to perform valid
comparison operations (e.g., for purposes of authentication or
authorization). This document defines a framework enabling
application protocols to perform the preparation, enforcement, and
comparison of internationalized strings ("PRECIS") in a way that
depends on the properties of Unicode characters and thus is agile
with respect to versions of Unicode.
As described in the PRECIS problem statement [<a href="./rfc6885" title=""Stringprep Revision and Problem Statement for the Preparation and Comparison of Internationalized Strings (PRECIS)"">RFC6885</a>], many IETF
protocols have used the Stringprep framework [<a href="./rfc3454" title=""Preparation of Internationalized Strings ("">RFC3454</a>] as the basis
for preparing, enforcing, and comparing protocol strings that contain
Unicode characters, especially characters outside the ASCII range
[<a href="./rfc20" title=""ASCII format for network interchange"">RFC20</a>]. The Stringprep framework was developed during work on the
original technology for internationalized domain names (IDNs), here
called "IDNA2003" [<a href="./rfc3490" title=""Internationalizing Domain Names in Applications (IDNA)"">RFC3490</a>], and Nameprep [<a href="./rfc3491" title=""Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)"">RFC3491</a>] was the
Stringprep profile for IDNs. At the time, Stringprep was designed as
a general framework so that other application protocols could define
their own Stringprep profiles. Indeed, a number of application
protocols defined such profiles.
After the publication of [<a href="./rfc3454" title=""Preparation of Internationalized Strings ("">RFC3454</a>] in 2002, several significant
issues arose with the use of Stringprep in the IDN case, as
documented in the IAB's recommendations regarding IDNs [<a href="./rfc4690" title=""Review and Recommendations for Internationalized Domain Names (IDNs)"">RFC4690</a>]
(most significantly, Stringprep was tied to Unicode version 3.2).
Therefore, the newer IDNA specifications, here called "IDNA2008"
([<a href="./rfc5890" title=""Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework"">RFC5890</a>], [<a href="./rfc5891" title=""Internationalized Domain Names in Applications (IDNA): Protocol"">RFC5891</a>], [<a href="./rfc5892" title=""The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)"">RFC5892</a>], [<a href="./rfc5893" title=""Right-to-Left Scripts for Internationalized Domain Names for Applications (IDNA)"">RFC5893</a>], [<a href="./rfc5894" title=""Internationalized Domain Names for Applications (IDNA): Background, Explanation, and Rationale"">RFC5894</a>]), no longer
use Stringprep and Nameprep. This migration away from Stringprep for
IDNs prompted other "customers" of Stringprep to consider new
approaches to the preparation, enforcement, and comparison of
internationalized strings, as described in [<a href="./rfc6885" title=""Stringprep Revision and Problem Statement for the Preparation and Comparison of Internationalized Strings (PRECIS)"">RFC6885</a>].
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 4]</span><span id="page-5" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
This document defines a framework for a post-Stringprep approach to
the preparation, enforcement, and comparison of internationalized
strings in application protocols, based on several principles:
1. Define a small set of string classes that specify the Unicode
characters (i.e., specific "code points") appropriate for common
application protocol constructs.
2. Define each PRECIS string class in terms of Unicode code points
and their properties so that an algorithm can be used to
determine whether each code point or character category is
(a) valid, (b) allowed in certain contexts, (c) disallowed, or
(d) unassigned.
3. Use an "inclusion model" such that a string class consists only
of code points that are explicitly allowed, with the result that
any code point not explicitly allowed is forbidden.
4. Enable application protocols to define profiles of the PRECIS
string classes if necessary (addressing matters such as width
mapping, case mapping, Unicode normalization, and directionality)
but strongly discourage the multiplication of profiles beyond
necessity in order to avoid violations of the "Principle of Least
Astonishment".
It is expected that this framework will yield the following benefits:
o Application protocols will be agile with regard to Unicode
versions.
o Implementers will be able to share code point tables and software
code across application protocols, most likely by means of
software libraries.
o End users will be able to acquire more accurate expectations about
the characters that are acceptable in various contexts. Given
this more uniform set of string classes, it is also expected that
copy/paste operations between software implementing different
application protocols will be more predictable and coherent.
Whereas the string classes define the "baseline" code points for a
range of applications, profiling enables application protocols to
apply the string classes in ways that are appropriate for common
constructs such as usernames [<a href="#ref-PRECIS-Users-Pwds">PRECIS-Users-Pwds</a>], opaque strings such
as passwords [<a href="#ref-PRECIS-Users-Pwds">PRECIS-Users-Pwds</a>], and nicknames [<a href="#ref-PRECIS-Nickname">PRECIS-Nickname</a>].
Profiles are responsible for defining the handling of right-to-left
characters as well as various mapping operations of the kind also
discussed for IDNs in [<a href="./rfc5895" title=""Mapping Characters for Internationalized Domain Names in Applications (IDNA) 2008"">RFC5895</a>], such as case preservation or
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 5]</span><span id="page-6" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
lowercasing, Unicode normalization, mapping of certain characters to
other characters or to nothing, and mapping of fullwidth and
halfwidth characters.
When an application applies a profile of a PRECIS string class, it
transforms an input string (which might or might not be conforming)
into an output string that definitively conforms to the profile. In
particular, this document focuses on the resulting ability to achieve
the following objectives:
a. Enforcing all the rules of a profile for a single output string
(e.g., to determine if a string can be included in a protocol
slot, communicated to another entity within a protocol, stored in
a retrieval system, etc.).
b. Comparing two output strings to determine if they are equivalent,
typically through octet-for-octet matching to test for
"bit-string identity" (e.g., to make an access decision for
purposes of authentication or authorization as further described
in [<a href="./rfc6943" title=""Issues in Identifier Comparison for Security Purposes"">RFC6943</a>]).
The opportunity to define profiles naturally introduces the
possibility of a proliferation of profiles, thus potentially
mitigating the benefits of common code and violating user
expectations. See <a href="#section-5">Section 5</a> for a discussion of this important
topic.
In addition, it is extremely important for protocol designers and
application developers to understand that the transformation of an
input string to an output string is rarely reversible. As one
relatively simple example, case mapping would transform an input
string of "StPeter" to "stpeter", and information about the
capitalization of the first and third characters would be lost.
Similar considerations apply to other forms of mapping and
normalization.
Although this framework is similar to IDNA2008 and includes by
reference some of the character categories defined in [<a href="./rfc5892" title=""The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)"">RFC5892</a>], it
defines additional character categories to meet the needs of common
application protocols other than DNS.
The character categories and calculation rules defined under
Sections <a href="#section-8">8</a> and <a href="#section-9">9</a> are normative and apply to all Unicode code points.
The code point table that results from applying the character
categories and calculation rules to the latest version of Unicode can
be found in an IANA registry.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 6]</span><span id="page-7" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Terminology</span>
Many important terms used in this document are defined in [<a href="./rfc5890" title=""Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework"">RFC5890</a>],
[<a href="./rfc6365" title=""Terminology Used in Internationalization in the IETF"">RFC6365</a>], [<a href="./rfc6885" title=""Stringprep Revision and Problem Statement for the Preparation and Comparison of Internationalized Strings (PRECIS)"">RFC6885</a>], and [<a href="#ref-Unicode" title=""The Unicode Standard"">Unicode</a>]. The terms "left-to-right" (LTR)
and "right-to-left" (RTL) are defined in Unicode Standard Annex #9
[<a href="#ref-UAX9" title=""Unicode Bidirectional Algorithm"">UAX9</a>].
As of the date of writing, the version of Unicode published by the
Unicode Consortium is 7.0 [<a href="#ref-Unicode7.0">Unicode7.0</a>]; however, PRECIS is not tied
to a specific version of Unicode. The latest version of Unicode is
always available [<a href="#ref-Unicode" title=""The Unicode Standard"">Unicode</a>].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Preparation, Enforcement, and Comparison</span>
This document distinguishes between three different actions that an
entity can take with regard to a string:
o Enforcement entails applying all of the rules specified for a
particular string class or profile thereof to an individual
string, for the purpose of determining if the string can be used
in a given protocol slot.
o Comparison entails applying all of the rules specified for a
particular string class or profile thereof to two separate
strings, for the purpose of determining if the two strings are
equivalent.
o Preparation entails only ensuring that the characters in an
individual string are allowed by the underlying PRECIS string
class.
In most cases, authoritative entities such as servers are responsible
for enforcement, whereas subsidiary entities such as clients are
responsible only for preparation. The rationale for this distinction
is that clients might not have the facilities (in terms of device
memory and processing power) to enforce all the rules regarding
internationalized strings (such as width mapping and Unicode
normalization), although they can more easily limit the repertoire of
characters they offer to an end user. By contrast, it is assumed
that a server would have more capacity to enforce the rules, and in
any case acts as an authority regarding allowable strings in protocol
slots such as addresses and endpoint identifiers. In addition, a
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 7]</span><span id="page-8" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
client cannot necessarily be trusted to properly generate such
strings, especially for security-sensitive contexts such as
authentication and authorization.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. String Classes</span>
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Overview</span>
Starting in 2010, various "customers" of Stringprep began to discuss
the need to define a post-Stringprep approach to the preparation and
comparison of internationalized strings other than IDNs. This
community analyzed the existing Stringprep profiles and also weighed
the costs and benefits of defining a relatively small set of Unicode
characters that would minimize the potential for user confusion
caused by visually similar characters (and thus be relatively "safe")
vs. defining a much larger set of Unicode characters that would
maximize the potential for user creativity (and thus be relatively
"expressive"). As a result, the community concluded that most
existing uses could be addressed by two string classes:
IdentifierClass: a sequence of letters, numbers, and some symbols
that is used to identify or address a network entity such as a
user account, a venue (e.g., a chatroom), an information source
(e.g., a data feed), or a collection of data (e.g., a file); the
intent is that this class will minimize user confusion in a wide
variety of application protocols, with the result that safety has
been prioritized over expressiveness for this class.
FreeformClass: a sequence of letters, numbers, symbols, spaces, and
other characters that is used for free-form strings, including
passwords as well as display elements such as human-friendly
nicknames for devices or for participants in a chatroom; the
intent is that this class will allow nearly any Unicode character,
with the result that expressiveness has been prioritized over
safety for this class. Note well that protocol designers,
application developers, service providers, and end users might not
understand or be able to enter all of the characters that can be
included in the FreeformClass -- see <a href="#section-12.3">Section 12.3</a> for details.
Future specifications might define additional PRECIS string classes,
such as a class that falls somewhere between the IdentifierClass and
the FreeformClass. At this time, it is not clear how useful such a
class would be. In any case, because application developers are able
to define profiles of PRECIS string classes, a protocol needing a
construct between the IdentifierClass and the FreeformClass could
define a restricted profile of the FreeformClass if needed.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 8]</span><span id="page-9" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
The following subsections discuss the IdentifierClass and
FreeformClass in more detail, with reference to the dimensions
described in <a href="./rfc6885#section-5">Section 5 of [RFC6885]</a>. Each string class is defined by
the following behavioral rules:
Valid: Defines which code points are treated as valid for the
string.
Contextual Rule Required: Defines which code points are treated as
allowed only if the requirements of a contextual rule are met
(i.e., either CONTEXTJ or CONTEXTO).
Disallowed: Defines which code points need to be excluded from the
string.
Unassigned: Defines application behavior in the presence of code
points that are unknown (i.e., not yet designated) for the version
of Unicode used by the application.
This document defines the valid, contextual rule required,
disallowed, and unassigned rules for the IdentifierClass and
FreeformClass. As described under <a href="#section-5">Section 5</a>, profiles of these
string classes are responsible for defining the width mapping,
additional mappings, case mapping, normalization, and directionality
rules.
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. IdentifierClass</span>
Most application technologies need strings that can be used to refer
to, include, or communicate protocol strings like usernames,
filenames, data feed identifiers, and chatroom names. We group such
strings into a class called "IdentifierClass" having the following
features.
<span class="h4"><a class="selflink" id="section-4.2.1" href="#section-4.2.1">4.2.1</a>. Valid</span>
o Code points traditionally used as letters and numbers in writing
systems, i.e., the LetterDigits ("A") category first defined in
[<a href="./rfc5892" title=""The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)"">RFC5892</a>] and listed here under <a href="#section-9.1">Section 9.1</a>.
o Code points in the range U+0021 through U+007E, i.e., the
(printable) ASCII7 ("K") category defined under <a href="#section-9.11">Section 9.11</a>.
These code points are "grandfathered" into PRECIS and thus are
valid even if they would otherwise be disallowed according to the
property-based rules specified in the next section.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 9]</span><span id="page-10" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
Note: Although the PRECIS IdentifierClass reuses the LetterDigits
category from IDNA2008, the range of characters allowed in the
IdentifierClass is wider than the range of characters allowed in
IDNA2008. The main reason is that IDNA2008 applies the Unstable
category before the LetterDigits category, thus disallowing
uppercase characters, whereas the IdentifierClass does not apply
the Unstable category.
<span class="h4"><a class="selflink" id="section-4.2.2" href="#section-4.2.2">4.2.2</a>. Contextual Rule Required</span>
o A number of characters from the Exceptions ("F") category defined
under <a href="#section-9.6">Section 9.6</a> (see <a href="#section-9.6">Section 9.6</a> for a full list).
o Joining characters, i.e., the JoinControl ("H") category defined
under <a href="#section-9.8">Section 9.8</a>.
<span class="h4"><a class="selflink" id="section-4.2.3" href="#section-4.2.3">4.2.3</a>. Disallowed</span>
o Old Hangul Jamo characters, i.e., the OldHangulJamo ("I") category
defined under <a href="#section-9.9">Section 9.9</a>.
o Control characters, i.e., the Controls ("L") category defined
under <a href="#section-9.12">Section 9.12</a>.
o Ignorable characters, i.e., the PrecisIgnorableProperties ("M")
category defined under <a href="#section-9.13">Section 9.13</a>.
o Space characters, i.e., the Spaces ("N") category defined under
<a href="#section-9.14">Section 9.14</a>.
o Symbol characters, i.e., the Symbols ("O") category defined under
<a href="#section-9.15">Section 9.15</a>.
o Punctuation characters, i.e., the Punctuation ("P") category
defined under <a href="#section-9.16">Section 9.16</a>.
o Any character that has a compatibility equivalent, i.e., the
HasCompat ("Q") category defined under <a href="#section-9.17">Section 9.17</a>. These code
points are disallowed even if they would otherwise be valid
according to the property-based rules specified in the previous
section.
o Letters and digits other than the "traditional" letters and digits
allowed in IDNs, i.e., the OtherLetterDigits ("R") category
defined under <a href="#section-9.18">Section 9.18</a>.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 10]</span><span id="page-11" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
<span class="h4"><a class="selflink" id="section-4.2.4" href="#section-4.2.4">4.2.4</a>. Unassigned</span>
Any code points that are not yet designated in the Unicode character
set are considered unassigned for purposes of the IdentifierClass,
and such code points are to be treated as disallowed. See
<a href="#section-9.10">Section 9.10</a>.
<span class="h4"><a class="selflink" id="section-4.2.5" href="#section-4.2.5">4.2.5</a>. Examples</span>
As described in the Introduction to this document, the string classes
do not handle all issues related to string preparation and comparison
(such as case mapping); instead, such issues are handled at the level
of profiles. Examples for profiles of the IdentifierClass can be
found in [<a href="#ref-PRECIS-Users-Pwds">PRECIS-Users-Pwds</a>] (the UsernameCaseMapped and
UsernameCasePreserved profiles).
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>. FreeformClass</span>
Some application technologies need strings that can be used in a
free-form way, e.g., as a password in an authentication exchange (see
[<a href="#ref-PRECIS-Users-Pwds">PRECIS-Users-Pwds</a>]) or a nickname in a chatroom (see
[<a href="#ref-PRECIS-Nickname">PRECIS-Nickname</a>]). We group such things into a class called
"FreeformClass" having the following features.
Security Warning: As mentioned, the FreeformClass prioritizes
expressiveness over safety; <a href="#section-12.3">Section 12.3</a> describes some of the
security hazards involved with using or profiling the
FreeformClass.
Security Warning: Consult <a href="#section-12.6">Section 12.6</a> for relevant security
considerations when strings conforming to the FreeformClass, or a
profile thereof, are used as passwords.
<span class="h4"><a class="selflink" id="section-4.3.1" href="#section-4.3.1">4.3.1</a>. Valid</span>
o Traditional letters and numbers, i.e., the LetterDigits ("A")
category first defined in [<a href="./rfc5892" title=""The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)"">RFC5892</a>] and listed here under
<a href="#section-9.1">Section 9.1</a>.
o Letters and digits other than the "traditional" letters and digits
allowed in IDNs, i.e., the OtherLetterDigits ("R") category
defined under <a href="#section-9.18">Section 9.18</a>.
o Code points in the range U+0021 through U+007E, i.e., the
(printable) ASCII7 ("K") category defined under <a href="#section-9.11">Section 9.11</a>.
o Any character that has a compatibility equivalent, i.e., the
HasCompat ("Q") category defined under <a href="#section-9.17">Section 9.17</a>.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 11]</span><span id="page-12" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
o Space characters, i.e., the Spaces ("N") category defined under
<a href="#section-9.14">Section 9.14</a>.
o Symbol characters, i.e., the Symbols ("O") category defined under
<a href="#section-9.15">Section 9.15</a>.
o Punctuation characters, i.e., the Punctuation ("P") category
defined under <a href="#section-9.16">Section 9.16</a>.
<span class="h4"><a class="selflink" id="section-4.3.2" href="#section-4.3.2">4.3.2</a>. Contextual Rule Required</span>
o A number of characters from the Exceptions ("F") category defined
under <a href="#section-9.6">Section 9.6</a> (see <a href="#section-9.6">Section 9.6</a> for a full list).
o Joining characters, i.e., the JoinControl ("H") category defined
under <a href="#section-9.8">Section 9.8</a>.
<span class="h4"><a class="selflink" id="section-4.3.3" href="#section-4.3.3">4.3.3</a>. Disallowed</span>
o Old Hangul Jamo characters, i.e., the OldHangulJamo ("I") category
defined under <a href="#section-9.9">Section 9.9</a>.
o Control characters, i.e., the Controls ("L") category defined
under <a href="#section-9.12">Section 9.12</a>.
o Ignorable characters, i.e., the PrecisIgnorableProperties ("M")
category defined under <a href="#section-9.13">Section 9.13</a>.
<span class="h4"><a class="selflink" id="section-4.3.4" href="#section-4.3.4">4.3.4</a>. Unassigned</span>
Any code points that are not yet designated in the Unicode character
set are considered unassigned for purposes of the FreeformClass, and
such code points are to be treated as disallowed.
<span class="h4"><a class="selflink" id="section-4.3.5" href="#section-4.3.5">4.3.5</a>. Examples</span>
As described in the Introduction to this document, the string classes
do not handle all issues related to string preparation and comparison
(such as case mapping); instead, such issues are handled at the level
of profiles. Examples for profiles of the FreeformClass can be found
in [<a href="#ref-PRECIS-Users-Pwds">PRECIS-Users-Pwds</a>] (the OpaqueString profile) and
[<a href="#ref-PRECIS-Nickname">PRECIS-Nickname</a>] (the Nickname profile).
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 12]</span><span id="page-13" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Profiles</span>
This framework document defines the valid, contextual-rule-required,
disallowed, and unassigned rules for the IdentifierClass and the
FreeformClass. A profile of a PRECIS string class MUST define the
width mapping, additional mappings (if any), case mapping,
normalization, and directionality rules. A profile MAY also restrict
the allowable characters above and beyond the definition of the
relevant PRECIS string class (but MUST NOT add as valid any code
points that are disallowed by the relevant PRECIS string class).
These matters are discussed in the following subsections.
Profiles of the PRECIS string classes are registered with the IANA as
described under <a href="#section-11.3">Section 11.3</a>. Profile names use the following
convention: they are of the form "Profilename of BaseClass", where
the "Profilename" string is a differentiator and "BaseClass" is the
name of the PRECIS string class being profiled; for example, the
profile of the FreeformClass used for opaque strings such as
passwords is the OpaqueString profile [<a href="#ref-PRECIS-Users-Pwds">PRECIS-Users-Pwds</a>].
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Profiles Must Not Be Multiplied beyond Necessity</span>
The risk of profile proliferation is significant because having too
many profiles will result in different behavior across various
applications, thus violating what is known in user interface design
as the "Principle of Least Astonishment".
Indeed, we already have too many profiles. Ideally we would have at
most two or three profiles. Unfortunately, numerous application
protocols exist with their own quirks regarding protocol strings.
Domain names, email addresses, instant messaging addresses, chatroom
nicknames, filenames, authentication identifiers, passwords, and
other strings are already out there in the wild and need to be
supported in existing application protocols such as DNS, SMTP, the
Extensible Messaging and Presence Protocol (XMPP), Internet Relay
Chat (IRC), NFS, the Internet Small Computer System Interface
(iSCSI), the Extensible Authentication Protocol (EAP), and the Simple
Authentication and Security Layer (SASL), among others.
Nevertheless, profiles must not be multiplied beyond necessity.
To help prevent profile proliferation, this document recommends
sensible defaults for the various options offered to profile creators
(such as width mapping and Unicode normalization). In addition, the
guidelines for designated experts provided under <a href="#section-10">Section 10</a> are meant
to encourage a high level of due diligence regarding new profiles.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 13]</span><span id="page-14" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Rules</span>
<span class="h4"><a class="selflink" id="section-5.2.1" href="#section-5.2.1">5.2.1</a>. Width Mapping Rule</span>
The width mapping rule of a profile specifies whether width mapping
is performed on the characters of a string, and how the mapping is
done. Typically, such mapping consists of mapping fullwidth and
halfwidth characters, i.e., code points with a Decomposition Type of
Wide or Narrow, to their decomposition mappings; as an example,
FULLWIDTH DIGIT ZERO (U+FF10) would be mapped to DIGIT ZERO (U+0030).
The normalization form specified by a profile (see below) has an
impact on the need for width mapping. Because width mapping is
performed as a part of compatibility decomposition, a profile
employing either normalization form KD (NFKD) or normalization form
KC (NFKC) does not need to specify width mapping. However, if
Unicode normalization form C (NFC) is used (as is recommended) then
the profile needs to specify whether to apply width mapping; in this
case, width mapping is in general RECOMMENDED because allowing
fullwidth and halfwidth characters to remain unmapped to their
compatibility variants would violate the "Principle of Least
Astonishment". For more information about the concept of width in
East Asian scripts within Unicode, see Unicode Standard Annex #11
[<a href="#ref-UAX11" title=""East Asian Width"">UAX11</a>].
<span class="h4"><a class="selflink" id="section-5.2.2" href="#section-5.2.2">5.2.2</a>. Additional Mapping Rule</span>
The additional mapping rule of a profile specifies whether additional
mappings are performed on the characters of a string, such as:
Mapping of delimiter characters (such as '@', ':', '/', '+',
and '-')
Mapping of special characters (e.g., non-ASCII space characters to
ASCII space or control characters to nothing).
The PRECIS mappings document [<a href="#ref-PRECIS-Mappings">PRECIS-Mappings</a>] describes such
mappings in more detail.
<span class="h4"><a class="selflink" id="section-5.2.3" href="#section-5.2.3">5.2.3</a>. Case Mapping Rule</span>
The case mapping rule of a profile specifies whether case mapping
(instead of case preservation) is performed on the characters of a
string, and how the mapping is applied (e.g., mapping uppercase and
titlecase characters to their lowercase equivalents).
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 14]</span><span id="page-15" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
If case mapping is desired (instead of case preservation), it is
RECOMMENDED to use Unicode Default Case Folding as defined in the
Unicode Standard [<a href="#ref-Unicode" title=""The Unicode Standard"">Unicode</a>] (at the time of this writing, the
algorithm is specified in Chapter 3 of [<a href="#ref-Unicode7.0">Unicode7.0</a>]).
Note: Unicode Default Case Folding is not designed to handle
various localization issues (such as so-called "dotless i" in
several Turkic languages). The PRECIS mappings document
[<a href="#ref-PRECIS-Mappings">PRECIS-Mappings</a>] describes these issues in greater detail and
defines a "local case mapping" method that handles some locale-
dependent and context-dependent mappings.
In order to maximize entropy and minimize the potential for false
positives, it is NOT RECOMMENDED for application protocols to map
uppercase and titlecase code points to their lowercase equivalents
when strings conforming to the FreeformClass, or a profile thereof,
are used in passwords; instead, it is RECOMMENDED to preserve the
case of all code points contained in such strings and then perform
case-sensitive comparison. See also the related discussion in
<a href="#section-12.6">Section 12.6</a> and in [<a href="#ref-PRECIS-Users-Pwds">PRECIS-Users-Pwds</a>].
<span class="h4"><a class="selflink" id="section-5.2.4" href="#section-5.2.4">5.2.4</a>. Normalization Rule</span>
The normalization rule of a profile specifies which Unicode
normalization form (D, KD, C, or KC) is to be applied (see Unicode
Standard Annex #15 [<a href="#ref-UAX15" title=""Unicode Normalization Forms"">UAX15</a>] for background information).
In accordance with [<a href="./rfc5198" title=""Unicode Format for Network Interchange"">RFC5198</a>], normalization form C (NFC) is
RECOMMENDED.
<span class="h4"><a class="selflink" id="section-5.2.5" href="#section-5.2.5">5.2.5</a>. Directionality Rule</span>
The directionality rule of a profile specifies how to treat strings
containing what are often called "right-to-left" (RTL) characters
(see Unicode Standard Annex #9 [<a href="#ref-UAX9" title=""Unicode Bidirectional Algorithm"">UAX9</a>]). RTL characters come from
scripts that are normally written from right to left and are
considered by Unicode to, themselves, have right-to-left
directionality. Some strings containing RTL characters also contain
"left-to-right" (LTR) characters, such as numerals, as well as
characters without directional properties. Consequently, such
strings are known as "bidirectional strings".
Presenting bidirectional strings in different layout systems (e.g., a
user interface that is configured to handle primarily an RTL script
vs. an interface that is configured to handle primarily an LTR
script) can yield display results that, while predictable to those
who understand the display rules, are counter-intuitive to casual
users. In particular, the same bidirectional string (in PRECIS
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 15]</span><span id="page-16" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
terms) might not be presented in the same way to users of those
different layout systems, even though the presentation is consistent
within any particular layout system. In some applications, these
presentation differences might be considered problematic and thus the
application designers might wish to restrict the use of bidirectional
strings by specifying a directionality rule. In other applications,
these presentation differences might not be considered problematic
(this especially tends to be true of more "free-form" strings) and
thus no directionality rule is needed.
The PRECIS framework does not directly address how to deal with
bidirectional strings across all string classes and profiles, and
does not define any new directionality rules, since at present there
is no widely accepted and implemented solution for the safe display
of arbitrary bidirectional strings beyond the Unicode bidirectional
algorithm [<a href="#ref-UAX9" title=""Unicode Bidirectional Algorithm"">UAX9</a>]. Although rules for management and display of
bidirectional strings have been defined for domain name labels and
similar identifiers through the "Bidi Rule" specified in the IDNA2008
specification on right-to-left scripts [<a href="./rfc5893" title=""Right-to-Left Scripts for Internationalized Domain Names for Applications (IDNA)"">RFC5893</a>], those rules are
quite restrictive and are not necessarily applicable to all
bidirectional strings.
The authors of a PRECIS profile might believe that they need to
define a new directionality rule of their own. Because of the
complexity of the issues involved, such a belief is almost always
misguided, even if the authors have done a great deal of careful
research into the challenges of displaying bidirectional strings.
This document strongly suggests that profile authors who are thinking
about defining a new directionality rule think again, and instead
consider using the "Bidi Rule" [<a href="./rfc5893" title=""Right-to-Left Scripts for Internationalized Domain Names for Applications (IDNA)"">RFC5893</a>] (for profiles based on the
IdentifierClass) or following the Unicode bidirectional algorithm
[<a href="#ref-UAX9" title=""Unicode Bidirectional Algorithm"">UAX9</a>] (for profiles based on the FreeformClass or in situations
where the IdentifierClass is not appropriate).
<span class="h3"><a class="selflink" id="section-5.3" href="#section-5.3">5.3</a>. A Note about Spaces</span>
With regard to the IdentifierClass, the consensus of the PRECIS
Working Group was that spaces are problematic for many reasons,
including the following:
o Many Unicode characters are confusable with ASCII space.
o Even if non-ASCII space characters are mapped to ASCII space
(U+0020), space characters are often not rendered in user
interfaces, leading to the possibility that a human user might
consider a string containing spaces to be equivalent to the same
string without spaces.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 16]</span><span id="page-17" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
o In some locales, some devices are known to generate a character
other than ASCII space (such as ZERO WIDTH JOINER, U+200D) when a
user performs an action like hitting the space bar on a keyboard.
One consequence of disallowing space characters in the
IdentifierClass might be to effectively discourage their use within
identifiers created in newer application protocols; given the
challenges involved with properly handling space characters
(especially non-ASCII space characters) in identifiers and other
protocol strings, the PRECIS Working Group considered this to be a
feature, not a bug.
However, the FreeformClass does allow spaces, which enables
application protocols to define profiles of the FreeformClass that
are more flexible than any profiles of the IdentifierClass. In
addition, as explained in <a href="#section-6.3">Section 6.3</a>, application protocols can also
define application-layer constructs containing spaces.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Applications</span>
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. How to Use PRECIS in Applications</span>
Although PRECIS has been designed with applications in mind,
internationalization is not suddenly made easy through the use of
PRECIS. Application developers still need to give some thought to
how they will use the PRECIS string classes, or profiles thereof, in
their applications. This section provides some guidelines to
application developers (and to expert reviewers of application
protocol specifications).
o Don't define your own profile unless absolutely necessary (see
<a href="#section-5.1">Section 5.1</a>). Existing profiles have been designed for wide
reuse. It is highly likely that an existing profile will meet
your needs, especially given the ability to specify further
excluded characters (<a href="#section-6.2">Section 6.2</a>) and to build application-layer
constructs (see <a href="#section-6.3">Section 6.3</a>).
o Do specify:
* Exactly which entities are responsible for preparation,
enforcement, and comparison of internationalized strings (e.g.,
servers or clients).
* Exactly when those entities need to complete their tasks (e.g.,
a server might need to enforce the rules of a profile before
allowing a client to gain network access).
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 17]</span><span id="page-18" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
* Exactly which protocol slots need to be checked against which
profiles (e.g., checking the address of a message's intended
recipient against the UsernameCaseMapped profile
[<a href="#ref-PRECIS-Users-Pwds">PRECIS-Users-Pwds</a>] of the IdentifierClass, or checking the
password of a user against the OpaqueString profile
[<a href="#ref-PRECIS-Users-Pwds">PRECIS-Users-Pwds</a>] of the FreeformClass).
See [<a href="#ref-PRECIS-Users-Pwds">PRECIS-Users-Pwds</a>] and [<a href="#ref-XMPP-Addr-Format">XMPP-Addr-Format</a>] for definitions of
these matters for several applications.
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Further Excluded Characters</span>
An application protocol that uses a profile MAY specify particular
code points that are not allowed in relevant slots within that
application protocol, above and beyond those excluded by the string
class or profile.
That is, an application protocol MAY do either of the following:
1. Exclude specific code points that are allowed by the relevant
string class.
2. Exclude characters matching certain Unicode properties (e.g.,
math symbols) that are included in the relevant PRECIS string
class.
As a result of such exclusions, code points that are defined as valid
for the PRECIS string class or profile will be defined as disallowed
for the relevant protocol slot.
Typically, such exclusions are defined for the purpose of backward
compatibility with legacy formats within an application protocol.
These are defined for application protocols, not profiles, in order
to prevent multiplication of profiles beyond necessity (see
<a href="#section-5.1">Section 5.1</a>).
<span class="h3"><a class="selflink" id="section-6.3" href="#section-6.3">6.3</a>. Building Application-Layer Constructs</span>
Sometimes, an application-layer construct does not map in a
straightforward manner to one of the base string classes or a profile
thereof. Consider, for example, the "simple user name" construct in
the Simple Authentication and Security Layer (SASL) [<a href="./rfc4422" title=""Simple Authentication and Security Layer (SASL)"">RFC4422</a>].
Depending on the deployment, a simple user name might take the form
of a user's full name (e.g., the user's personal name followed by a
space and then the user's family name). Such a simple user name
cannot be defined as an instance of the IdentifierClass or a profile
thereof, since space characters are not allowed in the
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 18]</span><span id="page-19" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
IdentifierClass; however, it could be defined using a space-separated
sequence of IdentifierClass instances, as in the following ABNF
[<a href="./rfc5234" title=""Augmented BNF for Syntax Specifications: ABNF"">RFC5234</a>] from [<a href="#ref-PRECIS-Users-Pwds">PRECIS-Users-Pwds</a>]:
username = userpart *(1*SP userpart)
userpart = 1*(idbyte)
;
; an "idbyte" is a byte used to represent a
; UTF-8 encoded Unicode code point that can be
; contained in a string that conforms to the
; PRECIS "IdentifierClass"
;
Similar techniques could be used to define many application-layer
constructs, say of the form "user@domain" or "/path/to/file".
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Order of Operations</span>
To ensure proper comparison, the rules specified for a particular
string class or profile MUST be applied in the following order:
1. Width Mapping Rule
2. Additional Mapping Rule
3. Case Mapping Rule
4. Normalization Rule
5. Directionality Rule
6. Behavioral rules for determining whether a code point is valid,
allowed under a contextual rule, disallowed, or unassigned
As already described, the width mapping, additional mapping, case
mapping, normalization, and directionality rules are specified for
each profile, whereas the behavioral rules are specified for each
string class. Some of the logic behind this order is provided under
<a href="#section-5.2.1">Section 5.2.1</a> (see also the PRECIS mappings document
[<a href="#ref-PRECIS-Mappings">PRECIS-Mappings</a>]).
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 19]</span><span id="page-20" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Code Point Properties</span>
In order to implement the string classes described above, this
document does the following:
1. Reviews and classifies the collections of code points in the
Unicode character set by examining various code point properties.
2. Defines an algorithm for determining a derived property value,
which can vary depending on the string class being used by the
relevant application protocol.
This document is not intended to specify precisely how derived
property values are to be applied in protocol strings. That
information is the responsibility of the protocol specification that
uses or profiles a PRECIS string class from this document. The value
of the property is to be interpreted as follows.
PROTOCOL VALID Those code points that are allowed to be used in any
PRECIS string class (currently, IdentifierClass and
FreeformClass). The abbreviated term "PVALID" is used to refer to
this value in the remainder of this document.
SPECIFIC CLASS PROTOCOL VALID Those code points that are allowed to
be used in specific string classes. In the remainder of this
document, the abbreviated term *_PVAL is used, where * = (ID |
FREE), i.e., either "FREE_PVAL" or "ID_PVAL". In practice, the
derived property ID_PVAL is not used in this specification, since
every ID_PVAL code point is PVALID.
CONTEXTUAL RULE REQUIRED Some characteristics of the character, such
as its being invisible in certain contexts or problematic in
others, require that it not be used in labels unless specific
other characters or properties are present. As in IDNA2008, there
are two subdivisions of CONTEXTUAL RULE REQUIRED -- the first for
Join_controls (called "CONTEXTJ") and the second for other
characters (called "CONTEXTO"). A character with the derived
property value CONTEXTJ or CONTEXTO MUST NOT be used unless an
appropriate rule has been established and the context of the
character is consistent with that rule. The most notable of the
CONTEXTUAL RULE REQUIRED characters are the Join Control
characters U+200D ZERO WIDTH JOINER and U+200C ZERO WIDTH
NON-JOINER, which have a derived property value of CONTEXTJ. See
<a href="./rfc5892#appendix-A">Appendix A of [RFC5892]</a> for more information.
DISALLOWED Those code points that are not permitted in any PRECIS
string class.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 20]</span><span id="page-21" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
SPECIFIC CLASS DISALLOWED Those code points that are not to be
included in one of the string classes but that might be permitted
in others. In the remainder of this document, the abbreviated
term *_DIS is used, where * = (ID | FREE), i.e., either "FREE_DIS"
or "ID_DIS". In practice, the derived property FREE_DIS is not
used in this specification, since every FREE_DIS code point is
DISALLOWED.
UNASSIGNED Those code points that are not designated (i.e., are
unassigned) in the Unicode Standard.
The algorithm to calculate the value of the derived property is as
follows (implementations MUST NOT modify the order of operations
within this algorithm, since doing so would cause inconsistent
results across implementations):
If .cp. .in. Exceptions Then Exceptions(cp);
Else If .cp. .in. BackwardCompatible Then BackwardCompatible(cp);
Else If .cp. .in. Unassigned Then UNASSIGNED;
Else If .cp. .in. ASCII7 Then PVALID;
Else If .cp. .in. JoinControl Then CONTEXTJ;
Else If .cp. .in. OldHangulJamo Then DISALLOWED;
Else If .cp. .in. PrecisIgnorableProperties Then DISALLOWED;
Else If .cp. .in. Controls Then DISALLOWED;
Else If .cp. .in. HasCompat Then ID_DIS or FREE_PVAL;
Else If .cp. .in. LetterDigits Then PVALID;
Else If .cp. .in. OtherLetterDigits Then ID_DIS or FREE_PVAL;
Else If .cp. .in. Spaces Then ID_DIS or FREE_PVAL;
Else If .cp. .in. Symbols Then ID_DIS or FREE_PVAL;
Else If .cp. .in. Punctuation Then ID_DIS or FREE_PVAL;
Else DISALLOWED;
The value of the derived property calculated can depend on the string
class; for example, if an identifier used in an application protocol
is defined as profiling the PRECIS IdentifierClass then a space
character such as U+0020 would be assigned to ID_DIS, whereas if an
identifier is defined as profiling the PRECIS FreeformClass then the
character would be assigned to FREE_PVAL. For the sake of brevity,
the designation "FREE_PVAL" is used herein, instead of the longer
designation "ID_DIS or FREE_PVAL". In practice, the derived
properties ID_PVAL and FREE_DIS are not used in this specification,
since every ID_PVAL code point is PVALID and every FREE_DIS code
point is DISALLOWED.
Use of the name of a rule (such as "Exceptions") implies the set of
code points that the rule defines, whereas the same name as a
function call (such as "Exceptions(cp)") implies the value that the
code point has in the Exceptions table.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 21]</span><span id="page-22" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
The mechanisms described here allow determination of the value of the
property for future versions of Unicode (including characters added
after Unicode 5.2 or 7.0 depending on the category, since some
categories mentioned in this document are simply pointers to IDNA2008
and therefore were defined at the time of Unicode 5.2). Changes in
Unicode properties that do not affect the outcome of this process
therefore do not affect this framework. For example, a character can
have its Unicode General_Category value (at the time of this writing,
see Chapter 4 of [<a href="#ref-Unicode7.0">Unicode7.0</a>]) change from So to Sm, or from Lo to
Ll, without affecting the algorithm results. Moreover, even if such
changes were to result, the BackwardCompatible list (<a href="#section-9.7">Section 9.7</a>) can
be adjusted to ensure the stability of the results.
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Category Definitions Used to Calculate Derived Property</span>
The derived property obtains its value based on a two-step procedure:
1. Characters are placed in one or more character categories either
(1) based on core properties defined by the Unicode Standard or
(2) by treating the code point as an exception and addressing the
code point based on its code point value. These categories are
not mutually exclusive.
2. Set operations are used with these categories to determine the
values for a property specific to a given string class. These
operations are specified under <a href="#section-8">Section 8</a>.
Note: Unicode property names and property value names might have
short abbreviations, such as "gc" for the General_Category
property and "Ll" for the Lowercase_Letter property value of the
gc property.
In the following specification of character categories, the operation
that returns the value of a particular Unicode character property for
a code point is designated by using the formal name of that property
(from the Unicode PropertyAliases.txt file [<a href="#ref-PropertyAliases">PropertyAliases</a>] followed
by "(cp)" for "code point". For example, the value of the
General_Category property for a code point is indicated by
General_Category(cp).
The first ten categories (A-J) shown below were previously defined
for IDNA2008 and are referenced from [<a href="./rfc5892" title=""The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)"">RFC5892</a>] to ease the
understanding of how PRECIS handles various characters. Some of
these categories are reused in PRECIS, and some of them are not;
however, the lettering of categories is retained to prevent overlap
and to ease implementation of both IDNA2008 and PRECIS in a single
software application. The next eight categories (K-R) are specific
to PRECIS.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 22]</span><span id="page-23" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
<span class="h3"><a class="selflink" id="section-9.1" href="#section-9.1">9.1</a>. LetterDigits (A)</span>
This category is defined in <a href="./rfc5892#section-2.1">Section 2.1 of [RFC5892]</a> and is included
by reference for use in PRECIS.
<span class="h3"><a class="selflink" id="section-9.2" href="#section-9.2">9.2</a>. Unstable (B)</span>
This category is defined in <a href="./rfc5892#section-2.2">Section 2.2 of [RFC5892]</a>. However, it is
not used in PRECIS.
<span class="h3"><a class="selflink" id="section-9.3" href="#section-9.3">9.3</a>. IgnorableProperties (C)</span>
This category is defined in <a href="./rfc5892#section-2.3">Section 2.3 of [RFC5892]</a>. However, it is
not used in PRECIS.
Note: See the PrecisIgnorableProperties ("M") category below for a
more inclusive category used in PRECIS identifiers.
<span class="h3"><a class="selflink" id="section-9.4" href="#section-9.4">9.4</a>. IgnorableBlocks (D)</span>
This category is defined in <a href="./rfc5892#section-2.4">Section 2.4 of [RFC5892]</a>. However, it is
not used in PRECIS.
<span class="h3"><a class="selflink" id="section-9.5" href="#section-9.5">9.5</a>. LDH (E)</span>
This category is defined in <a href="./rfc5892#section-2.5">Section 2.5 of [RFC5892]</a>. However, it is
not used in PRECIS.
Note: See the ASCII7 ("K") category below for a more inclusive
category used in PRECIS identifiers.
<span class="h3"><a class="selflink" id="section-9.6" href="#section-9.6">9.6</a>. Exceptions (F)</span>
This category is defined in <a href="./rfc5892#section-2.6">Section 2.6 of [RFC5892]</a> and is included
by reference for use in PRECIS.
<span class="h3"><a class="selflink" id="section-9.7" href="#section-9.7">9.7</a>. BackwardCompatible (G)</span>
This category is defined in <a href="./rfc5892#section-2.7">Section 2.7 of [RFC5892]</a> and is included
by reference for use in PRECIS.
Note: Management of this category is handled via the processes
specified in [<a href="./rfc5892" title=""The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)"">RFC5892</a>]. At the time of this writing (and also at the
time that <a href="./rfc5892">RFC 5892</a> was published), this category consisted of the
empty set; however, that is subject to change as described in
<a href="./rfc5892">RFC 5892</a>.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 23]</span><span id="page-24" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
<span class="h3"><a class="selflink" id="section-9.8" href="#section-9.8">9.8</a>. JoinControl (H)</span>
This category is defined in <a href="./rfc5892#section-2.8">Section 2.8 of [RFC5892]</a> and is included
by reference for use in PRECIS.
<span class="h3"><a class="selflink" id="section-9.9" href="#section-9.9">9.9</a>. OldHangulJamo (I)</span>
This category is defined in <a href="./rfc5892#section-2.9">Section 2.9 of [RFC5892]</a> and is included
by reference for use in PRECIS.
<span class="h3"><a class="selflink" id="section-9.10" href="#section-9.10">9.10</a>. Unassigned (J)</span>
This category is defined in <a href="./rfc5892#section-2.10">Section 2.10 of [RFC5892]</a> and is included
by reference for use in PRECIS.
<span class="h3"><a class="selflink" id="section-9.11" href="#section-9.11">9.11</a>. ASCII7 (K)</span>
This PRECIS-specific category consists of all printable, non-space
characters from the 7-bit ASCII range. By applying this category,
the algorithm specified under <a href="#section-8">Section 8</a> exempts these characters from
other rules that might be applied during PRECIS processing, on the
assumption that these code points are in such wide use that
disallowing them would be counter-productive.
K: cp is in {0021..007E}
<span class="h3"><a class="selflink" id="section-9.12" href="#section-9.12">9.12</a>. Controls (L)</span>
This PRECIS-specific category consists of all control characters.
L: Control(cp) = True
<span class="h3"><a class="selflink" id="section-9.13" href="#section-9.13">9.13</a>. PrecisIgnorableProperties (M)</span>
This PRECIS-specific category is used to group code points that are
discouraged from use in PRECIS string classes.
M: Default_Ignorable_Code_Point(cp) = True or
Noncharacter_Code_Point(cp) = True
The definition for Default_Ignorable_Code_Point can be found in the
DerivedCoreProperties.txt file [<a href="#ref-DerivedCoreProperties">DerivedCoreProperties</a>].
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 24]</span><span id="page-25" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
<span class="h3"><a class="selflink" id="section-9.14" href="#section-9.14">9.14</a>. Spaces (N)</span>
This PRECIS-specific category is used to group code points that are
space characters.
N: General_Category(cp) is in {Zs}
<span class="h3"><a class="selflink" id="section-9.15" href="#section-9.15">9.15</a>. Symbols (O)</span>
This PRECIS-specific category is used to group code points that are
symbols.
O: General_Category(cp) is in {Sm, Sc, Sk, So}
<span class="h3"><a class="selflink" id="section-9.16" href="#section-9.16">9.16</a>. Punctuation (P)</span>
This PRECIS-specific category is used to group code points that are
punctuation characters.
P: General_Category(cp) is in {Pc, Pd, Ps, Pe, Pi, Pf, Po}
<span class="h3"><a class="selflink" id="section-9.17" href="#section-9.17">9.17</a>. HasCompat (Q)</span>
This PRECIS-specific category is used to group code points that have
compatibility equivalents as explained in the Unicode Standard (at
the time of this writing, see Chapters 2 and 3 of [<a href="#ref-Unicode7.0">Unicode7.0</a>]).
Q: toNFKC(cp) != cp
The toNFKC() operation returns the code point in normalization
form KC. For more information, see <a href="#section-5">Section 5</a> of Unicode Standard
Annex #15 [<a href="#ref-UAX15" title=""Unicode Normalization Forms"">UAX15</a>].
<span class="h3"><a class="selflink" id="section-9.18" href="#section-9.18">9.18</a>. OtherLetterDigits (R)</span>
This PRECIS-specific category is used to group code points that are
letters and digits other than the "traditional" letters and digits
grouped under the LetterDigits (A) class (see <a href="#section-9.1">Section 9.1</a>).
R: General_Category(cp) is in {Lt, Nl, No, Me}
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 25]</span><span id="page-26" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. Guidelines for Designated Experts</span>
Experience with internationalization in application protocols has
shown that protocol designers and application developers usually do
not understand the subtleties and tradeoffs involved with
internationalization and that they need considerable guidance in
making reasonable decisions with regard to the options before them.
Therefore:
o Protocol designers are strongly encouraged to question the
assumption that they need to define new profiles, since existing
profiles are designed for wide reuse (see <a href="#section-5">Section 5</a> for further
discussion).
o Those who persist in defining new profiles are strongly encouraged
to clearly explain a strong justification for doing so, and to
publish a stable specification that provides all of the
information described under <a href="#section-11.3">Section 11.3</a>.
o The designated experts for profile registration requests ought to
seek answers to all of the questions provided under <a href="#section-11.3">Section 11.3</a>
and to encourage applicants to provide a stable specification
documenting the profile (even though the registration policy for
PRECIS profiles is Expert Review and a stable specification is not
strictly required).
o Developers of applications that use PRECIS are strongly encouraged
to apply the guidelines provided under <a href="#section-6">Section 6</a> and to seek out
the advice of the designated experts or other knowledgeable
individuals in doing so.
o All parties are strongly encouraged to help prevent the
multiplication of profiles beyond necessity, as described under
<a href="#section-5.1">Section 5.1</a>, and to use PRECIS in ways that will minimize user
confusion and insecure application behavior.
Internationalization can be difficult and contentious; designated
experts, profile registrants, and application developers are strongly
encouraged to work together in a spirit of good faith and mutual
understanding to achieve rough consensus on profile registration
requests and the use of PRECIS in particular applications. They are
also encouraged to bring additional expertise into the discussion if
that would be helpful in adding perspective or otherwise resolving
issues.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 26]</span><span id="page-27" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>. IANA Considerations</span>
<span class="h3"><a class="selflink" id="section-11.1" href="#section-11.1">11.1</a>. PRECIS Derived Property Value Registry</span>
IANA has created and now maintains the "PRECIS Derived Property
Value" registry that records the derived properties for the versions
of Unicode that are released after (and including) version 7.0. The
derived property value is to be calculated in cooperation with a
designated expert [<a href="./rfc5226" title="">RFC5226</a>] according to the rules specified under
Sections <a href="#section-8">8</a> and <a href="#section-9">9</a>.
The IESG is to be notified if backward-incompatible changes to the
table of derived properties are discovered or if other problems arise
during the process of creating the table of derived property values
or during expert review. Changes to the rules defined under
Sections <a href="#section-8">8</a> and <a href="#section-9">9</a> require IETF Review.
<span class="h3"><a class="selflink" id="section-11.2" href="#section-11.2">11.2</a>. PRECIS Base Classes Registry</span>
IANA has created the "PRECIS Base Classes" registry. In accordance
with [<a href="./rfc5226" title="">RFC5226</a>], the registration policy is "RFC Required".
The registration template is as follows:
Base Class: [the name of the PRECIS string class]
Description: [a brief description of the PRECIS string class and its
intended use, e.g., "A sequence of letters, numbers, and symbols
that is used to identify or address a network entity."]
Specification: [the RFC number]
The initial registrations are as follows:
Base Class: FreeformClass.
Description: A sequence of letters, numbers, symbols, spaces, and
other code points that is used for free-form strings.
Specification: <a href="./rfc7564#section-4.3">Section 4.3 of RFC 7564</a>.
Base Class: IdentifierClass.
Description: A sequence of letters, numbers, and symbols that is
used to identify or address a network entity.
Specification: <a href="./rfc7564#section-4.2">Section 4.2 of RFC 7564</a>.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 27]</span><span id="page-28" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
<span class="h3"><a class="selflink" id="section-11.3" href="#section-11.3">11.3</a>. PRECIS Profiles Registry</span>
IANA has created the "PRECIS Profiles" registry to identify profiles
that use the PRECIS string classes. In accordance with [<a href="./rfc5226" title="">RFC5226</a>],
the registration policy is "Expert Review". This policy was chosen
in order to ease the burden of registration while ensuring that
"customers" of PRECIS receive appropriate guidance regarding the
sometimes complex and subtle internationalization issues related to
profiles of PRECIS string classes.
The registration template is as follows:
Name: [the name of the profile]
Base Class: [which PRECIS string class is being profiled]
Applicability: [the specific protocol elements to which this profile
applies, e.g., "Localparts in XMPP addresses."]
Replaces: [the Stringprep profile that this PRECIS profile replaces,
if any]
Width Mapping Rule: [the behavioral rule for handling of width,
e.g., "Map fullwidth and halfwidth characters to their
compatibility variants."]
Additional Mapping Rule: [any additional mappings that are required
or recommended, e.g., "Map non-ASCII space characters to ASCII
space."]
Case Mapping Rule: [the behavioral rule for handling of case, e.g.,
"Unicode Default Case Folding"]
Normalization Rule: [which Unicode normalization form is applied,
e.g., "NFC"]
Directionality Rule: [the behavioral rule for handling of right-to-
left code points, e.g., "The 'Bidi Rule' defined in <a href="./rfc5893">RFC 5893</a>
applies."]
Enforcement: [which entities enforce the rules, and when that
enforcement occurs during protocol operations]
Specification: [a pointer to relevant documentation, such as an RFC
or Internet-Draft]
In order to request a review, the registrant shall send a completed
template to the [email protected] list or its designated successor.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 28]</span><span id="page-29" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
Factors to focus on while defining profiles and reviewing profile
registrations include the following:
o Would an existing PRECIS string class or profile solve the
problem? If not, why not? (See <a href="#section-5.1">Section 5.1</a> for related
considerations.)
o Is the problem being addressed by this profile well defined?
o Does the specification define what kinds of applications are
involved and the protocol elements to which this profile applies?
o Is the profile clearly defined?
o Is the profile based on an appropriate dividing line between user
interface (culture, context, intent, locale, device limitations,
etc.) and the use of conformant strings in protocol elements?
o Are the width mapping, case mapping, additional mappings,
normalization, and directionality rules appropriate for the
intended use?
o Does the profile explain which entities enforce the rules, and
when such enforcement occurs during protocol operations?
o Does the profile reduce the degree to which human users could be
surprised or confused by application behavior (the "Principle of
Least Astonishment")?
o Does the profile introduce any new security concerns such as those
described under <a href="#section-12">Section 12</a> of this document (e.g., false positives
for authentication or authorization)?
<span class="h2"><a class="selflink" id="section-12" href="#section-12">12</a>. Security Considerations</span>
<span class="h3"><a class="selflink" id="section-12.1" href="#section-12.1">12.1</a>. General Issues</span>
If input strings that appear "the same" to users are programmatically
considered to be distinct in different systems, or if input strings
that appear distinct to users are programmatically considered to be
"the same" in different systems, then users can be confused. Such
confusion can have security implications, such as the false positives
and false negatives discussed in [<a href="./rfc6943" title=""Issues in Identifier Comparison for Security Purposes"">RFC6943</a>]. One starting goal of
work on the PRECIS framework was to limit the number of times that
users are confused (consistent with the "Principle of Least
Astonishment"). Unfortunately, this goal has been difficult to
achieve given the large number of application protocols already in
existence. Despite these difficulties, profiles should not be
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 29]</span><span id="page-30" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
multiplied beyond necessity (see <a href="#section-5.1">Section 5.1</a>). In particular,
application protocol designers should think long and hard before
defining a new profile instead of using one that has already been
defined, and if they decide to define a new profile then they should
clearly explain their reasons for doing so.
The security of applications that use this framework can depend in
part on the proper preparation, enforcement, and comparison of
internationalized strings. For example, such strings can be used to
make authentication and authorization decisions, and the security of
an application could be compromised if an entity providing a given
string is connected to the wrong account or online resource based on
different interpretations of the string (again, see [<a href="./rfc6943" title=""Issues in Identifier Comparison for Security Purposes"">RFC6943</a>]).
Specifications of application protocols that use this framework are
strongly encouraged to describe how internationalized strings are
used in the protocol, including the security implications of any
false positives and false negatives that might result from various
enforcement and comparison operations. For some helpful guidelines,
refer to [<a href="./rfc6943" title=""Issues in Identifier Comparison for Security Purposes"">RFC6943</a>], [<a href="./rfc5890" title=""Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework"">RFC5890</a>], [<a href="#ref-UTR36" title=""Unicode Security Considerations"">UTR36</a>], and [<a href="#ref-UTS39" title=""Unicode Security Mechanisms"">UTS39</a>].
<span class="h3"><a class="selflink" id="section-12.2" href="#section-12.2">12.2</a>. Use of the IdentifierClass</span>
Strings that conform to the IdentifierClass and any profile thereof
are intended to be relatively safe for use in a broad range of
applications, primarily because they include only letters, digits,
and "grandfathered" non-space characters from the ASCII range; thus,
they exclude spaces, characters with compatibility equivalents, and
almost all symbols and punctuation marks. However, because such
strings can still include so-called confusable characters (see
<a href="#section-12.5">Section 12.5</a>), protocol designers and implementers are encouraged to
pay close attention to the security considerations described
elsewhere in this document.
<span class="h3"><a class="selflink" id="section-12.3" href="#section-12.3">12.3</a>. Use of the FreeformClass</span>
Strings that conform to the FreeformClass and many profiles thereof
can include virtually any Unicode character. This makes the
FreeformClass quite expressive, but also problematic from the
perspective of possible user confusion. Protocol designers are
hereby warned that the FreeformClass contains code points they might
not understand, and are encouraged to profile the IdentifierClass
wherever feasible; however, if an application protocol requires more
code points than are allowed by the IdentifierClass, protocol
designers are encouraged to define a profile of the FreeformClass
that restricts the allowable code points as tightly as possible.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 30]</span><span id="page-31" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
(The PRECIS Working Group considered the option of allowing
"superclasses" as well as profiles of PRECIS string classes, but
decided against allowing superclasses to reduce the likelihood of
security and interoperability problems.)
<span class="h3"><a class="selflink" id="section-12.4" href="#section-12.4">12.4</a>. Local Character Set Issues</span>
When systems use local character sets other than ASCII and Unicode,
this specification leaves the problem of converting between the local
character set and Unicode up to the application or local system. If
different applications (or different versions of one application)
implement different rules for conversions among coded character sets,
they could interpret the same name differently and contact different
application servers or other network entities. This problem is not
solved by security protocols, such as Transport Layer Security (TLS)
[<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>] and the Simple Authentication and Security Layer (SASL)
[<a href="./rfc4422" title=""Simple Authentication and Security Layer (SASL)"">RFC4422</a>], that do not take local character sets into account.
<span class="h3"><a class="selflink" id="section-12.5" href="#section-12.5">12.5</a>. Visually Similar Characters</span>
Some characters are visually similar and thus can cause confusion
among humans. Such characters are often called "confusable
characters" or "confusables".
The problem of confusable characters is not necessarily caused by the
use of Unicode code points outside the ASCII range. For example, in
some presentations and to some individuals the string "ju1iet"
(spelled with DIGIT ONE, U+0031, as the third character) might appear
to be the same as "juliet" (spelled with LATIN SMALL LETTER L,
U+006C), especially on casual visual inspection. This phenomenon is
sometimes called "typejacking".
However, the problem is made more serious by introducing the full
range of Unicode code points into protocol strings. For example, the
characters U+13DA U+13A2 U+13B5 U+13AC U+13A2 U+13AC U+13D2 from the
Cherokee block look similar to the ASCII characters "STPETER" as they
might appear when presented using a "creative" font family.
In some examples of confusable characters, it is unlikely that the
average human could tell the difference between the real string and
the fake string. (Indeed, there is no programmatic way to
distinguish with full certainty which is the fake string and which is
the real string; in some contexts, the string formed of Cherokee
characters might be the real string and the string formed of ASCII
characters might be the fake string.) Because PRECIS-compliant
strings can contain almost any properly encoded Unicode code point,
it can be relatively easy to fake or mimic some strings in systems
that use the PRECIS framework. The fact that some strings are easily
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 31]</span><span id="page-32" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
confused introduces security vulnerabilities of the kind that have
also plagued the World Wide Web, specifically the phenomenon known as
phishing.
Despite the fact that some specific suggestions about identification
and handling of confusable characters appear in the Unicode Security
Considerations [<a href="#ref-UTR36" title=""Unicode Security Considerations"">UTR36</a>] and the Unicode Security Mechanisms [<a href="#ref-UTS39" title=""Unicode Security Mechanisms"">UTS39</a>],
it is also true (as noted in [<a href="./rfc5890" title=""Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework"">RFC5890</a>]) that "there are no
comprehensive technical solutions to the problems of confusable
characters." Because it is impossible to map visually similar
characters without a great deal of context (such as knowing the font
families used), the PRECIS framework does nothing to map similar-
looking characters together, nor does it prohibit some characters
because they look like others.
Nevertheless, specifications for application protocols that use this
framework are strongly encouraged to describe how confusable
characters can be abused to compromise the security of systems that
use the protocol in question, along with any protocol-specific
suggestions for overcoming those threats. In particular, software
implementations and service deployments that use PRECIS-based
technologies are strongly encouraged to define and implement
consistent policies regarding the registration, storage, and
presentation of visually similar characters. The following
recommendations are appropriate:
1. An application service SHOULD define a policy that specifies the
scripts or blocks of characters that the service will allow to be
registered (e.g., in an account name) or stored (e.g., in a
filename). Such a policy SHOULD be informed by the languages and
scripts that are used to write registered account names; in
particular, to reduce confusion, the service SHOULD forbid
registration or storage of strings that contain characters from
more than one script and SHOULD restrict registrations to
characters drawn from a very small number of scripts (e.g.,
scripts that are well understood by the administrators of the
service, to improve manageability).
2. User-oriented application software SHOULD define a policy that
specifies how internationalized strings will be presented to a
human user. Because every human user of such software has a
preferred language or a small set of preferred languages, the
software SHOULD gather that information either explicitly from
the user or implicitly via the operating system of the user's
device. Furthermore, because most languages are typically
represented by a single script or a small set of scripts, and
because most scripts are typically contained in one or more
blocks of characters, the software SHOULD warn the user when
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 32]</span><span id="page-33" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
presenting a string that mixes characters from more than one
script or block, or that uses characters outside the normal range
of the user's preferred language(s). (Such a recommendation is
not intended to discourage communication across different
communities of language users; instead, it recognizes the
existence of such communities and encourages due caution when
presenting unfamiliar scripts or characters to human users.)
The challenges inherent in supporting the full range of Unicode code
points have in the past led some to hope for a way to
programmatically negotiate more restrictive ranges based on locale,
script, or other relevant factors; to tag the locale associated with
a particular string; etc. As a general-purpose internationalization
technology, the PRECIS framework does not include such mechanisms.
<span class="h3"><a class="selflink" id="section-12.6" href="#section-12.6">12.6</a>. Security of Passwords</span>
Two goals of passwords are to maximize the amount of entropy and to
minimize the potential for false positives. These goals can be
achieved in part by allowing a wide range of code points and by
ensuring that passwords are handled in such a way that code points
are not compared aggressively. Therefore, it is NOT RECOMMENDED for
application protocols to profile the FreeformClass for use in
passwords in a way that removes entire categories (e.g., by
disallowing symbols or punctuation). Furthermore, it is NOT
RECOMMENDED for application protocols to map uppercase and titlecase
code points to their lowercase equivalents in such strings; instead,
it is RECOMMENDED to preserve the case of all code points contained
in such strings and to compare them in a case-sensitive manner.
That said, software implementers need to be aware that there exist
tradeoffs between entropy and usability. For example, allowing a
user to establish a password containing "uncommon" code points might
make it difficult for the user to access a service when using an
unfamiliar or constrained input device.
Some application protocols use passwords directly, whereas others
reuse technologies that themselves process passwords (one example of
such a technology is the Simple Authentication and Security Layer
[<a href="./rfc4422" title=""Simple Authentication and Security Layer (SASL)"">RFC4422</a>]). Moreover, passwords are often carried by a sequence of
protocols with backend authentication systems or data storage systems
such as RADIUS [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] and the Lightweight Directory Access
Protocol (LDAP) [<a href="./rfc4510" title=""Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map"">RFC4510</a>]. Developers of application protocols are
encouraged to look into reusing these profiles instead of defining
new ones, so that end-user expectations about passwords are
consistent no matter which application protocol is used.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 33]</span><span id="page-34" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
In protocols that provide passwords as input to a cryptographic
algorithm such as a hash function, the client will need to perform
proper preparation of the password before applying the algorithm,
since the password is not available to the server in plaintext form.
Further discussion of password handling can be found in
[<a href="#ref-PRECIS-Users-Pwds">PRECIS-Users-Pwds</a>].
<span class="h2"><a class="selflink" id="section-13" href="#section-13">13</a>. Interoperability Considerations</span>
<span class="h3"><a class="selflink" id="section-13.1" href="#section-13.1">13.1</a>. Encoding</span>
Although strings that are consumed in PRECIS-based application
protocols are often encoded using UTF-8 [<a href="./rfc3629" title=""UTF-8, a transformation format of ISO 10646"">RFC3629</a>], the exact encoding
is a matter for the application protocol that uses PRECIS, not for
the PRECIS framework.
<span class="h3"><a class="selflink" id="section-13.2" href="#section-13.2">13.2</a>. Character Sets</span>
It is known that some existing systems are unable to support the full
Unicode character set, or even any characters outside the ASCII
range. If two (or more) applications need to interoperate when
exchanging data (e.g., for the purpose of authenticating a username
or password), they will naturally need to have in common at least one
coded character set (as defined by [<a href="./rfc6365" title=""Terminology Used in Internationalization in the IETF"">RFC6365</a>]). Establishing such a
baseline is a matter for the application protocol that uses PRECIS,
not for the PRECIS framework.
<span class="h3"><a class="selflink" id="section-13.3" href="#section-13.3">13.3</a>. Unicode Versions</span>
Changes to the properties of Unicode code points can occur as the
Unicode Standard is modified from time to time. For example, three
code points underwent changes in their GeneralCategory between
Unicode 5.2 (current at the time IDNA2008 was originally published)
and Unicode 6.0, as described in [<a href="./rfc6452" title=""The Unicode Code Points and Internationalized Domain Names for Applications (IDNA) - Unicode 6.0"">RFC6452</a>]. Implementers might need
to be aware that the treatment of these characters differs depending
on which version of Unicode is available on the system that is using
IDNA2008 or PRECIS. Other such differences might arise between the
version of Unicode current at the time of this writing (7.0) and
future versions.
<span class="h3"><a class="selflink" id="section-13.4" href="#section-13.4">13.4</a>. Potential Changes to Handling of Certain Unicode Code Points</span>
As part of the review of Unicode 7.0 for IDNA, a question was raised
about a newly added code point that led to a re-analysis of the
normalization rules used by IDNA and inherited by this document
(<a href="#section-5.2.4">Section 5.2.4</a>). Some of the general issues are described in
[<a href="#ref-IAB-Statement">IAB-Statement</a>] and pursued in more detail in [<a href="#ref-IDNA-Unicode">IDNA-Unicode</a>].
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 34]</span><span id="page-35" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
At the time of writing, these issues have yet to be settled.
However, implementers need to be aware that this specification is
likely to be updated in the future to address these issues. The
potential changes include the following:
o The range of characters in the LetterDigits category
(Sections <a href="#section-4.2.1">4.2.1</a> and <a href="#section-9.1">9.1</a>) might be narrowed.
o Some characters with special properties that are now allowed might
be excluded.
o More "Additional Mapping Rules" (<a href="#section-5.2.2">Section 5.2.2</a>) might be defined.
o Alternative normalization methods might be added.
Nevertheless, implementations and deployments that are sensitive to
the advice given in this specification are unlikely to encounter
significant problems as a consequence of these issues or potential
changes -- specifically, the advice to use the more restrictive
IdentifierClass whenever possible or, if using the FreeformClass, to
allow only a restricted set of characters, particularly avoiding
characters whose implications they do not actually understand.
<span class="h2"><a class="selflink" id="section-14" href="#section-14">14</a>. References</span>
<span class="h3"><a class="selflink" id="section-14.1" href="#section-14.1">14.1</a>. Normative References</span>
[<a id="ref-RFC20">RFC20</a>] Cerf, V., "ASCII format for network interchange", STD 80,
<a href="./rfc20">RFC 20</a>, DOI 10.17487/RFC0020, October 1969,
<<a href="https://www.rfc-editor.org/info/rfc20">http://www.rfc-editor.org/info/rfc20</a>>.
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>,
DOI 10.17487/RFC2119, March 1997,
<<a href="https://www.rfc-editor.org/info/rfc2119">http://www.rfc-editor.org/info/rfc2119</a>>.
[<a id="ref-RFC5198">RFC5198</a>] Klensin, J. and M. Padlipsky, "Unicode Format for Network
Interchange", <a href="./rfc5198">RFC 5198</a>, DOI 10.17487/RFC5198, March 2008,
<<a href="https://www.rfc-editor.org/info/rfc5198">http://www.rfc-editor.org/info/rfc5198</a>>.
[<a id="ref-RFC6365">RFC6365</a>] Hoffman, P. and J. Klensin, "Terminology Used in
Internationalization in the IETF", <a href="https://www.rfc-editor.org/bcp/bcp166">BCP 166</a>, <a href="./rfc6365">RFC 6365</a>,
DOI 10.17487/RFC6365, September 2011,
<<a href="https://www.rfc-editor.org/info/rfc6365">http://www.rfc-editor.org/info/rfc6365</a>>.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 35]</span><span id="page-36" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
[<a id="ref-Unicode">Unicode</a>] The Unicode Consortium, "The Unicode Standard",
<<a href="http://www.unicode.org/versions/latest/">http://www.unicode.org/versions/latest/</a>>.
[<a id="ref-Unicode7.0">Unicode7.0</a>]
The Unicode Consortium, "The Unicode Standard, Version
7.0.0", (Mountain View, CA: The Unicode Consortium, 2014
ISBN 978-1-936213-09-2),
<<a href="http://www.unicode.org/versions/Unicode7.0.0/">http://www.unicode.org/versions/Unicode7.0.0/</a>>.
<span class="h3"><a class="selflink" id="section-14.2" href="#section-14.2">14.2</a>. Informative References</span>
[<a id="ref-DerivedCoreProperties">DerivedCoreProperties</a>]
The Unicode Consortium, "DerivedCoreProperties-7.0.0.txt",
Unicode Character Database, February 2014,
<<a href="http://www.unicode.org/Public/UCD/latest/ucd/DerivedCoreProperties.txt">http://www.unicode.org/Public/UCD/latest/ucd/</a>
<a href="http://www.unicode.org/Public/UCD/latest/ucd/DerivedCoreProperties.txt">DerivedCoreProperties.txt</a>>.
[<a id="ref-IAB-Statement">IAB-Statement</a>]
Internet Architecture Board, "IAB Statement on Identifiers
and Unicode 7.0.0", February 2015, <<a href="https://www.iab.org/documents/correspondence-reports-documents/2015-2/iab-statement-on-identifiers-and-unicode-7-0-0/">https://www.iab.org/</a>
<a href="https://www.iab.org/documents/correspondence-reports-documents/2015-2/iab-statement-on-identifiers-and-unicode-7-0-0/">documents/correspondence-reports-documents/</a>
<a href="https://www.iab.org/documents/correspondence-reports-documents/2015-2/iab-statement-on-identifiers-and-unicode-7-0-0/">2015-2/iab-statement-on-identifiers-and-unicode-7-0-0/</a>>.
[<a id="ref-IDNA-Unicode">IDNA-Unicode</a>]
Klensin, J. and P. Faltstrom, "IDNA Update for Unicode
7.0.0", Work in Progress,
<a href="./draft-klensin-idna-5892upd-unicode70-04">draft-klensin-idna-5892upd-unicode70-04</a>, March 2015.
[<a id="ref-PRECIS-Mappings">PRECIS-Mappings</a>]
Yoneya, Y. and T. Nemoto, "Mapping characters for PRECIS
classes", Work in Progress, <a href="./draft-ietf-precis-mappings-10">draft-ietf-precis-mappings-10</a>,
May 2015.
[<a id="ref-PRECIS-Nickname">PRECIS-Nickname</a>]
Saint-Andre, P., "Preparation, Enforcement, and Comparison
of Internationalized Strings Representing Nicknames", Work
in Progress, <a href="./draft-ietf-precis-nickname-17">draft-ietf-precis-nickname-17</a>, April 2015.
[<a id="ref-PRECIS-Users-Pwds">PRECIS-Users-Pwds</a>]
Saint-Andre, P. and A. Melnikov, "Preparation,
Enforcement, and Comparison of Internationalized Strings
Representing Usernames and Passwords", Work in Progress,
<a href="./draft-ietf-precis-saslprepbis-17">draft-ietf-precis-saslprepbis-17</a>, May 2015.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 36]</span><span id="page-37" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
[<a id="ref-PropertyAliases">PropertyAliases</a>]
The Unicode Consortium, "PropertyAliases-7.0.0.txt",
Unicode Character Database, November 2013,
<<a href="http://www.unicode.org/Public/UCD/latest/ucd/PropertyAliases.txt">http://www.unicode.org/Public/UCD/latest/ucd/</a>
<a href="http://www.unicode.org/Public/UCD/latest/ucd/PropertyAliases.txt">PropertyAliases.txt</a>>.
[<a id="ref-RFC2865">RFC2865</a>] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
<a href="./rfc2865">RFC 2865</a>, DOI 10.17487/RFC2865, June 2000,
<<a href="https://www.rfc-editor.org/info/rfc2865">http://www.rfc-editor.org/info/rfc2865</a>>.
[<a id="ref-RFC3454">RFC3454</a>] Hoffman, P. and M. Blanchet, "Preparation of
Internationalized Strings ("stringprep")", <a href="./rfc3454">RFC 3454</a>,
DOI 10.17487/RFC3454, December 2002,
<<a href="https://www.rfc-editor.org/info/rfc3454">http://www.rfc-editor.org/info/rfc3454</a>>.
[<a id="ref-RFC3490">RFC3490</a>] Faltstrom, P., Hoffman, P., and A. Costello,
"Internationalizing Domain Names in Applications (IDNA)",
<a href="./rfc3490">RFC 3490</a>, DOI 10.17487/RFC3490, March 2003,
<<a href="https://www.rfc-editor.org/info/rfc3490">http://www.rfc-editor.org/info/rfc3490</a>>.
[<a id="ref-RFC3491">RFC3491</a>] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep
Profile for Internationalized Domain Names (IDN)",
<a href="./rfc3491">RFC 3491</a>, DOI 10.17487/RFC3491, March 2003,
<<a href="https://www.rfc-editor.org/info/rfc3491">http://www.rfc-editor.org/info/rfc3491</a>>.
[<a id="ref-RFC3629">RFC3629</a>] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, <a href="./rfc3629">RFC 3629</a>, DOI 10.17487/RFC3629, November
2003, <<a href="https://www.rfc-editor.org/info/rfc3629">http://www.rfc-editor.org/info/rfc3629</a>>.
[<a id="ref-RFC4422">RFC4422</a>] Melnikov, A., Ed., and K. Zeilenga, Ed., "Simple
Authentication and Security Layer (SASL)", <a href="./rfc4422">RFC 4422</a>,
DOI 10.17487/RFC4422, June 2006,
<<a href="https://www.rfc-editor.org/info/rfc4422">http://www.rfc-editor.org/info/rfc4422</a>>.
[<a id="ref-RFC4510">RFC4510</a>] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
(LDAP): Technical Specification Road Map", <a href="./rfc4510">RFC 4510</a>,
DOI 10.17487/RFC4510, June 2006,
<<a href="https://www.rfc-editor.org/info/rfc4510">http://www.rfc-editor.org/info/rfc4510</a>>.
[<a id="ref-RFC4690">RFC4690</a>] Klensin, J., Faltstrom, P., Karp, C., and IAB, "Review and
Recommendations for Internationalized Domain Names
(IDNs)", <a href="./rfc4690">RFC 4690</a>, DOI 10.17487/RFC4690, September 2006,
<<a href="https://www.rfc-editor.org/info/rfc4690">http://www.rfc-editor.org/info/rfc4690</a>>.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 37]</span><span id="page-38" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
[<a id="ref-RFC5226">RFC5226</a>] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", <a href="https://www.rfc-editor.org/bcp/bcp26">BCP 26</a>, <a href="./rfc5226">RFC 5226</a>,
DOI 10.17487/RFC5226, May 2008,
<<a href="https://www.rfc-editor.org/info/rfc5226">http://www.rfc-editor.org/info/rfc5226</a>>.
[<a id="ref-RFC5234">RFC5234</a>] Crocker, D., Ed., and P. Overell, "Augmented BNF for
Syntax Specifications: ABNF", STD 68, <a href="./rfc5234">RFC 5234</a>,
DOI 10.17487/RFC5234, January 2008,
<<a href="https://www.rfc-editor.org/info/rfc5234">http://www.rfc-editor.org/info/rfc5234</a>>.
[<a id="ref-RFC5246">RFC5246</a>] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", <a href="./rfc5246">RFC 5246</a>,
DOI 10.17487/RFC5246, August 2008,
<<a href="https://www.rfc-editor.org/info/rfc5246">http://www.rfc-editor.org/info/rfc5246</a>>.
[<a id="ref-RFC5890">RFC5890</a>] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework",
<a href="./rfc5890">RFC 5890</a>, DOI 10.17487/RFC5890, August 2010,
<<a href="https://www.rfc-editor.org/info/rfc5890">http://www.rfc-editor.org/info/rfc5890</a>>.
[<a id="ref-RFC5891">RFC5891</a>] Klensin, J., "Internationalized Domain Names in
Applications (IDNA): Protocol", <a href="./rfc5891">RFC 5891</a>,
DOI 10.17487/RFC5891, August 2010,
<<a href="https://www.rfc-editor.org/info/rfc5891">http://www.rfc-editor.org/info/rfc5891</a>>.
[<a id="ref-RFC5892">RFC5892</a>] Faltstrom, P., Ed., "The Unicode Code Points and
Internationalized Domain Names for Applications (IDNA)",
<a href="./rfc5892">RFC 5892</a>, DOI 10.17487/RFC5892, August 2010,
<<a href="https://www.rfc-editor.org/info/rfc5892">http://www.rfc-editor.org/info/rfc5892</a>>.
[<a id="ref-RFC5893">RFC5893</a>] Alvestrand, H., Ed., and C. Karp, "Right-to-Left Scripts
for Internationalized Domain Names for Applications
(IDNA)", <a href="./rfc5893">RFC 5893</a>, DOI 10.17487/RFC5893, August 2010,
<<a href="https://www.rfc-editor.org/info/rfc5893">http://www.rfc-editor.org/info/rfc5893</a>>.
[<a id="ref-RFC5894">RFC5894</a>] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Background, Explanation, and
Rationale", <a href="./rfc5894">RFC 5894</a>, DOI 10.17487/RFC5894, August 2010,
<<a href="https://www.rfc-editor.org/info/rfc5894">http://www.rfc-editor.org/info/rfc5894</a>>.
[<a id="ref-RFC5895">RFC5895</a>] Resnick, P. and P. Hoffman, "Mapping Characters for
Internationalized Domain Names in Applications (IDNA)
2008", <a href="./rfc5895">RFC 5895</a>, DOI 10.17487/RFC5895, September 2010,
<<a href="https://www.rfc-editor.org/info/rfc5895">http://www.rfc-editor.org/info/rfc5895</a>>.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 38]</span><span id="page-39" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
[<a id="ref-RFC6452">RFC6452</a>] Faltstrom, P., Ed., and P. Hoffman, Ed., "The Unicode Code
Points and Internationalized Domain Names for Applications
(IDNA) - Unicode 6.0", <a href="./rfc6452">RFC 6452</a>, DOI 10.17487/RFC6452,
November 2011, <<a href="https://www.rfc-editor.org/info/rfc6452">http://www.rfc-editor.org/info/rfc6452</a>>.
[<a id="ref-RFC6885">RFC6885</a>] Blanchet, M. and A. Sullivan, "Stringprep Revision and
Problem Statement for the Preparation and Comparison of
Internationalized Strings (PRECIS)", <a href="./rfc6885">RFC 6885</a>,
DOI 10.17487/RFC6885, March 2013,
<<a href="https://www.rfc-editor.org/info/rfc6885">http://www.rfc-editor.org/info/rfc6885</a>>.
[<a id="ref-RFC6943">RFC6943</a>] Thaler, D., Ed., "Issues in Identifier Comparison for
Security Purposes", <a href="./rfc6943">RFC 6943</a>, DOI 10.17487/RFC6943, May
2013, <<a href="https://www.rfc-editor.org/info/rfc6943">http://www.rfc-editor.org/info/rfc6943</a>>.
[<a id="ref-UAX11">UAX11</a>] Unicode Standard Annex #11, "East Asian Width", edited by
Ken Lunde. An integral part of The Unicode Standard,
<<a href="http://unicode.org/reports/tr11/">http://unicode.org/reports/tr11/</a>>.
[<a id="ref-UAX15">UAX15</a>] Unicode Standard Annex #15, "Unicode Normalization Forms",
edited by Mark Davis and Ken Whistler. An integral part of
The Unicode Standard, <<a href="http://unicode.org/reports/tr15/">http://unicode.org/reports/tr15/</a>>.
[<a id="ref-UAX9">UAX9</a>] Unicode Standard Annex #9, "Unicode Bidirectional
Algorithm", edited by Mark Davis, Aharon Lanin, and Andrew
Glass. An integral part of The Unicode Standard,
<<a href="http://unicode.org/reports/tr9/">http://unicode.org/reports/tr9/</a>>.
[<a id="ref-UTR36">UTR36</a>] Unicode Technical Report #36, "Unicode Security
Considerations", by Mark Davis and Michel Suignard,
<<a href="http://unicode.org/reports/tr36/">http://unicode.org/reports/tr36/</a>>.
[<a id="ref-UTS39">UTS39</a>] Unicode Technical Standard #39, "Unicode Security
Mechanisms", edited by Mark Davis and Michel Suignard,
<<a href="http://unicode.org/reports/tr39/">http://unicode.org/reports/tr39/</a>>.
[<a id="ref-XMPP-Addr-Format">XMPP-Addr-Format</a>]
Saint-Andre, P., "Extensible Messaging and Presence
Protocol (XMPP): Address Format", Work in Progress,
<a href="./draft-ietf-xmpp-6122bis-22">draft-ietf-xmpp-6122bis-22</a>, May 2015.
<span class="grey">Saint-Andre & Blanchet Standards Track [Page 39]</span><span id="page-40" ></span>
<span class="grey"><a href="./rfc7564">RFC 7564</a> PRECIS Framework May 2015</span>
Acknowledgements
The authors would like to acknowledge the comments and contributions
of the following individuals during working group discussion: David
Black, Edward Burns, Dan Chiba, Mark Davis, Alan DeKok, Martin
Duerst, Patrik Faltstrom, Ted Hardie, Joe Hildebrand, Bjoern
Hoehrmann, Paul Hoffman, Jeffrey Hutzelman, Simon Josefsson, John
Klensin, Alexey Melnikov, Takahiro Nemoto, Yoav Nir, Mike Parker,
Pete Resnick, Andrew Sullivan, Dave Thaler, Yoshiro Yoneya, and
Florian Zeitz.
Special thanks are due to John Klensin and Patrik Faltstrom for their
challenging feedback and detailed reviews.
Charlie Kaufman, Tom Taylor, and Tim Wicinski reviewed the document
on behalf of the Security Directorate, the General Area Review Team,
and the Operations and Management Directorate, respectively.
During IESG review, Alissa Cooper, Stephen Farrell, and Barry Leiba
provided comments that led to further improvements.
Some algorithms and textual descriptions have been borrowed from
[<a href="./rfc5892" title=""The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)"">RFC5892</a>]. Some text regarding security has been borrowed from
[<a href="./rfc5890" title=""Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework"">RFC5890</a>], [<a href="#ref-PRECIS-Users-Pwds">PRECIS-Users-Pwds</a>], and [<a href="#ref-XMPP-Addr-Format">XMPP-Addr-Format</a>].
Peter Saint-Andre wishes to acknowledge Cisco Systems, Inc., for
employing him during his work on earlier draft versions of this
document.
Authors' Addresses
Peter Saint-Andre
&yet
EMail: [email protected]
URI: <a href="https://andyet.com/">https://andyet.com/</a>
Marc Blanchet
Viagenie
246 Aberdeen
Quebec, QC G1R 2E1
Canada
EMail: [email protected]
URI: <a href="http://www.viagenie.ca/">http://www.viagenie.ca/</a>
Saint-Andre & Blanchet Standards Track [Page 40]
Annotations
Select text to annotate