Network Working Group                                        K. Zeilenga
Request for Comments: 4013                           OpenLDAP Foundation
Category: Standards Track                                  February 2005
        
Network Working Group                                        K. Zeilenga
Request for Comments: 4013                           OpenLDAP Foundation
Category: Standards Track                                  February 2005
        

SASLprep: Stringprep Profile for User Names and Passwords

SASLprep:Stringprep用户名和密码配置文件

Status of This Memo

关于下段备忘

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (2005).

版权所有(C)互联网协会(2005年)。

Abstract

摘要

This document describes how to prepare Unicode strings representing user names and passwords for comparison. The document defines the "SASLprep" profile of the "stringprep" algorithm to be used for both user names and passwords. This profile is intended to be used by Simple Authentication and Security Layer (SASL) mechanisms (such as PLAIN, CRAM-MD5, and DIGEST-MD5), as well as other protocols exchanging simple user names and/or passwords.

本文档介绍如何准备表示用户名和密码的Unicode字符串以进行比较。该文档定义了用于用户名和密码的“stringprep”算法的“SASLprep”配置文件。此配置文件旨在由简单身份验证和安全层(SASL)机制(如PLAIN、CRAM-MD5和DIGEST-MD5)以及交换简单用户名和/或密码的其他协议使用。

1. Introduction
1. 介绍

The use of simple user names and passwords in authentication and authorization is pervasive on the Internet. To increase the likelihood that user name and password input and comparison work in ways that make sense for typical users throughout the world, this document defines rules for preparing internationalized user names and passwords for comparison. For simplicity and implementation ease, a single algorithm is defined for both user names and passwords.

在互联网上,在身份验证和授权中使用简单的用户名和密码是非常普遍的。为了提高用户名和密码输入和比较工作的可能性,使其对世界各地的典型用户都有意义,本文档定义了准备用于比较的国际化用户名和密码的规则。为了简单和易于实现,为用户名和密码定义了一个算法。

The algorithm assumes all strings are comprised of characters from the Unicode [Unicode] character set.

该算法假定所有字符串都由Unicode[Unicode]字符集的字符组成。

This document defines the "SASLprep" profile of the "stringprep" algorithm [StringPrep].

本文档定义了“stringprep”算法[stringprep]的“SASLprep”配置文件。

The profile is designed for use in Simple Authentication and Security Layer ([SASL]) mechanisms, such as [PLAIN], [CRAM-MD5], and [DIGEST-MD5]. It may be applicable where simple user names and

该概要文件设计用于简单身份验证和安全层([SASL])机制,如[PLAIN]、[CRAM-MD5]和[DIGEST-MD5]。它可能适用于简单的用户名和

passwords are used. This profile is not intended for use in preparing identity strings that are not simple user names (e.g., email addresses, domain names, distinguished names), or where identity or password strings that are not character data, or require different handling (e.g., case folding).

使用密码。此配置文件不用于准备非简单用户名的身份字符串(例如,电子邮件地址、域名、可分辨名称),也不用于非字符数据的身份或密码字符串,或需要不同处理(例如,大小写折叠)的情况。

This document does not alter the technical specification of any existing protocols. Any specification that wishes to use the algorithm described in this document needs to explicitly incorporate this document and provide precise details as to where and how this algorithm is used by implementations of that specification.

本文件不改变任何现有协议的技术规范。任何希望使用本文档中描述的算法的规范都需要明确纳入本文档,并提供关于该规范的实现在何处以及如何使用该算法的精确细节。

2. The SASLprep Profile
2. SASLprep配置文件

This section defines the "SASLprep" profile of the "stringprep" algorithm [StringPrep]. This profile is intended for use in preparing strings representing simple user names and passwords.

本节定义了“stringprep”算法[stringprep]的“SASLprep”配置文件。此配置文件用于准备表示简单用户名和密码的字符串。

This profile uses Unicode 3.2 [Unicode].

此配置文件使用Unicode 3.2[Unicode]。

Character names in this document use the notation for code points and names from the Unicode Standard [Unicode]. For example, the letter "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>. In the lists of mappings and the prohibited characters, the "U+" is left off to make the lists easier to read. The comments for character ranges are shown in square brackets (such as "[CONTROL CHARACTERS]") and do not come from the standard.

本文档中的字符名称使用Unicode标准[Unicode]中的代码点和名称表示法。例如,字母“a”可以表示为<U+0061>或<拉丁文小写字母a>。在映射和禁止字符的列表中,省略“U+”以使列表更易于阅读。字符范围的注释显示在方括号中(如“[控制字符]”),并非来自标准。

Note: A glossary of terms used in Unicode can be found in [Glossary]. Information on the Unicode character encoding model can be found in [CharModel].

注:Unicode中使用的术语表可在[glossary]中找到。有关Unicode字符编码模型的信息可在[CharModel]中找到。

2.1. Mapping
2.1. 映射

This profile specifies:

此配置文件指定:

- non-ASCII space characters [StringPrep, C.1.2] that can be mapped to SPACE (U+0020), and

- 可映射到空格(U+0020)的非ASCII空格字符[StringPrep,C.1.2],以及

- the "commonly mapped to nothing" characters [StringPrep, B.1] that can be mapped to nothing.

- 可以映射为空的“通常映射为空”字符[StringPrep,B.1]。

2.2. Normalization
2.2. 规范化

This profile specifies using Unicode normalization form KC, as described in Section 4 of [StringPrep].

如[StringPrep]第4节所述,此配置文件使用Unicode规范化形式KC进行指定。

2.3. Prohibited Output
2.3. 禁止输出

This profile specifies the following characters as prohibited input:

此配置文件将以下字符指定为禁止输入:

- Non-ASCII space characters [StringPrep, C.1.2] - ASCII control characters [StringPrep, C.2.1] - Non-ASCII control characters [StringPrep, C.2.2] - Private Use characters [StringPrep, C.3] - Non-character code points [StringPrep, C.4] - Surrogate code points [StringPrep, C.5] - Inappropriate for plain text characters [StringPrep, C.6] - Inappropriate for canonical representation characters [StringPrep, C.7] - Change display properties or deprecated characters [StringPrep, C.8] - Tagging characters [StringPrep, C.9]

- 非ASCII空格字符[StringPrep,C.1.2]-ASCII控制字符[StringPrep,C.2.1]-非ASCII控制字符[StringPrep,C.2.2]-专用字符[StringPrep,C.3]-非字符代码点[StringPrep,C.4]-代理代码点[StringPrep,C.5]-不适用于纯文本字符[StringPrep,C.6]-不适用于规范表示字符[StringPrep,C.7]-更改显示属性或不推荐使用的字符[StringPrep,C.8]-标记字符[StringPrep,C.9]

2.4. Bidirectional Characters
2.4. 双向字符

This profile specifies checking bidirectional strings as described in [StringPrep, Section 6].

此配置文件指定检查双向字符串,如[StringPrep,第6节]中所述。

2.5. Unassigned Code Points
2.5. 未分配代码点

This profile specifies the [StringPrep, A.1] table as its list of unassigned code points.

此配置文件将[StringPrep,A.1]表指定为其未分配代码点列表。

3. Examples
3. 例子

The following table provides examples of how various character data is transformed by the SASLprep string preparation algorithm

下表提供了SASLprep字符串准备算法如何转换各种字符数据的示例

   #  Input            Output     Comments
   -  -----            ------     --------
   1  I<U+00AD>X       IX         SOFT HYPHEN mapped to nothing
   2  user             user       no transformation
   3  USER             USER       case preserved, will not match #2
   4  <U+00AA>         a          output is NFKC, input in ISO 8859-1
   5  <U+2168>         IX         output is NFKC, will match #1
   6  <U+0007>                    Error - prohibited character
   7  <U+0627><U+0031>            Error - bidirectional check
        
   #  Input            Output     Comments
   -  -----            ------     --------
   1  I<U+00AD>X       IX         SOFT HYPHEN mapped to nothing
   2  user             user       no transformation
   3  USER             USER       case preserved, will not match #2
   4  <U+00AA>         a          output is NFKC, input in ISO 8859-1
   5  <U+2168>         IX         output is NFKC, will match #1
   6  <U+0007>                    Error - prohibited character
   7  <U+0627><U+0031>            Error - bidirectional check
        
4. Security Considerations
4. 安全考虑

This profile is intended to prepare simple user name and password strings for comparison or use in cryptographic functions (e.g., message digests). The preparation algorithm was specifically designed such that its output is canonical, and it is well-formed.

此配置文件旨在准备简单的用户名和密码字符串,以便在加密功能(例如,消息摘要)中进行比较或使用。准备算法是专门设计的,其输出是规范的,并且格式良好。

However, due to an anomaly [PR29] in the specification of Unicode normalization, canonical equivalence is not guaranteed for a select few character sequences. These sequences, however, do not appear in well-formed text. This specification was published despite this known technical problem. It is expected that this specification will be revised before further progression on the Standards Track (after [Unicode] and/or [StringPrep] specifications have been updated to address this problem).

然而,由于Unicode规范化规范中存在异常[PR29],无法保证选定的几个字符序列的规范等价性。但是,这些序列不会出现在格式良好的文本中。尽管存在这个已知的技术问题,本规范还是发布了。预计本规范将在标准轨道上进一步发展之前进行修订(在[Unicode]和/或[StringPrep]规范更新以解决此问题之后)。

It is not intended for preparing identity strings that are not simple user names (e.g., distinguished names, domain names), nor is the profile intended for use of simple user names that require different handling (such as case folding). Protocols (or applications of those protocols) that have application-specific identity forms and/or comparison algorithms should use mechanisms specifically designed for these forms and algorithms.

它不用于准备非简单用户名(例如,可分辨名称、域名)的标识字符串,也不用于需要不同处理(例如大小写折叠)的简单用户名。具有特定于应用程序的标识形式和/或比较算法的协议(或这些协议的应用程序)应使用专门为这些形式和算法设计的机制。

Application of string preparation may have an impact upon the feasibility of brute force and dictionary attacks. While the number of possible prepared strings is less than the number of possible Unicode strings, the number of usable names and passwords is greater than as if only ASCII was used. Though SASLprep eliminates some Unicode code point sequences as possible prepared strings, that elimination generally makes the (canonical) output forms practicable and prohibits nonsensical inputs.

字符串准备的应用可能会影响暴力和字典攻击的可行性。虽然可能准备的字符串的数量小于可能的Unicode字符串的数量,但可用名称和密码的数量大于仅使用ASCII的数量。尽管SASLprep消除了一些Unicode码点序列作为可能的准备字符串,但这种消除通常会使(规范的)输出形式切实可行,并禁止无意义的输入。

User names and passwords should be protected from eavesdropping.

应保护用户名和密码不被窃听。

General "stringprep" and Unicode security considerations apply. Both are discussed in [StringPrep].

一般“stringprep”和Unicode安全注意事项适用。在[StringPrep]中讨论了这两个问题。

5. IANA Considerations
5. IANA考虑

This document details the "SASLprep" profile of the [StringPrep] protocol. This profile has been registered in the stringprep profile registry.

本文档详细介绍了[StringPrep]协议的“SASLprep”配置文件。此配置文件已在stringprep配置文件注册表中注册。

Name of this profile: SASLprep RFC in which the profile is defined: RFC 4013 Indicator whether or not this is the newest version of the profile: This is the first version of the SASPprep profile.

此配置文件的名称:定义配置文件的SASLprep RFC:RFC 4013指示符这是否是配置文件的最新版本:这是SASPREP配置文件的第一个版本。

6. Acknowledgement
6. 确认

This document borrows text from "Preparation of Internationalized Strings ('stringprep')" and "Nameprep: A Stringprep Profile for Internationalized Domain Names", both by Paul Hoffman and Marc Blanchet. This document is a product of the IETF SASL WG.

本文档借用了Paul Hoffman和Marc Blanchet的“准备国际化字符串('stringprep')”和“Nameprep:国际化域名的stringprep配置文件”中的文本。本文件是IETF SASL工作组的产品。

7. Normative References
7. 规范性引用文件

[StringPrep] Hoffman, P. and M. Blanchet, "Preparation of Internationalized Strings ("stringprep")", RFC 3454, December 2002.

[StringPrep]Hoffman,P.和M.Blanchet,“国际化弦的准备(“StringPrep”)”,RFC 3454,2002年12月。

[Unicode] The Unicode Consortium, "The Unicode Standard, Version 3.2.0" is defined by "The Unicode Standard, Version 3.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201- 61633-5), as amended by the "Unicode Standard Annex #27: Unicode 3.1" (http://www.unicode.org/reports/tr27/) and by the "Unicode Standard Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/).

[Unicode]Unicode联盟“Unicode标准,版本3.2.0”由“Unicode标准,版本3.0”(雷丁,马萨诸塞州,Addison-Wesley,2000.ISBN 0-201-61633-5)定义,并由“Unicode标准附录27:Unicode 3.1”修订(http://www.unicode.org/reports/tr27/)根据“Unicode标准附录28:Unicode 3.2”(http://www.unicode.org/reports/tr28/).

8. Informative References
8. 资料性引用

[Glossary] The Unicode Consortium, "Unicode Glossary", <http://www.unicode.org/glossary/>.

[词汇表]Unicode联盟,“Unicode词汇表”<http://www.unicode.org/glossary/>.

[CharModel] Whistler, K. and M. Davis, "Unicode Technical Report #17, Character Encoding Model", UTR17, <http://www.unicode.org/unicode/reports/tr17/>, August 2000.

[CharModel]Whistler,K.和M.Davis,“Unicode技术报告#17,字符编码模型”,UTR17<http://www.unicode.org/unicode/reports/tr17/>,2000年8月。

[SASL] Melnikov, A., Ed., "Simple Authentication and Security Layer (SASL)", Work in Progress.

[SASL]Melnikov,A.,Ed.,“简单身份验证和安全层(SASL)”,正在进行中。

[CRAM-MD5] Nerenberg, L., "The CRAM-MD5 SASL Mechanism", Work in Progress.

[CRAM-MD5]Nerenberg,L.,“CRAM-MD5 SASL机制”,正在进行中。

[DIGEST-MD5] Leach, P., Newman, C., and A. Melnikov, "Using Digest Authentication as a SASL Mechanism", Work in Progress.

[DIGEST-MD5]Leach,P.,Newman,C.,和A.Melnikov,“使用摘要认证作为SASL机制”,工作正在进行中。

[PLAIN] Zeilenga, K., Ed., "The Plain SASL Mechanism", Work in Progress.

[平原]Zeilenga,K.,Ed.,“平原SASL机制”,正在进行的工作。

[PR29] "Public Review Issue #29: Normalization Issue", <http://www.unicode.org/review/pr-29.html>, February 2004.

[PR29]“公共审查问题#29:规范化问题”<http://www.unicode.org/review/pr-29.html>,2004年2月。

Author's Address

作者地址

Kurt D. Zeilenga OpenLDAP Foundation

库尔特D.Zeeliga OpenLDAP基金会

   EMail: Kurt@OpenLDAP.org
        
   EMail: Kurt@OpenLDAP.org
        

Full Copyright Statement

完整版权声明

Copyright (C) The Internet Society (2005).

版权所有(C)互联网协会(2005年)。

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Intellectual Property

知识产权

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the IETF's procedures with respect to rights in IETF Documents can be found in BCP 78 and BCP 79.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关IETF文件中权利的IETF程序信息,请参见BCP 78和BCP 79。

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。