Network Working Group P. Saint-Andre Internet-Draft Cisco Systems, Inc. Intended status: Informational May 8, 2013 Expires: November 9, 2013 Username Interoperability draft-saintandre-username-interop-00 Abstract Various Internet protocols have defined constructs for usernames. This document describes a subset of characters to allow in usernames for maximal interoperability across Internet protocols. The subset might prove useful in cases where a provider offers multiple services using the same underlying identifier. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on November 9, 2013. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Saint-Andre Expires November 9, 2013 [Page 1] Internet-Draft Username Interoperability May 2013 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Subset . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Security Considerations . . . . . . . . . . . . . . . . . . . . 3 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 3 5. Informative References . . . . . . . . . . . . . . . . . . . . 3 Appendix A. Analysis . . . . . . . . . . . . . . . . . . . . . . . 5 Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . . 9 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 9 Saint-Andre Expires November 9, 2013 [Page 2] Internet-Draft Username Interoperability May 2013 1. Introduction Various Internet protocols have defined constructs for usernames. This document describes a subset of characters to allow in usernames for maximal interoperability across Internet protocols. The subset might prove useful in cases where a provider offers multiple services using the same underlying identifier. 2. Subset The following definition, in Augmented Backus-Naur Form (ABNF) [RFC5234], describes an interoperable subset of characters for localparts / usernames: localpart = 1*(interopchar) interopchar = ALPHA / DIGIT / "!" / "$" / "*" / "+" / "-" / "=" / "_" / "`" / "|" / "~" The reasoning behind this subset is provided in Appendix A. An internationalized version would add the 'ucschar' rule from [RFC3987]. However, note that allowing characters outside the ASCII range [RFC20] can introduce numerous complexities; such issues are discussed in [I-D.ietf-precis-framework] among other specifications. 3. Security Considerations Deploying usernames that are interoperable across multiple protocols could potentially give malicious entities multiple ways to attack an account or user. 4. IANA Considerations This document has no actions for the IANA. 5. Informative References [I-D.ietf-appsawg-acct-uri] Saint-Andre, P., "The 'acct' URI Scheme", draft-ietf-appsawg-acct-uri-04 (work in progress), May 2013. [I-D.ietf-precis-framework] Saint-Andre, P. and M. Blanchet, "Precis Framework: Saint-Andre Expires November 9, 2013 [Page 3] Internet-Draft Username Interoperability May 2013 Handling Internationalized Strings in Protocols", draft-ietf-precis-framework-06 (work in progress), September 2012. [RFC20] Cerf, V., "ASCII format for network interchange", RFC 20, October 1969. [RFC821] Postel, J., "Simple Mail Transfer Protocol", STD 10, RFC 821, August 1982. [RFC2822] Resnick, P., "Internet Message Format", RFC 2822, April 2001. [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. [RFC3856] Rosenberg, J., "A Presence Event Package for the Session Initiation Protocol (SIP)", RFC 3856, August 2004. [RFC3860] Peterson, J., "Common Profile for Instant Messaging (CPIM)", RFC 3860, August 2004. [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005. [RFC3987] Duerst, M. and M. Suignard, "Internationalized Resource Identifiers (IRIs)", RFC 3987, January 2005. [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos Network Authentication Service (V5)", RFC 4120, July 2005. [RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The Network Access Identifier", RFC 4282, December 2005. [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008. [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, October 2008. [RFC6120] Saint-Andre, P., "Extensible Messaging and Presence Protocol (XMPP): Core", RFC 6120, March 2011. Saint-Andre Expires November 9, 2013 [Page 4] Internet-Draft Username Interoperability May 2013 Appendix A. Analysis This document takes the following username constructs into consideration: o Email addresses [RFC5322] o Kerberos Principal Names [RFC4120] o Network Address Identifiers [RFC4282] o SIP URIs [RFC3261] o Instant messaging URIs [RFC3860] and presence URIs [RFC3856] o XMPP addresses (a.k.a. Jabber Identifiers) [RFC6120] o Account URIs [I-D.ietf-appsawg-acct-uri] Each of those address formats defines something that can be used as the "local part" of an address. The local part of an email address uses either the "local-part" or the "dot-atom-text" rule in [RFC5322]. Here we make the simplifying assumption that the "dot-atom-text" rule applies: dot-atom-text = 1*atext *("." 1*atext) atext = ALPHA / DIGIT / ; Any character except "!" / "#" / "$" / ; controls, SP, and "%" / "&" / "'" / ; specials. Used for "*" / "+" / "-" / ; atoms. "/" / "=" / "?" / "^" / "_" / "`" / "{" / "|" / "}" / "~" We make the same simplifying assumption for im: and pres: URIs (although their specifications reference [RFC2822]). A Kerberos Principal Name is a sequence of strings of type KerberosString, where each KerberosString is a GeneralString that is constrained to contain only characters in IA5String. PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString } KerberosString ::= GeneralString (IA5String) A Network Address Identifier inherits from [RFC821]. Here we care only about the "username" rule: Saint-Andre Expires November 9, 2013 [Page 5] Internet-Draft Username Interoperability May 2013 username = dot-string dot-string = string dot-string =/ dot-string "." string string = char string =/ string char char = c char =/ "\" x c = %x21 ; '!' allowed ; '"' not allowed c =/ %x23 ; '#' allowed c =/ %x24 ; '$' allowed c =/ %x25 ; '%' allowed c =/ %x26 ; '&' allowed c =/ %x27 ; ''' allowed ; '(', ')' not allowed c =/ %x2A ; '*' allowed c =/ %x2B ; '+' allowed ; ',' not allowed c =/ %x2D ; '-' allowed ; '.' not allowed c =/ %x2F ; '/' allowed c =/ %x30-39 ; '0'-'9' allowed ; ';', ':', '<' not allowed c =/ %x3D ; '=' allowed ; '>' not allowed c =/ %x3F ; '?' allowed ; '@' not allowed c =/ %x41-5a ; 'A'-'Z' allowed ; '[', '\', ']' not allowed c =/ %x5E ; '^' allowed c =/ %x5F ; '_' allowed c =/ %x60 ; '`' allowed c =/ %x61-7A ; 'a'-'z' allowed c =/ %x7B ; '{' allowed c =/ %x7C ; '|' allowed c =/ %x7D ; '}' allowed c =/ %x7E ; '~' allowed ; DEL not allowed c =/ %x80-FF ; UTF-8-Octet allowed x = %x00-FF ; all 128 ASCII characters The local part of a sip:/sips: URI inherits from the "userinfo" rule in [RFC3986] with several changes; here we discuss the SIP "user" rule only: Saint-Andre Expires November 9, 2013 [Page 6] Internet-Draft Username Interoperability May 2013 user = 1*( unreserved / escaped / user-unreserved ) user-unreserved = "&" / "=" / "+" / "$" / "," / ";" / "?" / "/" unreserved = alphanum / mark mark = "-" / "_" / "." / "!" / "~" / "*" / "'" / "(" / ")" The local part of an XMPP address allows any ASCII character except space, controls, and the " & ' / : < > @ characters. The 'acct' URI syntax borrows the 'host', 'pct-encoded', 'sub- delims', 'unreserved' rules from [RFC3986]: acctURI = "acct" ":" userpart "@" host userpart = unreserved / sub-delims 0*( unreserved / pct-encoded / sub-delims ) To summarize the foregoing information, the following table lists the allowed and disallowed characters in the local part of identifiers for each protocol (aside from the alphanumeric, space, and control characters), in order by hexadecimal character number (where each "A" row shows the allowed characters and each "D" row shows the disallowed characters). Saint-Andre Expires November 9, 2013 [Page 7] Internet-Draft Username Interoperability May 2013 Table 1: Allowed and Disallowed Characters (Non-Alphanumeric) +---+----------------------------------+ | EMAIL ADDRESSES, IM/PRES URIs | +---+----------------------------------+ | A | ! #$%&' *+ - / = ? ^_`{|}~ | | D | " () , . :;< > @[\] | +---+----------------------------------+ | KERBEROS PRINCIPAL NAMES | +---+----------------------------------+ | A | !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ | | D | | +---+----------------------------------+ | NETWORK ADDRESS IDENTIFIERS | +---+----------------------------------+ | A | ! #$%&' *+ - / = ? ^_`{|}~ | | D | " () , . :;< > @[\] | +---+----------------------------------+ | SIP/SIPS URIs | +---+----------------------------------+ | A | ! $ &'()*+,-./ ; = ? _ ~ | | D | "# % : < > @[\]^ `{|} | +---+----------------------------------+ | XMPP ADDRESSES | +---+----------------------------------+ | A | ! #$% ()*+,-. ; = ? [\]^_`{|}~ | | D | " &' /: < > @ | +---+----------------------------------+ | ACCT URIs | +---+----------------------------------+ | A | ! $%&'()*+,-. ; = \ ^_`{|}~ | | D | "# /: < >?@[ ] | +---+----------------------------------+ The interoperable subset allows only characters that are allows in all of the foregoing formats, as shown in the following table. Table 2: Subset Characters (Non-Alphanumeric) +---+----------------------------------+ | INTEROPERABLE SUBSET | +---+----------------------------------+ | A | ! $ *+ - = _` | ~ | | D | "# %&'() , ./:;< >?@[\]^ { } | +---+----------------------------------+ Saint-Andre Expires November 9, 2013 [Page 8] Internet-Draft Username Interoperability May 2013 Appendix B. Acknowledgements Thanks to Sean Turner for inspiring the work on this document. Author's Address Peter Saint-Andre Cisco Systems, Inc. 1899 Wynkoop Street, Suite 600 Denver, CO 80202 USA Phone: +1-303-308-3282 Email: psaintan@cisco.com Saint-Andre Expires November 9, 2013 [Page 9]