tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Glossaries     Architecture     IMS     UICC    |    search     info

RFC 7564

 Errata 
Proposed STD
Pages: 40
Top     in Index     Prev     Next
in Group Index     Prev in Group     Next in Group     Group: PRECIS

PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols

Part 1 of 3, p. 1 to 17
None       Next RFC Part

Obsoletes:    3454


Top       ToC       Page 1 
Internet Engineering Task Force (IETF)                    P. Saint-Andre
Request for Comments: 7564                                          &yet
Obsoletes: 3454                                              M. Blanchet
Category: Standards Track                                       Viagenie
ISSN: 2070-1721                                                 May 2015


     PRECIS Framework: Preparation, Enforcement, and Comparison of
           Internationalized Strings in Application Protocols

Abstract

   Application protocols using Unicode characters in protocol strings
   need to properly handle such strings in order to enforce
   internationalization rules for strings placed in various protocol
   slots (such as addresses and identifiers) and to perform valid
   comparison operations (e.g., for purposes of authentication or
   authorization).  This document defines a framework enabling
   application protocols to perform the preparation, enforcement, and
   comparison of internationalized strings ("PRECIS") in a way that
   depends on the properties of Unicode characters and thus is agile
   with respect to versions of Unicode.  As a result, this framework
   provides a more sustainable approach to the handling of
   internationalized strings than the previous framework, known as
   Stringprep (RFC 3454).  This document obsoletes RFC 3454.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7564.

Page 2 
Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction ....................................................4
   2. Terminology .....................................................7
   3. Preparation, Enforcement, and Comparison ........................7
   4. String Classes ..................................................8
      4.1. Overview ...................................................8
      4.2. IdentifierClass ............................................9
           4.2.1. Valid ...............................................9
           4.2.2. Contextual Rule Required ...........................10
           4.2.3. Disallowed .........................................10
           4.2.4. Unassigned .........................................11
           4.2.5. Examples ...........................................11
      4.3. FreeformClass .............................................11
           4.3.1. Valid ..............................................11
           4.3.2. Contextual Rule Required ...........................12
           4.3.3. Disallowed .........................................12
           4.3.4. Unassigned .........................................12
           4.3.5. Examples ...........................................12
   5. Profiles .......................................................13
      5.1. Profiles Must Not Be Multiplied beyond Necessity ..........13
      5.2. Rules .....................................................14
           5.2.1. Width Mapping Rule .................................14
           5.2.2. Additional Mapping Rule ............................14
           5.2.3. Case Mapping Rule ..................................14
           5.2.4. Normalization Rule .................................15
           5.2.5. Directionality Rule ................................15
      5.3. A Note about Spaces .......................................16
   6. Applications ...................................................17
      6.1. How to Use PRECIS in Applications .........................17
      6.2. Further Excluded Characters ...............................18
      6.3. Building Application-Layer Constructs .....................18
   7. Order of Operations ............................................19

Top      ToC       Page 3 
   8. Code Point Properties ..........................................20
   9. Category Definitions Used to Calculate Derived Property ........22
      9.1. LetterDigits (A) ..........................................23
      9.2. Unstable (B) ..............................................23
      9.3. IgnorableProperties (C) ...................................23
      9.4. IgnorableBlocks (D) .......................................23
      9.5. LDH (E) ...................................................23
      9.6. Exceptions (F) ............................................23
      9.7. BackwardCompatible (G) ....................................23
      9.8. JoinControl (H) ...........................................24
      9.9. OldHangulJamo (I) .........................................24
      9.10. Unassigned (J) ...........................................24
      9.11. ASCII7 (K) ...............................................24
      9.12. Controls (L) .............................................24
      9.13. PrecisIgnorableProperties (M) ............................24
      9.14. Spaces (N) ...............................................25
      9.15. Symbols (O) ..............................................25
      9.16. Punctuation (P) ..........................................25
      9.17. HasCompat (Q) ............................................25
      9.18. OtherLetterDigits (R) ....................................25
   10. Guidelines for Designated Experts .............................26
   11. IANA Considerations ...........................................27
      11.1. PRECIS Derived Property Value Registry ...................27
      11.2. PRECIS Base Classes Registry .............................27
      11.3. PRECIS Profiles Registry .................................28
   12. Security Considerations .......................................29
      12.1. General Issues ...........................................29
      12.2. Use of the IdentifierClass ...............................30
      12.3. Use of the FreeformClass .................................30
      12.4. Local Character Set Issues ...............................31
      12.5. Visually Similar Characters ..............................31
      12.6. Security of Passwords ....................................33
   13. Interoperability Considerations ...............................34
      13.1. Encoding .................................................34
      13.2. Character Sets ...........................................34
      13.3. Unicode Versions .........................................34
      13.4. Potential Changes to Handling of Certain Unicode
            Code Points ..............................................34
   14. References ....................................................35
      14.1. Normative References .....................................35
      14.2. Informative References ...................................36
   Acknowledgements ..................................................40
   Authors' Addresses ................................................40

Top      ToC       Page 4 
1.  Introduction

   Application protocols using Unicode characters [Unicode] in protocol
   strings need to properly handle such strings in order to enforce
   internationalization rules for strings placed in various protocol
   slots (such as addresses and identifiers) and to perform valid
   comparison operations (e.g., for purposes of authentication or
   authorization).  This document defines a framework enabling
   application protocols to perform the preparation, enforcement, and
   comparison of internationalized strings ("PRECIS") in a way that
   depends on the properties of Unicode characters and thus is agile
   with respect to versions of Unicode.

   As described in the PRECIS problem statement [RFC6885], many IETF
   protocols have used the Stringprep framework [RFC3454] as the basis
   for preparing, enforcing, and comparing protocol strings that contain
   Unicode characters, especially characters outside the ASCII range
   [RFC20].  The Stringprep framework was developed during work on the
   original technology for internationalized domain names (IDNs), here
   called "IDNA2003" [RFC3490], and Nameprep [RFC3491] was the
   Stringprep profile for IDNs.  At the time, Stringprep was designed as
   a general framework so that other application protocols could define
   their own Stringprep profiles.  Indeed, a number of application
   protocols defined such profiles.

   After the publication of [RFC3454] in 2002, several significant
   issues arose with the use of Stringprep in the IDN case, as
   documented in the IAB's recommendations regarding IDNs [RFC4690]
   (most significantly, Stringprep was tied to Unicode version 3.2).
   Therefore, the newer IDNA specifications, here called "IDNA2008"
   ([RFC5890], [RFC5891], [RFC5892], [RFC5893], [RFC5894]), no longer
   use Stringprep and Nameprep.  This migration away from Stringprep for
   IDNs prompted other "customers" of Stringprep to consider new
   approaches to the preparation, enforcement, and comparison of
   internationalized strings, as described in [RFC6885].

Top      ToC       Page 5 
   This document defines a framework for a post-Stringprep approach to
   the preparation, enforcement, and comparison of internationalized
   strings in application protocols, based on several principles:

   1.  Define a small set of string classes that specify the Unicode
       characters (i.e., specific "code points") appropriate for common
       application protocol constructs.

   2.  Define each PRECIS string class in terms of Unicode code points
       and their properties so that an algorithm can be used to
       determine whether each code point or character category is
       (a) valid, (b) allowed in certain contexts, (c) disallowed, or
       (d) unassigned.

   3.  Use an "inclusion model" such that a string class consists only
       of code points that are explicitly allowed, with the result that
       any code point not explicitly allowed is forbidden.

   4.  Enable application protocols to define profiles of the PRECIS
       string classes if necessary (addressing matters such as width
       mapping, case mapping, Unicode normalization, and directionality)
       but strongly discourage the multiplication of profiles beyond
       necessity in order to avoid violations of the "Principle of Least
       Astonishment".

   It is expected that this framework will yield the following benefits:

   o  Application protocols will be agile with regard to Unicode
      versions.

   o  Implementers will be able to share code point tables and software
      code across application protocols, most likely by means of
      software libraries.

   o  End users will be able to acquire more accurate expectations about
      the characters that are acceptable in various contexts.  Given
      this more uniform set of string classes, it is also expected that
      copy/paste operations between software implementing different
      application protocols will be more predictable and coherent.

   Whereas the string classes define the "baseline" code points for a
   range of applications, profiling enables application protocols to
   apply the string classes in ways that are appropriate for common
   constructs such as usernames [PRECIS-Users-Pwds], opaque strings such
   as passwords [PRECIS-Users-Pwds], and nicknames [PRECIS-Nickname].
   Profiles are responsible for defining the handling of right-to-left
   characters as well as various mapping operations of the kind also
   discussed for IDNs in [RFC5895], such as case preservation or

Top      ToC       Page 6 
   lowercasing, Unicode normalization, mapping of certain characters to
   other characters or to nothing, and mapping of fullwidth and
   halfwidth characters.

   When an application applies a profile of a PRECIS string class, it
   transforms an input string (which might or might not be conforming)
   into an output string that definitively conforms to the profile.  In
   particular, this document focuses on the resulting ability to achieve
   the following objectives:

   a.  Enforcing all the rules of a profile for a single output string
       (e.g., to determine if a string can be included in a protocol
       slot, communicated to another entity within a protocol, stored in
       a retrieval system, etc.).

   b.  Comparing two output strings to determine if they are equivalent,
       typically through octet-for-octet matching to test for
       "bit-string identity" (e.g., to make an access decision for
       purposes of authentication or authorization as further described
       in [RFC6943]).

   The opportunity to define profiles naturally introduces the
   possibility of a proliferation of profiles, thus potentially
   mitigating the benefits of common code and violating user
   expectations.  See Section 5 for a discussion of this important
   topic.

   In addition, it is extremely important for protocol designers and
   application developers to understand that the transformation of an
   input string to an output string is rarely reversible.  As one
   relatively simple example, case mapping would transform an input
   string of "StPeter" to "stpeter", and information about the
   capitalization of the first and third characters would be lost.
   Similar considerations apply to other forms of mapping and
   normalization.

   Although this framework is similar to IDNA2008 and includes by
   reference some of the character categories defined in [RFC5892], it
   defines additional character categories to meet the needs of common
   application protocols other than DNS.

   The character categories and calculation rules defined under
   Sections 8 and 9 are normative and apply to all Unicode code points.
   The code point table that results from applying the character
   categories and calculation rules to the latest version of Unicode can
   be found in an IANA registry.

Top      ToC       Page 7 
2.  Terminology

   Many important terms used in this document are defined in [RFC5890],
   [RFC6365], [RFC6885], and [Unicode].  The terms "left-to-right" (LTR)
   and "right-to-left" (RTL) are defined in Unicode Standard Annex #9
   [UAX9].

   As of the date of writing, the version of Unicode published by the
   Unicode Consortium is 7.0 [Unicode7.0]; however, PRECIS is not tied
   to a specific version of Unicode.  The latest version of Unicode is
   always available [Unicode].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119].

3.  Preparation, Enforcement, and Comparison

   This document distinguishes between three different actions that an
   entity can take with regard to a string:

   o  Enforcement entails applying all of the rules specified for a
      particular string class or profile thereof to an individual
      string, for the purpose of determining if the string can be used
      in a given protocol slot.

   o  Comparison entails applying all of the rules specified for a
      particular string class or profile thereof to two separate
      strings, for the purpose of determining if the two strings are
      equivalent.

   o  Preparation entails only ensuring that the characters in an
      individual string are allowed by the underlying PRECIS string
      class.

   In most cases, authoritative entities such as servers are responsible
   for enforcement, whereas subsidiary entities such as clients are
   responsible only for preparation.  The rationale for this distinction
   is that clients might not have the facilities (in terms of device
   memory and processing power) to enforce all the rules regarding
   internationalized strings (such as width mapping and Unicode
   normalization), although they can more easily limit the repertoire of
   characters they offer to an end user.  By contrast, it is assumed
   that a server would have more capacity to enforce the rules, and in
   any case acts as an authority regarding allowable strings in protocol
   slots such as addresses and endpoint identifiers.  In addition, a

Top      ToC       Page 8 
   client cannot necessarily be trusted to properly generate such
   strings, especially for security-sensitive contexts such as
   authentication and authorization.

4.  String Classes

4.1.  Overview

   Starting in 2010, various "customers" of Stringprep began to discuss
   the need to define a post-Stringprep approach to the preparation and
   comparison of internationalized strings other than IDNs.  This
   community analyzed the existing Stringprep profiles and also weighed
   the costs and benefits of defining a relatively small set of Unicode
   characters that would minimize the potential for user confusion
   caused by visually similar characters (and thus be relatively "safe")
   vs. defining a much larger set of Unicode characters that would
   maximize the potential for user creativity (and thus be relatively
   "expressive").  As a result, the community concluded that most
   existing uses could be addressed by two string classes:

   IdentifierClass:  a sequence of letters, numbers, and some symbols
      that is used to identify or address a network entity such as a
      user account, a venue (e.g., a chatroom), an information source
      (e.g., a data feed), or a collection of data (e.g., a file); the
      intent is that this class will minimize user confusion in a wide
      variety of application protocols, with the result that safety has
      been prioritized over expressiveness for this class.

   FreeformClass:  a sequence of letters, numbers, symbols, spaces, and
      other characters that is used for free-form strings, including
      passwords as well as display elements such as human-friendly
      nicknames for devices or for participants in a chatroom; the
      intent is that this class will allow nearly any Unicode character,
      with the result that expressiveness has been prioritized over
      safety for this class.  Note well that protocol designers,
      application developers, service providers, and end users might not
      understand or be able to enter all of the characters that can be
      included in the FreeformClass -- see Section 12.3 for details.

   Future specifications might define additional PRECIS string classes,
   such as a class that falls somewhere between the IdentifierClass and
   the FreeformClass.  At this time, it is not clear how useful such a
   class would be.  In any case, because application developers are able
   to define profiles of PRECIS string classes, a protocol needing a
   construct between the IdentifierClass and the FreeformClass could
   define a restricted profile of the FreeformClass if needed.

Top      ToC       Page 9 
   The following subsections discuss the IdentifierClass and
   FreeformClass in more detail, with reference to the dimensions
   described in Section 5 of [RFC6885].  Each string class is defined by
   the following behavioral rules:

   Valid:  Defines which code points are treated as valid for the
      string.

   Contextual Rule Required:  Defines which code points are treated as
      allowed only if the requirements of a contextual rule are met
      (i.e., either CONTEXTJ or CONTEXTO).

   Disallowed:  Defines which code points need to be excluded from the
      string.

   Unassigned:  Defines application behavior in the presence of code
      points that are unknown (i.e., not yet designated) for the version
      of Unicode used by the application.

   This document defines the valid, contextual rule required,
   disallowed, and unassigned rules for the IdentifierClass and
   FreeformClass.  As described under Section 5, profiles of these
   string classes are responsible for defining the width mapping,
   additional mappings, case mapping, normalization, and directionality
   rules.

4.2.  IdentifierClass

   Most application technologies need strings that can be used to refer
   to, include, or communicate protocol strings like usernames,
   filenames, data feed identifiers, and chatroom names.  We group such
   strings into a class called "IdentifierClass" having the following
   features.

4.2.1.  Valid

   o  Code points traditionally used as letters and numbers in writing
      systems, i.e., the LetterDigits ("A") category first defined in
      [RFC5892] and listed here under Section 9.1.

   o  Code points in the range U+0021 through U+007E, i.e., the
      (printable) ASCII7 ("K") category defined under Section 9.11.
      These code points are "grandfathered" into PRECIS and thus are
      valid even if they would otherwise be disallowed according to the
      property-based rules specified in the next section.

Top      ToC       Page 10 
      Note: Although the PRECIS IdentifierClass reuses the LetterDigits
      category from IDNA2008, the range of characters allowed in the
      IdentifierClass is wider than the range of characters allowed in
      IDNA2008.  The main reason is that IDNA2008 applies the Unstable
      category before the LetterDigits category, thus disallowing
      uppercase characters, whereas the IdentifierClass does not apply
      the Unstable category.

4.2.2.  Contextual Rule Required

   o  A number of characters from the Exceptions ("F") category defined
      under Section 9.6 (see Section 9.6 for a full list).

   o  Joining characters, i.e., the JoinControl ("H") category defined
      under Section 9.8.

4.2.3.  Disallowed

   o  Old Hangul Jamo characters, i.e., the OldHangulJamo ("I") category
      defined under Section 9.9.

   o  Control characters, i.e., the Controls ("L") category defined
      under Section 9.12.

   o  Ignorable characters, i.e., the PrecisIgnorableProperties ("M")
      category defined under Section 9.13.

   o  Space characters, i.e., the Spaces ("N") category defined under
      Section 9.14.

   o  Symbol characters, i.e., the Symbols ("O") category defined under
      Section 9.15.

   o  Punctuation characters, i.e., the Punctuation ("P") category
      defined under Section 9.16.

   o  Any character that has a compatibility equivalent, i.e., the
      HasCompat ("Q") category defined under Section 9.17.  These code
      points are disallowed even if they would otherwise be valid
      according to the property-based rules specified in the previous
      section.

   o  Letters and digits other than the "traditional" letters and digits
      allowed in IDNs, i.e., the OtherLetterDigits ("R") category
      defined under Section 9.18.

Top      ToC       Page 11 
4.2.4.  Unassigned

   Any code points that are not yet designated in the Unicode character
   set are considered unassigned for purposes of the IdentifierClass,
   and such code points are to be treated as disallowed.  See
   Section 9.10.

4.2.5.  Examples

   As described in the Introduction to this document, the string classes
   do not handle all issues related to string preparation and comparison
   (such as case mapping); instead, such issues are handled at the level
   of profiles.  Examples for profiles of the IdentifierClass can be
   found in [PRECIS-Users-Pwds] (the UsernameCaseMapped and
   UsernameCasePreserved profiles).

4.3.  FreeformClass

   Some application technologies need strings that can be used in a
   free-form way, e.g., as a password in an authentication exchange (see
   [PRECIS-Users-Pwds]) or a nickname in a chatroom (see
   [PRECIS-Nickname]).  We group such things into a class called
   "FreeformClass" having the following features.

      Security Warning: As mentioned, the FreeformClass prioritizes
      expressiveness over safety; Section 12.3 describes some of the
      security hazards involved with using or profiling the
      FreeformClass.

      Security Warning: Consult Section 12.6 for relevant security
      considerations when strings conforming to the FreeformClass, or a
      profile thereof, are used as passwords.

4.3.1.  Valid

   o  Traditional letters and numbers, i.e., the LetterDigits ("A")
      category first defined in [RFC5892] and listed here under
      Section 9.1.

   o  Letters and digits other than the "traditional" letters and digits
      allowed in IDNs, i.e., the OtherLetterDigits ("R") category
      defined under Section 9.18.

   o  Code points in the range U+0021 through U+007E, i.e., the
      (printable) ASCII7 ("K") category defined under Section 9.11.

   o  Any character that has a compatibility equivalent, i.e., the
      HasCompat ("Q") category defined under Section 9.17.

Top      ToC       Page 12 
   o  Space characters, i.e., the Spaces ("N") category defined under
      Section 9.14.

   o  Symbol characters, i.e., the Symbols ("O") category defined under
      Section 9.15.

   o  Punctuation characters, i.e., the Punctuation ("P") category
      defined under Section 9.16.

4.3.2.  Contextual Rule Required

   o  A number of characters from the Exceptions ("F") category defined
      under Section 9.6 (see Section 9.6 for a full list).

   o  Joining characters, i.e., the JoinControl ("H") category defined
      under Section 9.8.

4.3.3.  Disallowed

   o  Old Hangul Jamo characters, i.e., the OldHangulJamo ("I") category
      defined under Section 9.9.

   o  Control characters, i.e., the Controls ("L") category defined
      under Section 9.12.

   o  Ignorable characters, i.e., the PrecisIgnorableProperties ("M")
      category defined under Section 9.13.

4.3.4.  Unassigned

   Any code points that are not yet designated in the Unicode character
   set are considered unassigned for purposes of the FreeformClass, and
   such code points are to be treated as disallowed.

4.3.5.  Examples

   As described in the Introduction to this document, the string classes
   do not handle all issues related to string preparation and comparison
   (such as case mapping); instead, such issues are handled at the level
   of profiles.  Examples for profiles of the FreeformClass can be found
   in [PRECIS-Users-Pwds] (the OpaqueString profile) and
   [PRECIS-Nickname] (the Nickname profile).

Top      ToC       Page 13 
5.  Profiles

   This framework document defines the valid, contextual-rule-required,
   disallowed, and unassigned rules for the IdentifierClass and the
   FreeformClass.  A profile of a PRECIS string class MUST define the
   width mapping, additional mappings (if any), case mapping,
   normalization, and directionality rules.  A profile MAY also restrict
   the allowable characters above and beyond the definition of the
   relevant PRECIS string class (but MUST NOT add as valid any code
   points that are disallowed by the relevant PRECIS string class).
   These matters are discussed in the following subsections.

   Profiles of the PRECIS string classes are registered with the IANA as
   described under Section 11.3.  Profile names use the following
   convention: they are of the form "Profilename of BaseClass", where
   the "Profilename" string is a differentiator and "BaseClass" is the
   name of the PRECIS string class being profiled; for example, the
   profile of the FreeformClass used for opaque strings such as
   passwords is the OpaqueString profile [PRECIS-Users-Pwds].

5.1.  Profiles Must Not Be Multiplied beyond Necessity

   The risk of profile proliferation is significant because having too
   many profiles will result in different behavior across various
   applications, thus violating what is known in user interface design
   as the "Principle of Least Astonishment".

   Indeed, we already have too many profiles.  Ideally we would have at
   most two or three profiles.  Unfortunately, numerous application
   protocols exist with their own quirks regarding protocol strings.
   Domain names, email addresses, instant messaging addresses, chatroom
   nicknames, filenames, authentication identifiers, passwords, and
   other strings are already out there in the wild and need to be
   supported in existing application protocols such as DNS, SMTP, the
   Extensible Messaging and Presence Protocol (XMPP), Internet Relay
   Chat (IRC), NFS, the Internet Small Computer System Interface
   (iSCSI), the Extensible Authentication Protocol (EAP), and the Simple
   Authentication and Security Layer (SASL), among others.

   Nevertheless, profiles must not be multiplied beyond necessity.

   To help prevent profile proliferation, this document recommends
   sensible defaults for the various options offered to profile creators
   (such as width mapping and Unicode normalization).  In addition, the
   guidelines for designated experts provided under Section 10 are meant
   to encourage a high level of due diligence regarding new profiles.

Top      ToC       Page 14 
5.2.  Rules

5.2.1.  Width Mapping Rule

   The width mapping rule of a profile specifies whether width mapping
   is performed on the characters of a string, and how the mapping is
   done.  Typically, such mapping consists of mapping fullwidth and
   halfwidth characters, i.e., code points with a Decomposition Type of
   Wide or Narrow, to their decomposition mappings; as an example,
   FULLWIDTH DIGIT ZERO (U+FF10) would be mapped to DIGIT ZERO (U+0030).

   The normalization form specified by a profile (see below) has an
   impact on the need for width mapping.  Because width mapping is
   performed as a part of compatibility decomposition, a profile
   employing either normalization form KD (NFKD) or normalization form
   KC (NFKC) does not need to specify width mapping.  However, if
   Unicode normalization form C (NFC) is used (as is recommended) then
   the profile needs to specify whether to apply width mapping; in this
   case, width mapping is in general RECOMMENDED because allowing
   fullwidth and halfwidth characters to remain unmapped to their
   compatibility variants would violate the "Principle of Least
   Astonishment".  For more information about the concept of width in
   East Asian scripts within Unicode, see Unicode Standard Annex #11
   [UAX11].

5.2.2.  Additional Mapping Rule

   The additional mapping rule of a profile specifies whether additional
   mappings are performed on the characters of a string, such as:

      Mapping of delimiter characters (such as '@', ':', '/', '+',
      and '-')

      Mapping of special characters (e.g., non-ASCII space characters to
      ASCII space or control characters to nothing).

   The PRECIS mappings document [PRECIS-Mappings] describes such
   mappings in more detail.

5.2.3.  Case Mapping Rule

   The case mapping rule of a profile specifies whether case mapping
   (instead of case preservation) is performed on the characters of a
   string, and how the mapping is applied (e.g., mapping uppercase and
   titlecase characters to their lowercase equivalents).

Top      ToC       Page 15 
   If case mapping is desired (instead of case preservation), it is
   RECOMMENDED to use Unicode Default Case Folding as defined in the
   Unicode Standard [Unicode] (at the time of this writing, the
   algorithm is specified in Chapter 3 of [Unicode7.0]).

      Note: Unicode Default Case Folding is not designed to handle
      various localization issues (such as so-called "dotless i" in
      several Turkic languages).  The PRECIS mappings document
      [PRECIS-Mappings] describes these issues in greater detail and
      defines a "local case mapping" method that handles some locale-
      dependent and context-dependent mappings.

   In order to maximize entropy and minimize the potential for false
   positives, it is NOT RECOMMENDED for application protocols to map
   uppercase and titlecase code points to their lowercase equivalents
   when strings conforming to the FreeformClass, or a profile thereof,
   are used in passwords; instead, it is RECOMMENDED to preserve the
   case of all code points contained in such strings and then perform
   case-sensitive comparison.  See also the related discussion in
   Section 12.6 and in [PRECIS-Users-Pwds].

5.2.4.  Normalization Rule

   The normalization rule of a profile specifies which Unicode
   normalization form (D, KD, C, or KC) is to be applied (see Unicode
   Standard Annex #15 [UAX15] for background information).

   In accordance with [RFC5198], normalization form C (NFC) is
   RECOMMENDED.

5.2.5.  Directionality Rule

   The directionality rule of a profile specifies how to treat strings
   containing what are often called "right-to-left" (RTL) characters
   (see Unicode Standard Annex #9 [UAX9]).  RTL characters come from
   scripts that are normally written from right to left and are
   considered by Unicode to, themselves, have right-to-left
   directionality.  Some strings containing RTL characters also contain
   "left-to-right" (LTR) characters, such as numerals, as well as
   characters without directional properties.  Consequently, such
   strings are known as "bidirectional strings".

   Presenting bidirectional strings in different layout systems (e.g., a
   user interface that is configured to handle primarily an RTL script
   vs. an interface that is configured to handle primarily an LTR
   script) can yield display results that, while predictable to those
   who understand the display rules, are counter-intuitive to casual
   users.  In particular, the same bidirectional string (in PRECIS

Top      ToC       Page 16 
   terms) might not be presented in the same way to users of those
   different layout systems, even though the presentation is consistent
   within any particular layout system.  In some applications, these
   presentation differences might be considered problematic and thus the
   application designers might wish to restrict the use of bidirectional
   strings by specifying a directionality rule.  In other applications,
   these presentation differences might not be considered problematic
   (this especially tends to be true of more "free-form" strings) and
   thus no directionality rule is needed.

   The PRECIS framework does not directly address how to deal with
   bidirectional strings across all string classes and profiles, and
   does not define any new directionality rules, since at present there
   is no widely accepted and implemented solution for the safe display
   of arbitrary bidirectional strings beyond the Unicode bidirectional
   algorithm [UAX9].  Although rules for management and display of
   bidirectional strings have been defined for domain name labels and
   similar identifiers through the "Bidi Rule" specified in the IDNA2008
   specification on right-to-left scripts [RFC5893], those rules are
   quite restrictive and are not necessarily applicable to all
   bidirectional strings.

   The authors of a PRECIS profile might believe that they need to
   define a new directionality rule of their own.  Because of the
   complexity of the issues involved, such a belief is almost always
   misguided, even if the authors have done a great deal of careful
   research into the challenges of displaying bidirectional strings.
   This document strongly suggests that profile authors who are thinking
   about defining a new directionality rule think again, and instead
   consider using the "Bidi Rule" [RFC5893] (for profiles based on the
   IdentifierClass) or following the Unicode bidirectional algorithm
   [UAX9] (for profiles based on the FreeformClass or in situations
   where the IdentifierClass is not appropriate).

5.3.  A Note about Spaces

   With regard to the IdentifierClass, the consensus of the PRECIS
   Working Group was that spaces are problematic for many reasons,
   including the following:

   o  Many Unicode characters are confusable with ASCII space.

   o  Even if non-ASCII space characters are mapped to ASCII space
      (U+0020), space characters are often not rendered in user
      interfaces, leading to the possibility that a human user might
      consider a string containing spaces to be equivalent to the same
      string without spaces.

Top      ToC       Page 17 
   o  In some locales, some devices are known to generate a character
      other than ASCII space (such as ZERO WIDTH JOINER, U+200D) when a
      user performs an action like hitting the space bar on a keyboard.

   One consequence of disallowing space characters in the
   IdentifierClass might be to effectively discourage their use within
   identifiers created in newer application protocols; given the
   challenges involved with properly handling space characters
   (especially non-ASCII space characters) in identifiers and other
   protocol strings, the PRECIS Working Group considered this to be a
   feature, not a bug.

   However, the FreeformClass does allow spaces, which enables
   application protocols to define profiles of the FreeformClass that
   are more flexible than any profiles of the IdentifierClass.  In
   addition, as explained in Section 6.3, application protocols can also
   define application-layer constructs containing spaces.



(page 17 continued on part 2)

Next RFC Part