RFC 7613: Internationalized Usernames and Passwords


A few months ago I posted about the internationalization odyssey that was the Framework for Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols, a.k.a. RFC 7564. This work has significant implications for security, as exemplified by the PRECIS profiles for usernames and passwords, just published as RFC 7613. The old approach to internationalization of usernames and passwords (RFC 4013) was locked into Unicode version 3.2 (it's now up to version 7, with version 8 coming soon) and also used an identical algorithm for both usernames and passwords, even though the security characteristics of these two constructs are quite different (for passwords we want to maximize entropy by allowing just about every possible Unicode character, whereas for usernames we want a more controlled subset of Unicode characters mostly limited to letters and numbers). With RFC 7613, Alexey Melnikov and I took a more modern and careful approach: among other things it's version-agile with respect to Unicode and it defines separate profiles - actually one for passwords (called "OpaqueString") and two for usernames, depending on whether uppercase characters are preserved or mapped to lowercase. It will take awhile for this new approach to trickle into application protocols (XMPP identifiers and chatroom nicknames are the first two) and then into running code, but eventually this new approach will provide a stronger and more sustainable foundation for handling internationalized usernames and passwords over the Internet.

Peter Saint-Andre > Journal