Network Working Group M. Blanchet
Internet-Draft Viagenie
Obsoletes: 3454 (if approved) P. Saint-Andre
Intended status: Standards Track Cisco
Expires: February 20, 2012 August 19, 2011
PRECIS Framework: Handling Internationalized Strings in Protocols
draft-blanchet-precis-framework-03
Abstract
Application protocols that make use of Unicode code points in
protocol strings need to prepare such strings in order to perform
comparison operations (e.g., for purposes of authentication or
authorization). In general, this problem has been labeled the
"preparation and comparison of internationalized strings" or
"PRECIS". This document defines a framework that enables application
protocols to prepare various classes of strings in a way that depends
on the properties of Unicode code points. Because this framework
does not depend on large tables of Unicode code points as in
stringprep (RFC 3454), it is more agile with regard to changes in the
underlying Unicode database and thus provides improved flexibility to
application protocols. A specification that uses this framework
either can directly use the base string classes defined in this
document or can subclass the base string classes as needed. This
framework uses an approach similar to that of the revised
internationalized domain names in applications (IDNA) technology (RFC
5890, RFC 5891, RFC 5892, RFC 5893, RFC 5894) and thus adheres to the
high-level design goals described in RFC 4690, albeit for application
technologies other than the Domain Name System (DNS). This document
obsoletes RFC 3454.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Blanchet & Saint-Andre Expires February 20, 2012 [Page 1]
Internet-Draft PRECIS Framework August 2011
This Internet-Draft will expire on February 20, 2012.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Blanchet & Saint-Andre Expires February 20, 2012 [Page 2]
Internet-Draft PRECIS Framework August 2011
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
3. String Classes . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1. NameClass . . . . . . . . . . . . . . . . . . . . . . . . 7
3.1.1. Valid . . . . . . . . . . . . . . . . . . . . . . . . 7
3.1.2. Disallowed . . . . . . . . . . . . . . . . . . . . . . 8
3.1.3. Unassigned . . . . . . . . . . . . . . . . . . . . . . 8
3.1.4. Directionality . . . . . . . . . . . . . . . . . . . . 8
3.1.5. Case Mapping . . . . . . . . . . . . . . . . . . . . . 8
3.1.6. Normalization . . . . . . . . . . . . . . . . . . . . 8
3.2. SecretClass . . . . . . . . . . . . . . . . . . . . . . . 8
3.2.1. Valid . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2.2. Disallowed . . . . . . . . . . . . . . . . . . . . . . 9
3.2.3. Unassigned . . . . . . . . . . . . . . . . . . . . . . 9
3.2.4. Directionality . . . . . . . . . . . . . . . . . . . . 9
3.2.5. Case Mapping . . . . . . . . . . . . . . . . . . . . . 9
3.2.6. Normalization . . . . . . . . . . . . . . . . . . . . 9
3.3. FreeClass . . . . . . . . . . . . . . . . . . . . . . . . 10
3.3.1. Valid . . . . . . . . . . . . . . . . . . . . . . . . 10
3.3.2. Disallowed . . . . . . . . . . . . . . . . . . . . . . 10
3.3.3. Unassigned . . . . . . . . . . . . . . . . . . . . . . 10
3.3.4. Directionality . . . . . . . . . . . . . . . . . . . . 10
3.3.5. Case Mapping . . . . . . . . . . . . . . . . . . . . . 10
3.3.6. Normalization . . . . . . . . . . . . . . . . . . . . 11
4. Use of PRECIS String Classes . . . . . . . . . . . . . . . . . 11
4.1. Principles . . . . . . . . . . . . . . . . . . . . . . . . 11
4.2. Subclassing . . . . . . . . . . . . . . . . . . . . . . . 11
4.3. Registration . . . . . . . . . . . . . . . . . . . . . . . 11
5. Code Point Properties . . . . . . . . . . . . . . . . . . . . 12
6. Category Definitions Used to Calculate Derived Property
Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
6.1. LetterDigits (A) . . . . . . . . . . . . . . . . . . . . . 14
6.2. Unstable (B) . . . . . . . . . . . . . . . . . . . . . . . 14
6.3. IgnorableProperties (C) . . . . . . . . . . . . . . . . . 15
6.4. IgnorableBlocks (D) . . . . . . . . . . . . . . . . . . . 15
6.5. LDH (E) . . . . . . . . . . . . . . . . . . . . . . . . . 15
6.6. Exceptions (F) . . . . . . . . . . . . . . . . . . . . . . 15
6.7. BackwardCompatible (G) . . . . . . . . . . . . . . . . . . 16
6.8. JoinControl (H) . . . . . . . . . . . . . . . . . . . . . 17
6.9. OldHangulJamo (I) . . . . . . . . . . . . . . . . . . . . 17
6.10. Unassigned (J) . . . . . . . . . . . . . . . . . . . . . . 17
6.11. ASCII7 (K) . . . . . . . . . . . . . . . . . . . . . . . . 18
6.12. Controls (L) . . . . . . . . . . . . . . . . . . . . . . . 18
6.13. PrecisIgnorableProperties (M) . . . . . . . . . . . . . . 18
6.14. Spaces (N) . . . . . . . . . . . . . . . . . . . . . . . . 18
6.15. Symbols (O) . . . . . . . . . . . . . . . . . . . . . . . 18
Blanchet & Saint-Andre Expires February 20, 2012 [Page 3]
Internet-Draft PRECIS Framework August 2011
6.16. Punctuation (P) . . . . . . . . . . . . . . . . . . . . . 19
6.17. HasCompat (Q) . . . . . . . . . . . . . . . . . . . . . . 19
7. Calculation of the Derived Property . . . . . . . . . . . . . 19
8. Code Points . . . . . . . . . . . . . . . . . . . . . . . . . 20
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
9.1. PRECIS Derived Property Value Registry . . . . . . . . . . 20
9.2. PRECIS Usage Registry . . . . . . . . . . . . . . . . . . 21
10. Security Considerations . . . . . . . . . . . . . . . . . . . 21
10.1. General Issues . . . . . . . . . . . . . . . . . . . . . . 21
10.2. Local Character Set Issues . . . . . . . . . . . . . . . . 22
10.3. Visually Similar Characters . . . . . . . . . . . . . . . 22
10.4. Security of the SecretClass . . . . . . . . . . . . . . . 24
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24
12. Codepoints 0x0000 - 0x10FFFF . . . . . . . . . . . . . . . . . 25
12.1. Codepoints in Unicode Character Database (UCD) format . . 25
13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25
13.1. Normative References . . . . . . . . . . . . . . . . . . . 25
13.2. Informative References . . . . . . . . . . . . . . . . . . 25
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 27
Blanchet & Saint-Andre Expires February 20, 2012 [Page 4]
Internet-Draft PRECIS Framework August 2011
1. Introduction
A number of IETF application technologies use stringprep [RFC3454] as
the basis for comparing protocol strings that contain Unicode
characters or "code points" [UNICODE]. Since the publication of
[RFC3454] in 2002, the Internet community has gained much more
experience with internationalization, some of it reflected in
[RFC4690]. In particular, the IETF's technology for
internationalized domain names (IDNs) has changed significantly:
IDNA2003 [RFC3490], which was based on stringprep, has been
superseded by IDNA2008 ([RFC5890], [RFC5891], [RFC5892], [RFC5893],
[RFC5894]), which does not use stringprep. This migration away from
stringprep for internationalized domain names has prompted other
"customers" of stringprep to consider new approaches to the
preparation and comparison of internationalized strings ("PRECIS"),
as described in [PROBLEM].
This document proposes a technical framework for a post-stringprep
approach to the preparation and comparison of internationalized
strings in application protocols. The framework is based on several
principles:
1. Define a small set of base string classes appropriate for common
application protocol constructs such as usernames, passwords, and
free-form identifiers.
2. Define each base string class in terms of Unicode code points and
their properties, specifying whether each code point or character
category is valid, disallowed, or unassigned.
3. Enable application protocols to subclass the base string classes,
mainly to disallow particular code points that are currently
disallowed in the relevant application protocol (e.g., characters
with special or reserved meaning, such as "@" and "/" when used
as separators within identifiers).
4. Leave various mapping operations (e.g., case preservation or
lowercasing, Unicode normalization, right-to-left characters) as
the responsibility of application protocols, as was done for
IDNA2008 via [RFC5895].
It is expected that this framework will yield the following benefits:
o Application protocols will be more version-agile with regard to
the Unicode database.
o Implementers will be able to share code point tables and software
code across application protocols, most likely by means of
software libraries.
Blanchet & Saint-Andre Expires February 20, 2012 [Page 5]
Internet-Draft PRECIS Framework August 2011
o End users will be able to acquire more accurate expectations about
the code points that are acceptable in various contexts. Given
this more uniform set of string classes, it is also expected that
copy/paste operations between software implementing different
application protocols will be more predictable and coherent.
Although this framework is similar to IDNA2008 and borrows some of
the character categories defined in [RFC5892], it defines additional
string classes and character categories to meet the needs of common
application protocols.
2. Terminology
Many important terms used in this document are defined in [PROBLEM],
[I18N-TERMS], [RFC5890], and [UNICODE].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119].
3. String Classes
IDNA2008 essentially defines a base string class of internationalized
domain name, although it does not use the term "string class". (This
document does not define a string class for domain names, and
application protocols are strongly encouraged to use IDNA2008 as the
appropriate method to prepare domain names and hostnames.)
We propose the following additional base string classes for use in
application protocols:
NameClass: a sequence of letters, numbers, and symbols that is used
to identify or address a network entity such as a user, an
account, a venue (e.g., a chatroom), an information source (e.g.,
a data feed), or a collection of data (e.g., a file).
SecretClass: a sequence of letters, numbers, and symbols that is
used as a secret for access to some resource on a network (e.g., a
password or passphrase).
FreeClass: a sequence of letters, numbers, symbols, spaces, and
other code points that is used for more expressive purposes in an
application protocol (e.g., a free-form identifier such as a
human-friendly nickname in a chatroom).
Blanchet & Saint-Andre Expires February 20, 2012 [Page 6]
Internet-Draft PRECIS Framework August 2011
The following subsections discuss these string classes in more
detail, with reference to the dimensions described in Section 3 of
[PROBLEM].
Each string class is defined by the following behavioral rules:
Valid: defines which code points and character categories are
treated as valid input to preparation of the string.
Disallowed: defines which code points and character categories are
treated as disallowed during preparation of the string.
Unassigned: defines application behavior in the presence of code
points that are unassigned, i.e. unknown for the version of
Unicode the application is built upon.
Directionality: defines application behavior in the presence of code
points that have directionality, in particular right-to-left code
points as defined in the Unicode database (see [UAX9]).
Casemapping: defines if case mapping is used for this class, and how
the mapping is done.
Normalization: defines which Unicode normalization form (D, KD, C,
or KC) is to be applied (see [UAX15]).
This document defines the valid, disallowed, and unassigned rules.
Application protocols that use the PRECIS string classes MUST define
the directionality, casemapping, and normalization rules, as further
described under Section 9.2.
3.1. NameClass
Most application technologies need a special class of strings that
can be used to refer to, include, or communicate things like
usernames, chatroom names, file names, and data feed names. We group
such things into a bucket called "NameClass" having the following
features.
3.1.1. Valid
o Letters and numbers, i.e., the LetterDigits ("A") category first
defined in [RFC5892] and listed here under Section 6.1.
o Code points in the range U+0021 through U+007E, i.e., the ASCII7
("K") rule defined under Section 6.11. These code points are
valid even if they would otherwise be disallowed according to the
property-based rules specified in the next section.
Blanchet & Saint-Andre Expires February 20, 2012 [Page 7]
Internet-Draft PRECIS Framework August 2011
3.1.2. Disallowed
o Control characters, i.e., the Controls ("L") category defined
under Section 6.12.
o Space characters, i.e., the Spaces ("N") category defined under
Section 6.14.
o Symbol characters, i.e., the Symbols ("O") category defined under
Section 6.15.
o Punctuation characters, i.e., the Punctuation ("P") category
defined under Section 6.16.
o Any character that has a compatibility equivalent, i.e., the
HasCompat ("Q") category defined under Section 6.17. These code
points are disallowed even if they would otherwise be valid
according to the property-based rules specified in the previous
section.
3.1.3. Unassigned
Any code points that are not yet assigned in the Unicode character
set SHALL be considered Unassigned for purposes of the NameClass.
3.1.4. Directionality
The directionality rule MUST be specified by each application
protocol that uses or subclasses the NameClass.
3.1.5. Case Mapping
The casemapping rule MUST be specified by each application protocol
that uses or subclasses the NameClass.
3.1.6. Normalization
The normalization form MUST be specified by each application protocol
that uses or subclasses the NameClass.
However, in accordance with [RFC5198], normalization form C (NFC) is
RECOMMENDED.
3.2. SecretClass
Many application technologies need a special class of strings that
can be used to communicate secrets of the kind that are typically
used as passwords or passphrases. We group such things into a bucket
called "SecretClass" having the following features.
NOTE: Consult Section 10.4 for relevant security considerations.
Blanchet & Saint-Andre Expires February 20, 2012 [Page 8]
Internet-Draft PRECIS Framework August 2011
3.2.1. Valid
o Letters and numbers, i.e., the LetterDigits ("A") category first
defined in [RFC5892] and listed here under Section 6.1.
o Code points in the range U+0021 through U+007E, i.e., the ASCII7
("K") rule defined under Section 6.11. These code points are
valid even if they would otherwise be disallowed according to the
property-based rules specified in the next section.
o Any character that has a compatibility equivalent, i.e., the
HasCompat ("Q") category defined under Section 6.17.
o Symbol characters, i.e., the Symbols ("O") category defined under
Section 6.15.
o Punctuation characters, i.e., the Punctuation ("P") category
defined under Section 6.16.
3.2.2. Disallowed
o Control characters, i.e., the Controls ("L") category defined
under Section 6.12.
o Space characters, i.e., the Spaces ("N") category defined under
Section 6.14.
3.2.3. Unassigned
Any code points that are not yet assigned in the Unicode character
set SHALL be considered Unassigned for purposes of the SecretClass.
3.2.4. Directionality
The directionality rule MUST be specified by each application
protocol that uses or subclasses the SecretClass.
3.2.5. Case Mapping
The casemapping rule MUST be specified by each application protocol
that uses or subclasses the SecretClass.
However, in order to maximize the entropy of passwords and
passphrases, it is NOT RECOMMENDED for application protocols to map
uppercase and titlecase code points to their lowercase equivalents;
instead, it is RECOMMENDED to preserve the case of all code points
contained in string that conform to or subclass the SecretClass.
3.2.6. Normalization
The normalization form MUST be specified by each application protocol
that uses or subclasses the SecretClass.
Blanchet & Saint-Andre Expires February 20, 2012 [Page 9]
Internet-Draft PRECIS Framework August 2011
However, in accordance with [RFC5198], normalization form C (NFC) is
RECOMMENDED.
3.3. FreeClass
Some application technologies need a special class of strings that
can be used in a free-form way (e.g., a nickname in a chatroom). We
group such things into a bucket called "FreeClass" having the
following features.
3.3.1. Valid
o Letters and numbers, i.e., the LetterDigits ("A") category first
defined in [RFC5892] and listed here under Section 6.1.
o Code points in the range U+0021 through U+007E, i.e., the ASCII7
("K") rule defined under Section 6.11.
o Any character that has a compatibility equivalent, i.e., the
HasCompat ("Q") category defined under Section 6.17.
o Space characters, i.e., the Spaces ("N") category defined under
Section 6.14.
o Symbol characters, i.e., the Symbols ("O") category defined under
Section 6.15.
o Punctuation characters, i.e., the Punctuation ("P") category
defined under Section 6.16.
3.3.2. Disallowed
o Control characters, i.e., the Controls ("L") category defined
under Section 6.12.
3.3.3. Unassigned
Any code points that are not yet assigned in the Unicode character
set SHALL be considered Unassigned for purposes of the FreeClass.
3.3.4. Directionality
The directionality rule MUST be specified by each application
protocol that uses or subclasses the FreeClass.
3.3.5. Case Mapping
The casemapping rule MUST be specified by each application protocol
that uses or subclasses the FreeClass.
Blanchet & Saint-Andre Expires February 20, 2012 [Page 10]
Internet-Draft PRECIS Framework August 2011
3.3.6. Normalization
The normalization form MUST be specified by each application protocol
that uses or subclasses the FreeClass.
However, in accordance with [RFC5198], normalization form C (NFC) is
RECOMMENDED.
4. Use of PRECIS String Classes
4.1. Principles
This document defines the valid, disallowed, and unassigned rules.
Application protocols that use the PRECIS string classes MUST define
the directionality, casemapping, and normalization rules. Such
definitions MUST at a minimum specify the following:
Directionality: Whether any instance of the class that contains a
right-to-left code point is to be considered a right-to-left
string, or whether some other rule is to be applied (e.g., the
"Bidi Rule" from [RFC5893]).
Casemapping: Whether uppercase and titlecase code points are to be
(a) preserved or (b) mapped to lowercase.
Normalization: Which Unicode normalization form (D, KD, C, or KC) is
to be applied (see [UAX15] for background information); in
accordance with [RFC5198], NFC is RECOMMENDED.
4.2. Subclassing
Application protocols are allowed to subclass the base string classes
specified in this document. As the word "subclass" implies, a
subclass MUST NOT add as valid any code points or character
categories that are disallowed by the base string class. However, a
subclass MAY do either of the following:
1. Exclude specific code points that are included in the base string
class.
2. Exclude characters matching certain Unicode properties (e.g.,
math symbols) that are included in the base string class.
4.3. Registration
Application protocols that use the PRECIS string classes MUST
register with the IANA as described under Section 9.2. This is
especially important for protocols that subclass the PRECIS string
Blanchet & Saint-Andre Expires February 20, 2012 [Page 11]
Internet-Draft PRECIS Framework August 2011
classes.
5. Code Point Properties
In order to implement the string classes described above, this
document does the following:
1. Reviews and classifies the collections of code points in the
Unicode character set by examining various code point properties.
2. Defines an algorithm for determining a derived property value,
which can vary depending on the string class being used by the
relevant application protocol.
This document is not intended to specify precisely how derived
property values are to be applied in protocol strings. That
information should be defined in the protocol specification that uses
or subclasses a base string class from this document.
The value of the property is to be interpreted as follows.
PROTOCOL VALID Those code points that are allowed to be used in any
PRECIS string class (NameClass, SecretClass, and FreeClass). Code
points with this property value are permitted for general use in
any string class. The abbreviated term PVALID is used to refer to
this value in the remainder of this document.
SPECIFIC CLASS PROTOCOL VALID Those code points that are allowed to
be used in specific string classes. Code points with this
property value are permitted for use in specific string classes.
In the remainder of this document, the abbreviated term *_PVALID
is used, where * = (NAMECLASS | SECRETCLASS | FREECLASS).
CONTEXTUAL RULE REQUIRED Some characteristics of the character, such
as its being invisible in certain contexts or problematic in
others, require that it not be used in labels unless specific
other characters or properties are present. The abbreviated term
CONTEXT is used to refer to this value in the remainder of this
document. There are two subdivisions of CONTEXTUAL RULE REQUIRED,
the first for Join_controls (called CONTEXTJ) and the second for
other characters (called CONTEXTO).
DISALLOWED Those code points that must not be included in any string
class. Code points with this property value are not permitted in
any string class.
Blanchet & Saint-Andre Expires February 20, 2012 [Page 12]
Internet-Draft PRECIS Framework August 2011
SPECIFIC CLASS DISALLOWED Those code points that are not to be
included in a specific string class. Code points with this
property value are not permitted in one of the string classes but
might be permitted in others. In the remainder of this document,
the abbreviated term *_DISALLOWED is used, where * = (NAMECLASS |
SECRETCLASS | FREECLASS).
UNASSIGNED Those code points that are not designated (i.e. are
unassigned) in the Unicode Standard.
The mechanisms described here allow determination of the value of the
property for future versions of Unicode (including characters added
after Unicode 5.2 or 6.0 depending on the category, since some
categories in this document are reused from IDNA2008). Changes in
Unicode properties that do not affect the outcome of this process do
not affect this framework. For example, a character can have its
Unicode General_Category value [UNICODE] change from So to Sm, or
from Lo to Ll, without affecting the algorithm results. Moreover,
even if such changes were to result, the BackwardCompatible list
(Section 6.7) can be adjusted to ensure the stability of the results.
Some code points need to be allowed in exceptional circumstances, but
should be excluded in all other cases; these rules are also described
in other documents. The most notable of these are the Join Control
characters, U+200D ZERO WIDTH JOINER and U+200C ZERO WIDTH NON-
JOINER. Both of them have the derived property value CONTEXTJ. A
character with the derived property value CONTEXTJ or CONTEXTO
(CONTEXTUAL RULE REQUIRED) is not to be used unless an appropriate
rule has been established and the context of the character is
consistent with that rule. It is invalid to generate a string
containing these characters unless such a contextual rule is found
and satisfied. PRECIS does not define its own contextual rules, but
instead re-uses the contextual rules defined for IDNA2008; please see
Appendix A of [RFC5892] for more information.
6. Category Definitions Used to Calculate Derived Property Value
The derived property obtains its value based on a two-step procedure:
1. Characters are placed in one or more character categories either
(1) based on core properties defined by the Unicode Standard or
(2) by treating the code point as an exception and addressing the
code point as its code point value. These categories are not
mutually exclusive.
Blanchet & Saint-Andre Expires February 20, 2012 [Page 13]
Internet-Draft PRECIS Framework August 2011
2. Set operations are used with these categories to determine the
values for a property that is specific to a given string class.
These operations are specified under Section 7.
(NOTE: Unicode property names and property value names might have
short abbreviations, such as "gc" for the General_Category property
and "Ll" for the Lowercase_Letter property value of the gc property.)
In the following specification of character categories, the operation
that returns the value of a particular Unicode character property for
a code point is designated by using the formal name of that property
(from the Unicode PropertyAliases.txt [1]) followed by '(cp)' for
"code point". For example, the value of the General_Category
property for a code point is indicated by General_Category(cp).
The first ten categories (A-J) shown below were previously defined
for IDNA2008 and are copied directly from [RFC5892]. Some of these
categories are reused in PRECIS and some of them are not; however,
the lettering of categories is retained to prevent overlap and to
ease implementation of both IDNA2008 and PRECIS in a single software
application. The next seven categories (K-Q) are specific to PRECIS.
6.1. LetterDigits (A)
NOTE: This category is defined in [RFC5892] and copied here for use
in PRECIS.
A: General_Category(cp) is in {Ll, Lu, Lo, Nd, Lm, Mn, Mc}
These rules identify characters commonly used in mnemonics and often
informally described as "language characters".
For more information, see section 4.5 of [UNICODE].
The categories used in this rule are:
o Ll - Lowercase_Letter
o Lu - Uppercase_Letter
o Lo - Other_Letter
o Nd - Decimal_Number
o Lm - Modifier_Letter
o Mn - Nonspacing_Mark
o Mc - Spacing_Mark
6.2. Unstable (B)
NOTE: This category is defined in [RFC5892] but not used in PRECIS.
Blanchet & Saint-Andre Expires February 20, 2012 [Page 14]
Internet-Draft PRECIS Framework August 2011
6.3. IgnorableProperties (C)
NOTE: This category is defined in [RFC5892] but not used in PRECIS.
See the "PrecisIgnorableProperties (M)" category below for a more
inclusive category used in PRECIS identifiers.
6.4. IgnorableBlocks (D)
NOTE: This category is defined in [RFC5892] but not used in PRECIS.
6.5. LDH (E)
NOTE: This category is defined in [RFC5892] but not used in PRECIS.
See the "ASCII7 (K)" category below for a more inclusive category
used in PRECIS identifiers.
6.6. Exceptions (F)
NOTE: This category is defined in [RFC5892] and might be used in a
future version of this specification.
F: cp is in {00B7, 00DF, 0375, 03C2, 05F3, 05F4, 0640, 0660,
0661, 0662, 0663, 0664, 0665, 0666, 0667, 0668,
0669, 06F0, 06F1, 06F2, 06F3, 06F4, 06F5, 06F6,
06F7, 06F8, 06F9, 06FD, 06FE, 07FA, 0F0B, 3007,
302E, 302F, 3031, 3032, 3033, 3034, 3035, 303B,
30FB}
This category explicitly lists code points for which the category
cannot be assigned using only the core property values that exist in
the Unicode standard. The values are according to the table below:
PVALID -- Would otherwise have been DISALLOWED
00DF; PVALID # LATIN SMALL LETTER SHARP S
03C2; PVALID # GREEK SMALL LETTER FINAL SIGMA
06FD; PVALID # ARABIC SIGN SINDHI AMPERSAND
06FE; PVALID # ARABIC SIGN SINDHI POSTPOSITION MEN
0F0B; PVALID # TIBETAN MARK INTERSYLLABIC TSHEG
3007; PVALID # IDEOGRAPHIC NUMBER ZERO
CONTEXTO -- Would otherwise have been DISALLOWED
00B7; CONTEXTO # MIDDLE DOT
0375; CONTEXTO # GREEK LOWER NUMERAL SIGN (KERAIA)
05F3; CONTEXTO # HEBREW PUNCTUATION GERESH
05F4; CONTEXTO # HEBREW PUNCTUATION GERSHAYIM
30FB; CONTEXTO # KATAKANA MIDDLE DOT
Blanchet & Saint-Andre Expires February 20, 2012 [Page 15]
Internet-Draft PRECIS Framework August 2011
CONTEXTO -- Would otherwise have been PVALID
0660; CONTEXTO # ARABIC-INDIC DIGIT ZERO
0661; CONTEXTO # ARABIC-INDIC DIGIT ONE
0662; CONTEXTO # ARABIC-INDIC DIGIT TWO
0663; CONTEXTO # ARABIC-INDIC DIGIT THREE
0664; CONTEXTO # ARABIC-INDIC DIGIT FOUR
0665; CONTEXTO # ARABIC-INDIC DIGIT FIVE
0666; CONTEXTO # ARABIC-INDIC DIGIT SIX
0667; CONTEXTO # ARABIC-INDIC DIGIT SEVEN
0668; CONTEXTO # ARABIC-INDIC DIGIT EIGHT
0669; CONTEXTO # ARABIC-INDIC DIGIT NINE
06F0; CONTEXTO # EXTENDED ARABIC-INDIC DIGIT ZERO
06F1; CONTEXTO # EXTENDED ARABIC-INDIC DIGIT ONE
06F2; CONTEXTO # EXTENDED ARABIC-INDIC DIGIT TWO
06F3; CONTEXTO # EXTENDED ARABIC-INDIC DIGIT THREE
06F4; CONTEXTO # EXTENDED ARABIC-INDIC DIGIT FOUR
06F5; CONTEXTO # EXTENDED ARABIC-INDIC DIGIT FIVE
06F6; CONTEXTO # EXTENDED ARABIC-INDIC DIGIT SIX
06F7; CONTEXTO # EXTENDED ARABIC-INDIC DIGIT SEVEN
06F8; CONTEXTO # EXTENDED ARABIC-INDIC DIGIT EIGHT
06F9; CONTEXTO # EXTENDED ARABIC-INDIC DIGIT NINE
DISALLOWED -- Would otherwise have been PVALID
0640; DISALLOWED # ARABIC TATWEEL
07FA; DISALLOWED # NKO LAJANYALAN
302E; DISALLOWED # HANGUL SINGLE DOT TONE MARK
302F; DISALLOWED # HANGUL DOUBLE DOT TONE MARK
3031; DISALLOWED # VERTICAL KANA REPEAT MARK
3032; DISALLOWED # VERTICAL KANA REPEAT WITH VOICED SOUND MARK
3033; DISALLOWED # VERTICAL KANA REPEAT MARK UPPER HALF
3034; DISALLOWED # VERTICAL KANA REPEAT WITH VOICED SOUND MARK
UPPER HA
3035; DISALLOWED # VERTICAL KANA REPEAT MARK LOWER HALF
303B; DISALLOWED # VERTICAL IDEOGRAPHIC ITERATION MARK
6.7. BackwardCompatible (G)
NOTE: This category is defined in [RFC5892] and copied here for use
in PRECIS. Because of how the PRECIS string classes are defined,
only changes that would result in code points being added to or
removed from the LetterDigits ("A") category would result in
backward-incompatible modifications to code point assignments.
Therefore, management of this category is handled via the processes
specified in [RFC5892].
G: cp is in {}
Blanchet & Saint-Andre Expires February 20, 2012 [Page 16]
Internet-Draft PRECIS Framework August 2011
This category includes the code points for which property values in
versions of Unicode after 5.2 have changed in such a way that the
derived property value would no longer be PVALID or DISALLOWED. If
changes are made to future versions of Unicode so that code points
might change property value from PVALID or DISALLOWED, then this
table can be updated and keep special exception values so that the
property values for code points stay stable.
6.8. JoinControl (H)
NOTE: This category is defined in [RFC5892] and copied here for use
in PRECIS.
H: Join_Control(cp) = True
This category consists of Join Control characters (i.e., they are not
in LetterDigits (Section 6.1)) but are still required in strings
under some circumstances.
6.9. OldHangulJamo (I)
NOTE: This category is defined in [RFC5892] and copied here for use
in PRECIS.
I: Hangul_Syllable_Type(cp) is in {L, V, T}
This category consists of all conjoining Hangul Jamo (Leading Jamo,
Vowel Jamo, and Trailing Jamo).
Elimination of conjoining Hangul Jamos from the set of PVALID
characters results in restricting the set of Korean PVALID characters
just to preformed, modern Hangul syllable characters. Old Hangul
syllables, which must be spelled with sequences of conjoining Hangul
Jamos, are not PVALID for string classes.
6.10. Unassigned (J)
NOTE: This category is defined in [RFC5892] and copied here for use
in PRECIS.
J: General_Category(cp) is in {Cn} and
Noncharacter_Code_Point(cp) = False
This category consists of code points in the Unicode character set
that are not (yet) assigned. It should be noted that Unicode
distinguishes between 'unassigned code points' and 'unassigned
characters'. The unassigned code points are all but (Cn -
Noncharacters), while the unassigned *characters* are all but (Cn +
Blanchet & Saint-Andre Expires February 20, 2012 [Page 17]
Internet-Draft PRECIS Framework August 2011
Cs).
6.11. ASCII7 (K)
This PRECIS-specific category exempts most characters in the ASCII-7
range from other rules that might be applied during PRECIS
processing, on the assumption that these code points are in such wide
use that disallowing them would be counter-productive.
K: cp is in {0021..007E}
6.12. Controls (L)
L: Control(cp) = True
6.13. PrecisIgnorableProperties (M)
This PRECIS-specific category is used to group code points that are
not recommended for use in PRECIS string classes.
M: Default_Ignorable_Code_Point(cp) = True or
Noncharacter_Code_Point(cp) = True
The definition for Default_Ignorable_Code_Point can be found in the
DerivedCoreProperties.txt [2] file, and at the time of Unicode 6.0 is
as follows:
Other_Default_Ignorable_Code_Point
+ Cf (Format characters)
+ Variation_Selector
- White_Space
- FFF9..FFFB (Annotation Characters)
- 0600..0603, 06DD, 070F (exceptional Cf characters
that should be visible)
6.14. Spaces (N)
This PRECIS-specific category is used to group code points that are
space characters.
N: General_Category(cp) is in {Zs}
6.15. Symbols (O)
This PRECIS-specific category is used to group code points that are
symbols.
O: General_Category(cp) is in {Sc}
Blanchet & Saint-Andre Expires February 20, 2012 [Page 18]
Internet-Draft PRECIS Framework August 2011
6.16. Punctuation (P)
This PRECIS-specific category is used to group code points that are
punctuation marks.
P: General_Category(cp) is in {Pi}
6.17. HasCompat (Q)
This PRECIS-specific category is used to group code points that have
compatibility equivalents as explained in Chapter 2 and Chapter 3 of
[UNICODE].
Q: toNFKC(cp) != cp
The toNFKC() operation returns the code point in normalization form
KC. For more information, see Section 5 of [UAX15].
7. Calculation of the Derived Property
Possible values of the derived property are:
o PVALID
o NAMECLASS_VALID
o SECRETCLASS_VALID
o FREECLASS_VALID
o CONTEXTJ
o CONTEXTO
o DISALLOWED
o NAMECLASS_DISALLOWED
o SECRETCLASS_DISALLOWED
o FREECLASS_DISALLOWED
o UNASSIGNED
NOTE: In some instances, the value of the derived property calculated
depends on the string class (e.g., if an identifier used in an
application protocol is defined as using or subclassing the PRECIS
NameClass, then a space character would be assigned to
NAMECLASS_DISALLOWED).
The algorithm to calculate the value of the derived property is as
follows. (NOTE: Use of the name of a rule (such as "Exception")
implies the set of code points that the rule defines, whereas the
same name as a function call (such as "Exception(cp)") implies the
value that the code point has in the Exceptions table.)
Blanchet & Saint-Andre Expires February 20, 2012 [Page 19]
Internet-Draft PRECIS Framework August 2011
If .cp. .in. Exceptions Then Exceptions(cp);
Else If .cp. .in. BackwardCompatible Then BackwardCompatible(cp);
Else If .cp. .in. Unassigned Then UNASSIGNED;
Else If .cp. .in. ASCII7 Then PVALID;
Else If .cp. .in. JoinControl Then CONTEXTJ;
Else If .cp. .in. PrecisIgnorableProperties Then DISALLOWED;
Else If .cp. .in. Controls Then DISALLOWED;
Else If .cp. .in. OldHangulJamo Then DISALLOWED;
Else If .cp. .in. LetterDigits Then PVALID;
Else If .cp. .in. Spaces Then NAMECLASS_DISALLOWED
or SECRETCLASS_DISALLOWED
or FREECLASS_VALID;
Else If .cp. .in. Symbols Then NAMECLASS_DISALLOWED
or SECRETCLASS_DISALLOWED
or FREECLASS_VALID;
Else If .cp. .in. Punctuation Then NAMECLASS_DISALLOWED
or SECRETCLASS_DISALLOWED
or FREECLASS_VALID;
Else If .cp. .in. HasCompat Then NAMECLASS_DISALLOWED
or SECRETCLASS_VALID
or FREECLASS_VALID;
Else DISALLOWED;
8. Code Points
The Categories and Rules defined in Section 6 and Section 7 apply to
all Unicode code points. The table in Section 12 shows, for
illustrative purposes, the consequences of the categories and
classification rules, and the resulting property values.
The list of code points that can be found in Section 12 is non-
normative. Instead, the rules defined by Section 6 and Section 7 are
normative, and any tables are derived from the rules.
9. IANA Considerations
9.1. PRECIS Derived Property Value Registry
IANA is requested to create a PRECIS-specific registry with the
Derived Properties for the versions of Unicode that are released
after (and including) version 6.0. The derived property value is to
be calculated in cooperation with a designated expert [RFC5226]
according to the specifications in Section 6 and Section 7, and not
by copying the non-normative table found in Section 12.
If during this process (creation of the table of derived property
Blanchet & Saint-Andre Expires February 20, 2012 [Page 20]
Internet-Draft PRECIS Framework August 2011
values) followed by a designated expert review, either backward-
incompatible changes to the table of derived properties are
discovered, or otherwise problems during the creation of the table
arises, that is to be flagged to the IESG. Changes to the rules (as
specified in Section 6 and Section 7) require IETF Review, as
described in [RFC5226].
9.2. PRECIS Usage Registry
IANA is requested to create a registry of application protocols that
use the base string classes. The registry will include one entry for
each use (e.g., if a protocol uses both the NameClass and the
FreeClass then the specification for that protocol would submit two
registrations). In accordance with [RFC5226], the registration
policy is "First Come First Served".
The registration template is as follows:
Application Protocol: [the application protocol that is using or
subclassing the PRECIS string class]
Base Class: [which base class is being used]
Subclassing: [whether the base class is being subclassed and, if so,
where documentation of the subclassing can be found]
Directionality: [the behavioral rule for handling of right-to-left
code points]
Casemapping: [the behavioral rule for handling of case]
Normalization: [which Unicode normalization form is applied]
Specification: [a pointer to relevant documentation, such as an RFC
or Internet-Draft]
10. Security Considerations
10.1. General Issues
The security of applications that use this framework can depend in
part on the proper preparation and comparison of internationalized
strings. For example, such strings can be used to make
authentication and authorization decisions, and the security of an
application could be compromised if an entity providing a given
string is connected to the wrong account or online resource based on
different interpretations of the string.
Specifications of application protocols that use this framework are
encouraged to describe how internationalized strings are used in the
protocol, including the security implications of any false positives
and false negatives that might result from various comparison
operations. For some helpful guidelines, refer to [IDENTIFIER],
Blanchet & Saint-Andre Expires February 20, 2012 [Page 21]
Internet-Draft PRECIS Framework August 2011
[RFC5890], [UTR36], and [UTR39].
10.2. Local Character Set Issues
When systems use local character sets other than ASCII and Unicode,
these specifications leave the problem of converting between the
local character set and Unicode up to the application or local
system. If different applications (or different versions of one
application) implement different rules for conversions among coded
character sets, they could interpret the same name differently and
contact different application servers or other network entities.
This problem is not solved by security protocols, such as Transport
Layer Security (TLS) [RFC5246] and the Simple Authentication and
Security Layer (SASL) [RFC4422], that do not take local character
sets into account.
10.3. Visually Similar Characters
Some characters are visually similar and thus can cause confusion
among humans. Such characters are often called "confusable
characters" or "confusables".
The problem of confusable characters is not necessarily caused by the
use of Unicode code points outside the US-ASCII range. For example,
in some presentations and to some individuals the string "ju1iet"
(spelled with the Arabic numeral one as the third character) might
appear to be the same as "juliet" (spelled with the lowercase version
of the letter "L"), especially on casual visual inspection. This
phenomenon is sometimes called "typejacking".
However, the problem is made more serious by introducing the full
range of Unicode code points into protocol strings. For example, the
characters U+13DA U+13A2 U+13B5 U+13AC U+13A2 U+13AC U+13D2 from the
Cherokee block look similar to the US-ASCII characters "STPETER" as
they might look when presented in a "creative" font.
In some examples of confusable characters, it is unlikely that the
average human could tell the difference between the real string and
the fake string. (Indeed, there is no programmatic way to
distinguish with full certainty which is the fake string and which is
the real string; in some contexts, the string formed of Cherokee
characters might be the real string and the string formed of US-ASCII
characters might be the fake string.) Because PRECIS-compliant
strings can contain almost any properly encoded Unicode code point,
it can be relatively easy to fake or mimic some strings in systems
that use the PRECIS framework. The fact that some strings are easily
confused introduces security vulnerabilities of the kind that have
also plagued the World Wide Web, specifically the phenomenon known as
Blanchet & Saint-Andre Expires February 20, 2012 [Page 22]
Internet-Draft PRECIS Framework August 2011
phishing.
Despite the fact that some specific suggestions about identification
and handling of confusable characters appear in the Unicode Security
Considerations [UTR36], it is also true (as noted in [RFC5890]) that
"there are no comprehensive technical solutions to the problems of
confusable characters". Because it is impossible to map visually
similar characters without a great deal of context (such as knowing
the fonts used), the PRECIS framework does nothing to map similar-
looking characters together, nor does it prohibit some characters
because they look like others.
However, specifications for application protocols that use this
framework MUST describe how confusable characters can be used to
compromise the security of systems that use the protocol in question,
and any protocol-specific suggestions for overcoming those threats.
In particular, software implementations and service deployments that
use PRECIS-based technologies are strongly encouraged to define and
implement consistent policies regarding the registration, storage,
and presentation of visually similar characters. The following
recommendations are appropriate:
1. An application service SHOULD define a policy that specifies the
scripts or blocks of characters that the service will allow to be
registered (e.g., in an account name) or stored (e.g., in a file
name). Such a policy SHOULD be informed by the languages and
scripts that are used to write registered account names; in
particular, to reduce confusion, the service SHOULD forbid
registration or storage of stings that contain characters from
more than one script and to restrict registrations to characters
drawn from a very small number of scripts (e.g., scripts that are
well-understood by the administrators of the service, to improve
manageability).
2. User-oriented application software SHOULD define a policy that
specifies how internationalized strings will be presented to a
human user. Because every human user of such software has a
preferred language or a small set of preferred languages, the
software SHOULD gather that information either explicitly from
the user or implicitly via the operating system of the user's
device. Furthermore, because most languages are typically
represented by a single script or a small set of scripts, and
because and most scripts are typically contained in one or more
blocks of characters, the software SHOULD warn the user when
presenting a string that mixes characters from more than one
script or block, or that uses characters outside the normal range
of the user's preferred language(s). (Such a recommendation is
not intended to discourage communication across different
Blanchet & Saint-Andre Expires February 20, 2012 [Page 23]
Internet-Draft PRECIS Framework August 2011
communities of language users; instead, it recognizes the
existence of such communities and encourages due caution when
presenting unfamiliar scripts or characters to human users.)
10.4. Security of the SecretClass
One goal of passwords and passphrases is to maximize the amount of
entropy, for example by allowing a wide range of code points and by
ensuring that secrets are not prepared in such a way that code points
are compared aggressively. Therefore, it is NOT RECOMMENDED for
application protocols to subclass the SecretClass in a way that
removes entire categories (e.g., by disallowing symbols or
punctuation). Furthermore, it is NOT RECOMMENDED for application
protocols to map uppercase and titlecase code points to their
lowercase equivalents; instead, it is RECOMMENDED to preserve the
case of all code points contained in string that conform to or
subclass the SecretClass.
That said, software implementers need to be aware that there exist
tradeoffs between entropy and usability. For example, allowing a
user to establish a password containing "uncommon" code points might
make it difficult for the user to access an application when using an
unfamiliar or constrained input device.
Some application protocols use passwords and passphrases directly,
whereas others reuse technologies that themselves process passwords
(one example is the Simple Authentication and Security Layer
[RFC4422]). Moreover, passwords are often carried by a sequence of
protocols with backends authentication systems or data storage
systems such as RADIUS [RFC2865] and LDAP [RFC4510]. Developers of
application protocols are encouraged to look into reusing these
profiles instead of defining new ones, so that end-user expectations
about passwords are consistent no matter which application protocol
is used.
11. Acknowledgements
The authors would like to acknowledge the comments and contributions
of the following individuals: David Black, Mark Davis, Alan DeKok,
Martin Duerst, Patrik Faltstrom, Ted Hardie, Joe Hildebrand, Paul
Hoffman, Jeffrey Hutzelman, Simon Josefsson, John Klensin, Alexey
Melnikov, Pete Resnick, Andrew Sullivan, and Dave Thaler.
Some algorithms and textual descriptions have been borrowed from
[RFC5892]. Some text regarding security has been borrowed from
[RFC5890] and [XMPP-ADDR].
Blanchet & Saint-Andre Expires February 20, 2012 [Page 24]
Internet-Draft PRECIS Framework August 2011
12. Codepoints 0x0000 - 0x10FFFF
To follow.
12.1. Codepoints in Unicode Character Database (UCD) format
To follow.
13. References
13.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network
Interchange", RFC 5198, March 2008.
[UNICODE] The Unicode Consortium, "The Unicode Standard, Version
6.0", 2010,
.
13.2. Informative References
[I18N-TERMS]
Hoffman, P. and J. Klensin, "Terminology Used in
Internationalization in the IETF",
draft-ietf-appsawg-rfc3536bis-06 (work in progress),
July 2011.
[IDENTIFIER]
Thaler, D., "Issues in Identifier Comparison for Security
Purposes", draft-iab-identifier-comparison-00 (work in
progress), July 2011.
[PROBLEM] Blanchet, M. and A. Sullivan, "Stringprep Revision Problem
Statement", draft-ietf-precis-problem-statement-03 (work
in progress), July 2011.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000.
[RFC3454] Hoffman, P. and M. Blanchet, "Preparation of
Internationalized Strings ("stringprep")", RFC 3454,
December 2002.
Blanchet & Saint-Andre Expires February 20, 2012 [Page 25]
Internet-Draft PRECIS Framework August 2011
[RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
"Internationalizing Domain Names in Applications (IDNA)",
RFC 3490, March 2003.
[RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and
Security Layer (SASL)", RFC 4422, June 2006.
[RFC4510] Zeilenga, K., "Lightweight Directory Access Protocol
(LDAP): Technical Specification Road Map", RFC 4510,
June 2006.
[RFC4690] Klensin, J., Faltstrom, P., Karp, C., and IAB, "Review and
Recommendations for Internationalized Domain Names
(IDNs)", RFC 4690, September 2006.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework",
RFC 5890, August 2010.
[RFC5891] Klensin, J., "Internationalized Domain Names in
Applications (IDNA): Protocol", RFC 5891, August 2010.
[RFC5892] Faltstrom, P., "The Unicode Code Points and
Internationalized Domain Names for Applications (IDNA)",
RFC 5892, August 2010.
[RFC5893] Alvestrand, H. and C. Karp, "Right-to-Left Scripts for
Internationalized Domain Names for Applications (IDNA)",
RFC 5893, August 2010.
[RFC5894] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Background, Explanation, and
Rationale", RFC 5894, August 2010.
[RFC5895] Resnick, P. and P. Hoffman, "Mapping Characters for
Internationalized Domain Names in Applications (IDNA)
2008", RFC 5895, September 2010.
[UAX15] The Unicode Consortium, "Unicode Standard Annex #15:
Unicode Normalization Forms", September 2010,
.
Blanchet & Saint-Andre Expires February 20, 2012 [Page 26]
Internet-Draft PRECIS Framework August 2011
[UAX9] The Unicode Consortium, "Unicode Standard Annex #9:
Unicode Bidirectional Algorithm", September 2010,
.
[UTR36] The Unicode Consortium, "Unicode Technical Report #36:
Unicode Security Considerations", August 2010,
.
[UTR39] The Unicode Consortium, "Unicode Technical Report #39:
Unicode Security Mechanisms", August 2010,
.
[XMPP-ADDR]
Saint-Andre, P., "Extensible Messaging and Presence
Protocol (XMPP): Address Format",
draft-saintandre-xmpp-6122bis-01 (work in progress),
July 2011.
URIs
[1]
[2]
Authors' Addresses
Marc Blanchet
Viagenie
2600 boul. Laurier, suite 625
Quebec, QC G1V 4W1
Canada
Email: Marc.Blanchet@viagenie.ca
URI: http://www.viagenie.ca/
Peter Saint-Andre
Cisco
1899 Wyknoop Street, Suite 600
Denver, CO 80202
USA
Phone: +1-303-308-3282
Email: psaintan@cisco.com
Blanchet & Saint-Andre Expires February 20, 2012 [Page 27]