draft-ietf-idn-compare-01.txt

     
Internet Draft                                         Paul Hoffman
draft-ietf-idn-compare-01.txt                            IMC & VPNC
July 11, 2000
Expires in six months                         

Comparison of Internationalized Domain Name Proposals

Status of this memo

This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC 2026.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

     The list of current Internet-Drafts can be accessed at
     http://www.ietf.org/ietf/1id-abstracts.txt

     The list of Internet-Draft Shadow Directories can be accessed at
     http://www.ietf.org/shadow.html.


Abstract

The IDN Working Group is working on proposals for internationalized
domain names that might become a standard in the IETF. Before a single
full proposal can be made, competing proposals must be compared on a
wide range of requirements and desired features. This document compares
the many parts of a comprehensive protocol that have been proposed. It
is the companion document to "Requirements of Internationalized Domain
Names" [IDN-REQ], which lays out the requirements for the
internationalized domain name protocol.


1. Introduction

As the IDN Working Group has discussed the requirements for IDN,
suggestions have been made for various candidate protocols that might
meet the requirements. These proposals have been somewhat helpful in
bringing up real-world needs for the requirements.

It became clear no single proposal had wide agreement from the working
group. In fact, the authors of various proposals found themselves taking
some features from other proposals as they revised their drafts. At the
same time, working group participants were making suggestions for
incremental changes that might affect more than one proposal.

Because of this mixing and matching, it was decided that this IDN
comparisons document should compare features that might end up in the
final protocol, not full protocol suggestions themselves. The features
that had been discussed in the working group were divided by function,
and appear in this document in separate sections. For each function,
there are multiple suggestions for protocol elements that might meet the
requirements that are described in [IDN-REQ].

This document is being discussed on the "idn" mailing list. To join the
list, send a message to <majordomo@ops.ietf.org> with the words
"subscribe idn" in the body of the message. Archives of the mailing list
can also be found at ftp://ops.ietf.org/pub/lists/idn*.

1.1 Format of this document

Each section covers one feature that has been discussed as being part of
the final IDN solution. Within each section, alternate proposals are
listed with the major perceived pros and cons of the proposal. Also,
each proposal is given a label to make discussion of this document (and
of the proposals themselves) easier.

References to the numbered requirements in [IDN-REQ] are from version
-02 of that document. These numbers are expected to change and the
requirements document evolves. In this draft, the requirements are show
as "[#n-02]", where "n" is the requirement number from draft -02 of
[IDN-REQ]. This document only lists where particular proposals don't
meet particular requirmenents from [IDN-REQ], not the ones that they
fulfill.

Note that this document is supposed to reflect the discussion of all
proposed alternatives, not just the ones that fully match the
requirements in [IDN-REQ]. It will serve as a summary of the discussion
in the IDN WG for readers in the future who may want to know why certain
alternatives were not chosen for the eventual protocol.

The proposal drafts covered in this document are:

[DUERST] Character Normalization in IETF Protocols,
draft-duerst-i18n-norm-03

[IDNE] Internationalized domain names using EDNS (IDNE),
draft-ietf-idn-idne-01

[KWAN] Using the UTF-8 Character Set in the Domain Name System,
draft-skwan-utf8-dns-03

[RACE] RACE: Row-based ASCII Compatible Encoding for IDN,
draft-ietf-idn-race-00

[SENG] UTF-5, a transformation format of Unicode and ISO 10646,
draft-jseng-utf5-01

[UDNS] Using the Universal Character Set in the Domain Name System
(UDNS), draft-ietf-idn-udns-00


2. Architecture

One of the biggest questions raised early in the IDN discussion was what
the format of internationalized name parts would be on the wire, that
is, between the user's computer and the DNS resolvers. It was agreed
that the DNS protocols certainly allow non-ASCII octets in domain name
parts and resource records, but there was also acknowledgement that many
protocols that rely on the DNS could not handle non-ASCII names due to
the design of the protocol. Section 3.1 of this document describes the
proposed encodings for the non-ASCII name parts.

Because of requirement [#2-02], there were proposals for
ASCII-compatible encodings (ACEs) of non-ASCII characters. Different
ACEs were proposed (and are discussed in Section 4 of this document),
but they all have the same goal: to allow non-ASCII characters to be
represented in host names that conform to RFC 1034 [RFC1034].

2.1 arch-1: Just send binary

[KWAN] proposes beginning to send characters outside the range allowed
in RFC 1034.

Pro: Easiest to describe. Only changes host name syntax, not any of the
related DNS protocols.

Con: Doesn't work with many exiting protocols that relies on DNS.
Violates requirement [#9-02].

2.2 arch-2: Send binary or ACE

[UDNS] (and, later, [IDNE]) proposes using both binary and ACE formats
on the wire.

Pro: Allows protocols that can handle binary name parts to use them
directly, while allowing protocols that cannot use binary name parts to
also handle names without conversion. Allows domain names in free text
to be displayed in binary even in systems that require ACE-formatted
names on the wire.

Con: Requires all software that uses domain names to handle both
formats. Requires processing time for conversion of ACE formats into the
format must likely used internally to the software.

2.3 arch-3: Just send ACE

[RACE] and [SENG] propose that host naming rules remain the same and
that all internationalize domain names be sent in ACE format.

Pro: No changes at all to current DNS protocols.

Con: Requires all software to recognize ACE domain names and convert
them to human-readable for display. This is true not only in domain
names used on the wire but also domain names used in free text.


3. Names in binary

Both arch-1 and arch-2 include domain name parts that are represented on
the wire in a binary format. This section describes some of the features
of such names.

3.1 bin-1: Format

There are many different charsets and encodings for the scripts of the
world. The WG has discussed which binary encoding should be used on the
wire.

3.1.1 bin-1.1: UTF-8

The IETF policy on character sets [RFC2277] states that UTF-8 [RFC2279]
is the preferred charset for IETF protocols. UTF-8 encodes all
characters in the ISO 10646 repertoire.

Pro: Well-supported in other IETF protocols. Compact for most scripts.
Wide implementation in programming languages. US-ASCII characters have
the same encoding in UTF-8 as they do in US-ASCII. Because it is based
on ISO 10646, expansion of the repertoire comes from respected
international standards bodies.

Con: Asian scripts require three octets per character.

3.1.2 bin-1.2: Labelled charsets

Mailing list discussion mentioned using multiple charsets for the binary
representation. Each name part would be labelled with the charset used.

Pro: Allows users to specify names in the charsets they are most
familiar with.

Con: All resolvers would have to know all charsets. Thus, the number of
charsets would probably have to be limited and never expand. Mapping of
characters between charsets would have to be exact and not change over
time.

3.2 bin-2: Distinguishing binary from current format

Software built for current domain names might give unexpected results
when dealing with non-ASCII characters in domain names. For example, it
was reported on the mailing list that some software crashes when a
non-ASCII domain name is returned for in-addr.arpa requests. Thus, there
may be a need for IDN to prevent software that is not binary-aware from
receiving domain names with binary parts. This would only apply to an
IDN that used arch-2, not arch-1.

3.2.1 bin-2.1: Don't mark binary

[KWAN] does not specify any way of changing requests to prevent binary
name parts from being transmitted.

Pro: No changes to current DNS requests and responses.

Con: Likely to cause disruption in software that is not binary-aware.
Likely to cause systems to misread names and possibly (and incorrectly)
convert them to ASCII names by stripping off the high bit in octets;
this in turn would lead to security problems due to mistaken identities.
Returning binary host names to DNS queries is known to break some
current software.

3.2.2 bin-2.2: Mark binary with IN bit

[UDNS] describes using a bit from the header of DNS queries to mark the
query as possibly containing a binary name part and indicating that the
response to the query can contain binary name parts.

Pro: This bit is currently unused and must be set to zero, so current
software won't use it accidentally. No changes to any other part of the
query or RRs.

Con: It's the last unused bit in the header and DNS folks have indicated
that they are very hesitant to give it up.

3.2.3 bin-2.3: Mark binary with new QTYPEs

[UDNS] using new QTYPEs to mark the query as possibly containing a
binary name part and indicating that the response to the query can
contain binary name parts. QTYPEs are two octets long, and no QTYPEs to
date use more than the lower eight bits, so one of the bits from the
upper octet could be used to indicate binary names.

Pro: These bits are currently unused and must be set to zero, so current
software won't use them accidentally. No changes to any other part of
the query or RRs. Uses a bit that isn't as prized as the IN bit.

Con: Software must pay more attention to the QTYPEs than it might have
previously.

3.2.4 bin-2.4: Mark binary with EDNS

[IDNE] uses EDNS [RFC2671] to mark the query and response as containing
a binary name part.

Pro: There is little use of EDNS at this point, so it is very unlikely
to have bad interactions with old software. EDNS allows longer name
parts, and allows additional information (such as IDN version number)
in each name part.

Con: There is little use of EDNS and this might make implementation
harder.


4. Names in ASCII-compatible encoding (ACE)

Both arch-2 and arch-3 include domain name parts that are represented on
the wire in an ASCII-compatible encoding (ACE). This section describes
some of the features of such names.

4.1 ace-1: Format

A variety of proposals for the format of ACE have been proposed. Each
proposal has different features, such as how many characters can be
encoded within the 63 octet limit for each name part. The length
descriptions in this section assume that there is no distinguishing of
ACE from current names; this is not a likely outcome of the WG work.

The descriptions of lengths is based on script block names from
[BLOCK-NAMES].

4.1.1 ace-1.1: UTF-5

[SENG] Describes UTF-5, which is a fairly direct encoding of ISO 10646
characters using a system similar to UTF-8. Characters from Basic Latin
and Latin-1 Supplement take 2 octets; Latin Extended-A through Tibetan
take 3 octets; Myanmar through the end of BMP take 4 octets; non-BMP
characters take 5 octets. This means that names using all characters
in the Myanmar through the end of BMP are limited to 15 characters.

Pro: Extremely simple.

Con: Poor compression, particularly for Asian scripts.

4.1.2 ace-1.2: RACE

[RACE] describes RACE, which is a two-step algorithm that first
compresses the name part, then converts the compressed string into and
ACE. Name parts in all scripts other than Han, Yi, Hangul syllables,
Ethiopic, and non-BMP take up ceil(1.6*(n+1)) octets; name parts in
those scripts and any name that mixes characters from different rows in
ISO 10646 take up ceil(3.2*(n+1)) octets. This means that names using
Han, Yi, Hangul syllables, or Ethiopic, are limited to 18 characters.
(Note: this document used to be called CIDNUC.)

Pro: Best compression for most scripts, and similar compression for the
scripts where it is not the best.

Con: More complicated than UTF-5. Not well optimized for names that have
mixed scripts, such as non-Latin names that use hyphen or ASCII digits.

4.1.3 ace-1.3: Hex of UTF-8

An early draft described "hex of UTF-8", which is a straight-forward
hexadecimal encoding of UTF-8. Characters in Basic Latin (other than
non-US-ASCII and hyphen) take 3 octets; Latin Extended-A through Tibetan
take 5 octets; Myanmar through end of BMP take 7 octets; non-BMP
characters take 9 octets. This means that names using all characters
in the Myanmar through the end of BMP are limited to 9 characters.

Pros: Very simple to describe.

Cons: Very poor compression for all scripts.

4.1.4 ace-1.5: SACE

A message on the mailing list pointed to code for SACE, an ASCII
encoding that purports to compact to about the same size as UTF-8.

Pros: Similar compression to UTF-8.

Cons: No description of how the algorithm works.

4.2 ace-2: Distinguishing ACE from current names

Software that finds ACE name parts in free text probably should
display the name part using the actual characters, not the ACE
equivalent. Thus, software must be able to identify which ASCII name
parts are ACE and which are non-ACE ASCII parts (such as current names).
This would only apply to an IDN proposal that used arch-2, not arch-3.

4.2.1 ace-2.1: Currently legal names

Name parts that are currently legal in RFC 1034 can be tagged to
indicate the part is encoded with ACE.

4.2.1.1 ace-2.1.1: Add hopefully-unique legal tag

[RACE] proposes adding a hopefully-unique legal tag to the beginning
of the name. The proposal would also work with such a tag at the end of
the name part, but it is easier for most people to recognize at the
beginning of name parts.

Pros: Easy for software (and humans) to recognize.

Cons: There is no way to prevent people from beginning non-ACE names
with the tag. Unless the tag is very unlikely to appear in any name in
any human language, non-ACE names that begin with the tag will display
oddly or be rejected by some systems.

4.2.1.2 ace-2.1.2: Add a checksum

Off-list discussion has mentioned the possibility of creating a checksum
mechanism where the checksum would be added to the beginning (or end) of
ACE name parts.

4.2.2 ace-2.2: Currently illegal names

Instead of creating names that are currently legal, another proposal is
to create names that use the current ASCII characters but are illegal.

4.2.2.1 ace-2.2.1: Add trailing hyphen

An earlier draft described using a trailing hyphen as a signifier of an
ACE name.

Pros: It is surmised that most current software does not reject names
that are illegal in this fashion. Thus, there would be little disruption
to current systems. This mechanism takes up fewer characters than any
proposed in ace-2.1.

Cons: Some current software is will probably break with this mechanism.
It goes against some current protocols that match the rules in RFC 1034.

5. Prohibited characters

There was a short but active discussion on the mailing list about which
characters from the ISO 10646 character set should never appear in host
names. To date, there are no Internet Drafts on the subject. This
section summarizes some of the suggestions.

5.1 prohib-1: Identical and near-identical characters

Some characters are visually identical or incredibly similar to other
characters, thus making it impossible to accurately enter host names
that are seen in print.

5.2 prohib-2: Separators

Horizontal and vertical spacing characters would make it unclear where a
host name begins and ends. Also, allowing periods and period-like
characters as characters within a name part would also cause similar
confusion.

5.3 prohib-3: Non-displaying and non-spacing characters

There are many characters that cannot be seen in the ISO 10646 character
set. These include control characters, non-breaking spaces, formatting
characters, and tagging characters. These characters would certainly
cause confusion if allowed in host names.

5.4 prohib-4: Private use characters

Private use characters from ISO 10646 inherently have no specified
visual form (and in fact can be used for non-displaying characters).
Thus, there could be no visual interoperability for characters in the
private use areas.

5.5 prohib-5: Punctuation

Some punctuation characters are disallowed in URLs because they are used
in URL syntax.

5.6 prohib-6: Symbols

Some mailing list discussion stated that characters that do not normally
appear in human or company names should not be allowed in host names.
This includes symbols and non-name punctuation.


6. Canonicalization

The working group has a spirited discussion on the need for
canonicalization. [IDN-REQ] describes many requirements for when and what
type of canonicalization might be performed.

6.1 canon-1: Type of canonicalization

The Unicode Consortium's recommendations and definitions of
canonicalization [UTR-15] describes many forms of canonicalization that
can be performed on character strings. [DUERST] covers much of the same
ground but makes more focused requirements for canonicalization on the
Internet.

6.1.1 canon-1.1: Normalization Form C

[DUERST] recommends Normalization Form C, as described in [UTR-15], for
use on the Internet. This form is a canonical decomposition, followed by
canonical composition.

6.1.2 canon-1.2: Normalization Form KC

Discussion on the mailing list recommended Normalization Form KC. This
form is a compatibility decomposition, followed by canonical
composition. Compatibility decomposition makes characters that have
compatibility equivalence the same after decomposing.

6.2 canon-2: Other canonicalization

Host names may have special canonicalization needs that can be added to
those given in canon-1.

6.2.1 canon-2.1: Case folding in ASCII

RFC 1034 specifies that there is no difference between host names that
have the same letters but the letters have different case. Thus, the
name part "example" is considered the same as "Example" and "EXamPLe".
Neither uppercase nor lowercase is specified as being canonical.

6.2.2 canon-2.2: Case folding in non-ASCII

Discussion on the mailing list has raised the issue of whether or not
non-ASCII Latin characters should have the same case-folding rules as
ASCII. Such rules would match the expectations of native speakers of
some languages, but would go counter to the expectations of native
speakers of other languages.

6.2.3 canon-2.3: Han folding

Discussion on the mailing list has raised the issue of equivalences in
some languages use of Han characters. For example, in Chinese, there are
many traditional characters that have equivalent simplified characters.
Similarly, there are some Han ideographs for which there are multiple
representations in ISO 10646. There are no well-established rules for
such folding, and some of the proposed folding would be locale-specific.

6.3 canon-3: Location of canonicalization

Canonicalization can be performed in any system in the DNS. Because it
is not a trivial operation and can require large tables, the location of
where canonicalization is performed is important.

6.3.1 canon-3.1: Canonicalize only in the application

Early canonicalization is a cleaner architecture design. Spending the
cycles on the end systems puts less burden on resolvers or servers in
the DNS service. When IDN is first adopted, the applications need to be
updated anyway to handle the new format for the names. It is easier for
people to upgrade their applications than their resolvers if they need a
new IDN feature.

6.3.2 canon-3.2: Canonicalize only in the resolver

Updating a single resolver provides new service to large number of
applications and (possibly) users. It is easier to find canonicalization
bugs in resolvers than in applications because the resolver has
predictable programmatic interfaces. IDN will probably be revised often
as new characters are added to ISO 10646, so updating smaller number of
resolvers is better than revising more applications. When an end user
has a problem with resolving an IDN name, it is much easier to test if
the problem is in the resolver than in the user's application.

6.3.3 canon-3.3: Canonicalize in the DNS service

Canonicalization should happen as late as possible so that changes in
the canonicalization algorithm don't orphan all applications and
resolvers. Some canonicalization discards information and so should be
delayed as long as possible. Canonicalization is practically free,
computationally (although it involves some large tables). Because adding
IDN to the DNS will happen over time, canonicalizing at the server will
minimize the number of things that need to be changed, and simplify and
centralize the process of change.


7. Transitions

Early in the working group discussion, there was active debate about how
the transition from the current host name rules to IDN would be handled.
Given requirement [#1-02], this transition is quite important to
deciding which proposals might be feasible.

7.1 trans-1: Always do current plus new architecture

In this proposal, IDN will be used at the same time as the current DNS
forever. That is, IDN will be in addition to the current DNS.

7.2 trans-2: Transition period

In this proposal, IDN will be used at the same time as the current DNS
for a specified period of time, after which only IDN will exist. That
is, IDN will replace the current DNS.


8. Root server considerations

DNS root servers receive all requests for top-level domains that are not
in the local DNS cache. They are critical to the Internet.  Care must be
taken to ensure that root servers will not be affected by new mechanisms
introduced.

Any IDN proposal that includes a binary encoding will have an impact on
the root servers. The binary requests will affect the root servers
because the current root server software is designed to handle current
host names. Further, the root zone files which contain ccTLDs and gTLDs
would have to support binary domain names and possibly binary host names
for NS records. Because all the root servers are equivalent, they would
have to be synchronized to support the binary domain names at the same
time.

Proposals that only use ACE and use tagging with currently-legal names
would, by definition, not affect the root servers.


9. Security considerations

All security considerations listed in [IDN-REQ] apply to this document.
Further, all security considerations listed in each of the IDN proposals
must be considered when comparing the proposals.

Some proposals described in this document may create new security
considerations. However, these considerations will have to be addressed
in the eventual protocol document. All the proposals described here are
still incomplete and security considerations may be added to them as
they are revised. All the proposals listed in this document use the ISO
10646 character set, so the proposals inherit any security
characteristics of that character set.

Many protocols and applications rely on domain names to identify the
parties involved in a network transaction. For example, a user who
connects to a web site by entering or selecting a URL expects that their
software will select the web site named in the URL. The uniqueness of
domain names are crucial to ensure identification of Internet entities.

To make round-trip translation between local charsets and ISO 10646, the
ISO 10646 specification has assigned multiple code points to individual
glyphs. Moreover, some glyphs might look similar to some users, but look
clearly different by other users. This means that it would be simple for
an attacker to mimic a domain name by using similar-looking but
different glyphs and guessing that some users will not see the
difference in their user interface.

Some IDN protocols may have denial of service attacks, such as by using
non-identified chars, exception characters, or under-specified behavior
in using some special characters.


10. IANA considerations

This document does not create any new IANA registries. However, it is
possible that a character property registry may need to be set up when
the IDN protocol is created in order to list prohibited characters
(section 5) and canonicalization mappings (section 6).


11. Acknowledgements

James Seng and Marc Blanchet gave many helpful suggestions on the
pre-release versions of this document.


12. References

[BLOCK-NAMES] Unicode Consortium,
<ftp://ftp.unicode.org/Public/UNIDATA/Blocks.txt>.

[DUERST] Character Normalization in IETF Protocols,
draft-duerst-i18n-norm-03

[IDN-REQ] Requirements of Internationalized Domain Names,
draft-ietf-idn-requirements-02

[IDNE] Internationalized domain names using EDNS (IDNE),
draft-ietf-idn-idne-01

[KWAN] Using the UTF-8 Character Set in the Domain Name System,
draft-skwan-utf8-dns-03

[RACE] RACE: Row-based ASCII Compatible Encoding for IDN,
draft-ietf-idn-race-00

[RFC2277] IETF Policy on Character Sets and Languages, RFC 2277

[RFC2279] UTF-8, a transformation format of ISO 10646, RFC 2279

[RFC2671] Extension Mechanisms for DNS (EDNS0), RFC 2671

[SENG] UTF-5, a transformation format of Unicode and ISO 10646,
draft-jseng-utf5-01

[UDNS] Using the Universal Character Set in the Domain Name System
(UDNS), draft-ietf-idn-udns-00

[UTR15] Unicode Normalization Forms, Unicode Technical Report #15


A. Differences Between -00 and -01 Drafts

Throughout: Changed references from [HOFFMAN] to [RACE].

Throughout: Changed references from [OSCARSSON] to [UDNS].

Throughout: Added [IDNE].

Removed section 1.2.

3.2.3: Updated to mention [UDNS].

3.2.4: Updated with [IDNE], changed "EDNS0" to "EDNS", and reworded.

4.1.2: Added Ethiopic to the list of scripts that require two octets per
character.

4.1.3: Removed reference to [OSCARSSON] because that is no longer in the
[UDNS] draft.

4.2.2.1: Removed reference to [OSCARSSON] because that is no longer in
the [UDNS] draft.

6.1.1: Reworded first sentence.

6.3: Added entire section and subsections.

8: Fixed typo in first sentence.


B. Author Contact

Paul Hoffman
IMC & VPNC
127 Segre Place
Santa Cruz, CA  95060
phoffman@imc.org or paul.hoffman@vpnc.org