INTERNET-DRAFT Larry Masinter Adobe Systems Incorporated Martin Duerst draft-masinter-url-i18n-07 W3C/Keio University Expires July 2001 January 4, 2001 Internationalized Resource Identifiers (IRI) Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This document is not a product of any working group, but may be discussed on the mailing list . For more information on the topic of this internet-draft, please also see [W3C IRI]. Abstract This document defines a new protocol element, an Internationalized Resource Identifier (IRI). An IRI is a sequence of characters from the Universal Character Set [10646]. A mapping from IRIs to URIs [RFC 2396] is defined, which means that IRIs can be used instead of URIs where appropriate to identify resources. Defining a new protocol element was preferred to extending or changing the definition of URIs to allow a clear distinction and to avoid incompatibilities with existing software. Guidelines for the use and deployment of IRIs in various software components that now deal with URIs are provided. 1. Introduction 1.1 Overview and Motivation A URI is defined in [RFC2326] as a sequence of characters chosen from a limited subset of the repertoire of ASCII characters. This document defines a new protocol element, an IRI (Internationalized Resource Identifier) by extending the syntax of URIs to a much wider repertoire of characters. It also defines "internationalized" versions corresponding to other constructs from [RFC2326]. The characters in URIs are frequently used for representing words of natural languages. Using words from natural languages in URIs is very common. Such usage has many advantages: such URIs are easier to memorize, easier to interpret, easier to transcribe, easier to create, and easier to guess. For most languages other than English, however, the natural script uses characters other than A-Z. For many people, handling Latin characters is as difficult as handling the characters of other scripts is for people who use only the Latin alphabet. Many languages with non-Latin scripts do have transcriptions to Latin letters and such transcriptions are now often used in URIs, but they introduce additional ambiguities. The infrastructure for the appropriate handling of characters from local scripts is now widely deployed in local versions of operating system and application software; and software that can handle a wide variety of scripts and languages at the same time is increasing in use. Using characters outside of A-Z in IRIs brings with it some difficulties; a discussion of drawbacks and necessary workarounds can be found in the later sections of this document. URIs often contain Internet host names embedded with them. There is an ongoing discussion of internationalization and host names; the specific issues of the relationship of IRIs and possible future "internationalized" host names are not discussed here. The definition of IRIs here is consistent with the URN syntax [RFC2141] as well as recent URL scheme definitions that define encodings of non-ASCII characters based on (e.g., IMAP URLs [RFC 2192] and POP URLs [RFC 2384]). In these examples, the representation of non-ASCII characters is based on the same mechanism (using UTF-8 and hex encoding, as recommended in [RFC 2718]) as the conversion from IRIs to URIs defined below. As a consequence, when software components are upgraded to handle IRIs, the non-ASCII characters escaped e.g. in in a POP URIs will appear directly as characters in the corresponding IRI. 1.2 Definitions The following definitions are used in this document; they follow the terms in [RFC 2130] and [RFC2277]: character An abstract object with a separate identity. "LATIN CAPITAL LETTER A" is a character. octet 8 bits character repertoire A set of characters (in the Mathematical sense) sequence of characters A sequence (one after another) of characters sequence of octets A sequence (one after another) of octets character encoding A method of representing a sequence of characters as a sequence of octets (maybe with variants). A method of (unambiguously!) converting a sequence of octets into a sequence of characters. code point A placeholder for a character in a character encoding, for example to encode additional characters in future versions of the character encoding. charset The name of a parameter or attribute used to identify a character encoding. 2. IRI Syntax This section defines the syntax of Internationalized Resource Identifiers (IRIs). As with URIs, an IRI is defined as a sequence of characters. This definition accommodates the fact that IRIs may be written on paper or read over the radio as well as being transmitted over the network. Also, the same IRI may be represented as different sequences of octets in different protocols or documents if these protocols or documents use different character encodings. Using the same character encoding as the containing protocol or document assures that the characters in the IRI can be handled (among else displayed) in the same way as the rest of the protocol or document. 2.1 Summary of IRI syntax IRIs are defined similarly to URIs in [RFC2386] (as modified by [RFC2732]), but the class of unreserved characters is extended by adding all the characters of the UCS (Universal Character Set, [ISO10646]) beyond U+0080, subject to the limitations given in Section 3. Otherwise, the syntax and use of components and reserved characters is the same as that in [RFC2396]. All the operations defined in [RFC2396], such as the resolution of relative URIs, can be applied to IRIs by IRI-processing software exactly in the same way as this is done by URI-processing software. Characters outside the ASCII range MUST NOT be used for syntactical purposes such as to delimit components in newly defined schemes. As an example, it is not allowed to use U+00A2, CENT SIGN, as a delimiter, because it is in the iunreserved category, in the same way as it is not possible to use '-' as a delimiter, because it is in the unreserved category. 2.2 ABNF for IRIs While it might be possible to define IRIs merely by their transformation to URIs, it is possible that IRIs are accepted and processed directly in some situations. For this reason, an ABNF definition for IRIs is given here. IRI-reference = [ absoluteIRI | relativeIRI ] [ "#" fragment ] absoluteIRI = scheme ":" ( hier_part | opaque_part ) relativeIRI = ( inet_path | iabs_path | irel_path ) [ "?" iquery ] ihier_part = ( inet_path | iabs_path ) [ "?" i-query ] iopaque_part = iric_no_slash *iric iric_no_slash = iunreserved | escaped | ";" | "?" | ":" | "@" | "&" | "=" | "+" | "$" | "," inet_path = "//" iauthority [ iabs_path ] iabs_path = "/" ipath_segments irel_path = irel_segment [ iabs_path ] irel_segment = 1*( iunreserved | escaped | ";" | "@" | "&" | "=" | "+" | "$" | "," ) iauthority = server | ireg_name ireg_name = 1*( iunreserved | escaped | "$" | "," | ";" | ":" | "@" | "&" | "=" | "+" ) ipath_segments = isegment *( "/" isegment ) isegment = *ipchar *( ";" iparam ) iparam = *ipchar ipchar = iunreserved | escaped | ":" | "@" | "&" | "=" | "+" | "$" | "," iquery = *iric ifragment = *iric iric = reserved | iunreserved | escaped iunreserved = ichar | unreserved ichar = << any character of UCS [ISO10646] beyond U+0080, subject to limitations in Section 3.1. >> The following are the same as [RFC2396] as modified by [RFC2732]: reserved = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" | "$" | "," | "[" | "]" unreserved = alphanum | mark mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")" escaped = "%" HEXDIG HEXDIG server = [ [ userinfo "@" ] hostport ] userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," ) hostport = host [ ":" port ] host = hostname | IPv4address | IPv6reference ipv6reference = "[" IPv6address "]" hostname = *( domainlabel "." ) toplabel [ "." ] domainlabel = alphanum | alphanum *( alphanum | "-" ) alphanum toplabel = alpha | alpha *( alphanum | "-" ) alphanum IPv6address = hexpart [ ":" IPv4address ] IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT IPv6prefix = hexpart "/" 1*2DIGIT hexpart = hexseq | hexseq "::" [ hexseq ] | "::" [ hexseq ] hexseq = hex4 *( ":" hex4) hex4 = 1*4HEXDIG port = *DIGIT scheme = alpha *( alpha | digit | "+" | "-" | "." ) alphanum = alpha | digit alpha = lowalpha | upalpha lowalpha = "a" | "b" | "c" | "d" | "e" | "f" | "g" | "h" | "i" | "j" | "k" | "l" | "m" | "n" | "o" | "p" | "q" | "r" | "s" | "t" | "u" | "v" | "w" | "x" | "y" | "z" upalpha = "A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "J" | "K" | "L" | "M" | "N" | "O" | "P" | "Q" | "R" | "S" | "T" | "U" | "V" | "W" | "X" | "Y" | "Z" 2.3 Mapping of IRIs to URIs This section defines how to convert an IRI to a URI. This mapping has two purposes: a) Syntax limitation: IRIs are valid only if they map to syntactically valid URIs. b) Interpretation: The "meaning" of a IRI--the way than an IRI can be used to identify a resource -- is defined by the mapping: the IRI is translated to a URI which is then used to identify (name, locate, etc.) the appropriate resource. This mapping can be accomplished by the following steps: 1) Represent the IRI characters as a sequence of characters from the UCS. 2) Normalize the character sequence according to Normalization Form C, as defined in [IETFNorm]. (See further discussion in Section 3.1.) 3) For each character that is not in the US-ASCII repertoire, apply the following: 3.1) Convert the character to a sequence of one or more octets using UTF-8 [RFC 2279]. Note: All resulting octets will have values greater than 127. 3.2) Convert each octet to %HH, where HH is the hexadecimal notation of the octet value. Note: This is identical to the escaping mechanism in Section 2.4.1 of [RFC 2396]. 3.3) Replace the original character by the resulting character sequence. In step 3), octets allowed in URIs MUST NOT be escaped further, because they are already in their correct escaping stage in IRIs. The above mapping produces an URI fully conforming to [RFC 2396] out of each IRI. In addition, it results in the identity transformation for URIs. Every URI is therefore by definition an IRI. (This is due to the fact that Normalization Form C does not modify strings of US-ASCII characters.) 2.4 Converting URIs to IRIs In some situations, it might be desirable to convert a URI into an IRI which would be equivalent, especially if it is known that the URI originally resulted from transformation from an IRI, or the URI is an URN or an URL using UTF-8 to encode non-ASCII characters (see last paragraph of Subsection 1.2). However, it is important to note that in the general case, this conversion is not reliable. Many URI schemes and URI components allow arbitrary octets to be encoded. Even when the conversion is successful because the hex-escaped octets in the URI are legal in UTF-8, this may be so just by accident. Due to the regularities in the octet patterns of UTF-8, it is likely that the result is appropriate, but there cannot be a guarantee that the IRI that results is sensible or corresponds to any original meaning. Conversion from an URI to an IRI is done using the following steps: 1) Convert all hexadecimal escapes (% followed by two hexadecimal digits) of %80 and higher to the corresponding octets. (The result is a sequence of intermixed 'characters' and 'octets'; it is necessary to distinguish strictly between characters and octets in this procedure.) 2) Convert all sequences of octets that are strictly legal UTF-8 sequences to the corresponding sequences of characters. Note: The properties of UTF-8 make sure that this will in all cases lead to the same result. 3) Convert back to octets all resulting characters that either do not meet the syntax limitations of Section 3.1 or are identified as unadvisable. 4) Convert all the remaining octets (i.e. those not affected by step 2 and those produced by step 3) back to hexadecimal escapes. This procedure will convert as many escaped non-ASCII characters as possible to characters in an IRI. In some cases, the results will be that only some components of the URI will become unescaped in the resulting IRI, while others will remain escaped. 3. Considerations for use of IRIs 3.1 IRI Character Limitations Not all characters of the UCS are appropriate for use as resource identifiers. This section gives the limitations on characters and character sequences usable for IRIs. a. The repertoire of characters allowed in each IRI component is limited by the definition of that component. For example, the definition of host names in URIs does not allow hex escapes, or "_", or many other punctuation characters. This specification does not relax those limits, and so IRIs may not contain any non-ASCII characters in host names. The scheme component is likewise not extended beyond ASCII. b. Many of the limitations of the repertoire of URIs were selected because of the requirements for transcription: URIs should not contain characters that are difficult for a person to transcribe from a visible representation of the character into typed text; characters that are likely to be used to delimit URIs in text and print were likewise avoided. For this reason, UCS characters similar to those in the categories "space", "delims", and "unwise" in [RFC 2396, Section 2.4.3] should not be used. [More details to be added.] c. The UCS contains many areas of "characters" which have no simple way of typing them. These should be avoided. Characters that fall into this category include Dingbats, Mathematical and other symbols, ligatures and presentation forms. d. The UCS contains many areas of characters for which there are strong visual look-alikes. Because of the likelihood of transcription errors, these also should be avoided. This includes the full-width equivalents of ASCII characters, and half-width Katakana characters for Japanese, and many others. Please note that the likelihood of transcription errors may depend on the context. e. Characters with no visual representation may not be interoperably entered. "Control characters" MUST NOT be used. This includes the traditional ranges of control characters (U+0000-U+001F and U+0080-U+009F) as well as swapping and plane-14 language tag characters. [More details to be added.] f. Some code points are reserved for private use or for special encoding purposes. They are not interoperable. Code points reserved for private use MUST NOT be used. Code points reserved for surrogates MUST NOT be used. g. Where there exist duplicate ways of encoding a certain character as visible to the user, Normalization Form C as defined in [IETFNorm] MUST be used. For reasons of transcribability, many characters have been excluded above. These can nevertheless be encoded in an IRI if necessary. However, they have to be escaped using the procedure in Section 2.3. For example, a space has to be encoded in an URI and in an IRI as %20. A non-breaking space (U+00A0) can be encoded as %C2%A0. 3.2 Bidirectional IRIs for Right-to-Left languages Bidirectional (BIDI) IRIs are IRIs containing characters with an inherent right-to-left writing direction; these require additional attention when being converted from a visual representation to a digital representation and back. In digital representations (as well as when read/spelled), the sequence of components and characters should be in "logical" order: This conforms to the specifications for the UCS and allows generic operations, such as the resolution of relative IRIs, to be carried out without special provisions. A visual representation placing the IRI characters strictly from left to right would make some of its components, such as words written in Arabic or Hebrew, unreadable. On the other hand, an uncontrolled reversion of the whole IRI would make components with Latin or other left-to-right words unreadable, and/or would obscure the sequence of the IRI components. In addition, a direct application of the Unicode bidirectionality algorithm [UNIV3, Section 3.12] would relocate the reserved characters that define the structure of an URI because most of them have neutral directionality. The visual representation of IRIs is therefore defined as follows: - The IRI as a whole is presented from left to right, component by component. Components of an IRI are parts of an IRI that are delimited by reserved characters. - Within each component, the Unicode bidi algorithm is applied, assuming a left-to-right embedding context. For display, this behavior can be achieved by preceding the IRI with an LRE (left to right embedding) character, following it with a PDF (pop directional formatting) character, and preceding and following each reserved character by an LRM (left to right mark) character. In this form, it can be passed to a display engine supporting the Unicode BIDI algorithm. We are requesting feedback on the this approach from the affected communities. 3.3. Processing relative IRIs Processing of relative forms of IRIs against a base is handled straightforwardly; the algorithms of RFC 2396 may be applied directly. Another possibility is to convert both the relative IRI and the base IRI to URIs, then absolutize, and then convert back. If only one of the involved identifiers is an IRI, it should also be converted to an URI. 4. Software requirements This section explains the issues and difficulties in supporting IRIs in the same software components and operations that currently process URIs: software interfaces that handle URIs, software that allows users to enter URIs, software that generates URIs, software that displays URIs, formats that transport URIs, and software that interprets URIs may all require significant modification before functioning properly with IRIs. 4.1 URI/IRI software interfaces Software interfaces that handle URIs, such as URI-handling APIs and protocols transferring URIs, may need modifications before they can handle IRIs. Note that although an IRI is defined as a sequence of characters, software interfaces for URIs typically function on sequences of octets. Thus, it is necessary to define clearly which character encoding is used. In case the current handling is based on ASCII, UTF-8 should be chosen as the encoding for IRIs, because this is compatible with ASCII, is in accordance with the recommendations of [RFC 2277], and makes it easy to convert to URIs where necessary. In any case, the encoding used must not be left undefined. Intermediate software interfaces between IRI-capable components and URI-only components must map the IRIs as per section 2.3 above, when transfering from IRI-capable to URI-only components. The transfer in the other direction requires no mapping, although the mapping described in section 2.4 above may be performed. It is preferable to not to perform this inverse mapping when there is a chance that this cannot be done correctly. For example, if it cannot be checked whether the sequence of %HH escapes corresponds to a valid sequence of UTF-8 octets, unescaping should not be done. 4.2 URI/IRI entry There are components that allow users to enter URIs into the system, e.g., by typing or dictation. This software must be updated to allow for IRI entry. A person viewing a visual representation of an IRI (as a sequence of glyphs, in some order, in some visual display) or hearing an IRI, will use a keyboard entry method for keys in that language to input the IRI. Depending on the script and the input method used, this may be a more or less complicated process. The process of IRI entry must assure, as far as possible, that the limitations defined in Section 3.1 are met. This may be done by choosing appropriate input methods or variants thereof, by appropriately converting the characters being input, by eliminating characters that cannot be converted, and/or by issuing a warning or error message to the user. An input field primarily or only used for the input of URIs/IRIs should allow the user to view an IRI as converted to an URI. Places where the input of IRIs is frequent should provide the possibility for viewing an IRI as converted to an URI. This will help users when some of the software they use does not yet accept IRIs. An IRI input component that interfaces to components that handle URIs, but not IRIs, must escape the IRI before passing it to such a component. The input of IRIs with right-to-left characters requires additional care to keep the visual and the internal representation in synch, and to eliminate control characters and marks used to control the display before passing the IRI over to a resolver. IRI input fields that allow the input of right-to-left characters MUST provide this functionality. IRI input fields that do not provide this functionality MUST NOT allow the input of right-to-left characters. 4.3 URI/IRI generation Systems that are offering resources through the Internet, where those resources have logical names, sometimes automatically generate URIs for the resources they offer. For example, some HTTP servers can generate a 'directory listing' for a file directory under their purview, and then respond to the generated URIs with the files. Many legacy character encodings are in use in various file systems. Many currently deployed systems do not transform the local character representation of the underlying system before generating URIs. For maximum interoperability, systems that generate resource identifiers should do the appropriate transformations. They should use IRIs converted to URIs in cases where it cannot be expected that the recipient is able to handle IRIs. Due to the way most user agents currently work, native IRIs, encoded in UTF-8, may be used if the recipient announces that it can interpret UTF-8. This recommendation in particular applies to HTTP servers. For FTP servers, similar considerations apply, see in particular [RFC 2640]. 4.4 URI/IRI selection In some cases, resource owners and publishers have control over the IRIs used to identify their resources. Such control is mostly executed by controlling the resource names, such as file names, directly. In such cases, it is recommended to avoid choosing IRIs that are easily confused. For example, for ASCII, the lower-case ell "l" is easily confused with the digit one "1", and the upper-case oh "O" is easily confused with the digit zero "0". Publishers should avoid to unintentionally confuse users with "br0ken" or "1ame" identifiers. Outside of the ASCII range, there are many more opportunities for confusion; a complete set of guidelines is too lengthy to include here. As long as names are limited to characters from a single script, native writers of a given script or language will know best when ambiguities can appear, and how they can be avoided. What may look ambiguous to a stranger may be completely obvious to the average native user. Note that the limitations defined in Section 3.1 and the recommendations given here are of a different nature. The limitations defined in Section 3.1 are necessary to avoid duplicate encodings that are artifacts of digital representation and that the user has no way to distinguish visually. On the other hand, in a given context, an identifier such as "BOX0021" can be completely appropriate, and it is impossible to find an algorithm that distinguishes the appropriate from the confusing identifiers. In certain cases, there is a chance that letters from different scripts look the same. The best know example is the Latin 'A', the Greek 'Alpha', and the Cyrillic 'A'. To disambiguate such cases, it should be assumed that all letters in a component are from the same script. This is similar to the heuristics used to distinguish between letters and numbers in the examples above. Also, for the above three scripts, using lower case letters results in much fewer ambiguities than using upper-case letters. 4.5 Display of URI/IRIs Many systems contain software that presents URIs to users as part of the system's user interface (sometimes presenting 'friendly' URIs, i.e., a shortened or more legible subset of the URI.) This section applies to this presentation, as well as to the strategy for printing URIs in magazines, newspapers, or reading them over the radio. Software that displays identifiers to users should follow a general principle: "Don't display something to a user that the user would not be able to enter." The consequences of this principle require judgement about the availability of software that implements the entry methods described in Section 3.2. a) In situations where a viewer is not likely to have software that implements non-ASCII character entry (as described in Section 3.1), or where it can be expected that only a limited range of non-ASCII characters can be entered, any part of an IRI containing characters outside the range allowed in [RFC 2396] or any additions should be escaped before being displayed. b) In situations where a viewer _is_ likely to have such software, IRIs may be displayed directly. For display of BIDI IRIs, please see section 3.2. 4.6 Interpretation of URI/IRIs Software that interprets IRIs as the names of local resources should accept IRIs in multiple forms, and convert and match them with the appropriate local resource names. First, multiple representations includes both IRIs in the native character encoding of the protocol (UTF-8 if not otherwise defined) and also their URI counterparts. Second, it may include URIs constructed based on other character encodings than UTF-8. Such URIs may be produced by user agents that do not conform to this specification and use legacy encodings to convert non-ASCII characters to URIs. Whether this is necessary, and what character encodings to cover, depends on a number of factors, such as the legacy character encodings used locally and the distribution of various versions of user agents. For example, software for Japanese may accept URIs in Shift_JIS and/or EUC-JP in addition to UTF-8. Third, it may include additional mappings to be more user-friendly and robust against transmission errors. These would be similar to how currently some servers treat URIs as case-insensitive, or perform additional matchings to account for spelling errors. For characters beyond the ASCII repertoire, this may e.g. include ignoring the accents on received IRIs or resource names where appropriate. Please note that such mappings, including case mappings, are language-dependent. It may seem to be difficult to unambiguously identify a resource if too many mappings are taken into consideration. This can indeed be the case. However, IRIs escaped to URIs and non-escaped IRIs can always clearly be distinguished. Also, the regularity of UTF-8 makes the potential for collisions lower than it may seem at first sight. 4.7 Transportation of URI/IRIs in document formats Document formats that transport URIs may need to be upgraded to allow the transport of IRIs. In those cases where the document as a whole has a native character encoding, IRIs should also be encoded in this encoding, and converted accordingly by a parser or interpreter. IRI characters that are not expressible in the native encoding should be escaped according to Section 2.2, or may be escaped in another way if the document format provides a way to do this. For example, in HTML, XML, or SGML, numeric character references can be used. Please note that an interpretation of characters in URIs outside the ASCII repertoire as IRIs, conforming to this specification, is already defined as error behavior in HTML 4.0 [HTML4] and in XML 1.0 [XML1]. Also, it is under discussion to require this behavior from all W3C formats [CharMod]. 5. Upgrading strategy As this recommendation places further constraints on software for which many instances are already deployed, it is important to introduce upgrades carefully, and to be aware of the various interdependencies. If IRIs cannot be interpreted correctly, they should not be generated or transported. This suggests that upgrading URI interpreting software to accept IRIs should have highest priority. On the other hand, a single IRI is interpreted only by a single or very few interpreters that are known in advance, while it may be entered and transported very widely. Therefore, IRIs benefit most from a broad upgrade of software to be able to enter and transport IRIs, but before publishing any individual IRI, care should be taken to upgrade the corresponding interpreting software in order to cover the forms expected to be received by various versions of entry and transport software. The upgrade of generating software to generate IRIs instead of a local encoding should happen only after the service is upgraded to accept IRIs. Similarly, IRIs should only be generated when the service accepts IRIs and the intervening infrastructure and protocol is known to transport them safely. Display software should be upgraded only after upgraded entry software has been widely deployed to the population that will see the displayed result. These recommendations, when taken together, will allow for the extension from URIs to IRIs in order to handle scripts other than ASCII while minimizing interoperability problems. 6. Security Considerations If IRI entry software normalizes the characters entered, but the resource names on the interpreting side are not normalized accordingly, and the interpreting software does not take this into account, there is a possibility of "spoofing". Similar possibilities turn up when interpreting software accepts URIs in various native encodings or allows accents and similar things to be ignored. "Spoofing" means that somebody may add a resource name that looks the same or similar to the user while actually being different, or a resource name that contains the same characters, but in a different encoding. The added resource may pretend to be the real resource by looking very similar, but may contain all kinds of changes that may be difficult to spot but can cause all kinds of problems. Conceptually, this is no different from the problems surrounding the use of case-insensitive web servers. For example, a popular web page with a mixed case name (http://big.site/PopularPage.html) might be "spoofed" by someone who obtains access to (http://big.site/popularpage.html). However, the introduction of character normalization, of additional mappings for user convenience, and of mappings for various encodings may increase the number of spoofing possibilities. In some cases, in particular for Latin-based resource names, this is usually easy to detect because UTF-8-encoded names, when interpreted and viewed as legacy encodings, produce mostly garbage. In other cases, when concurrently used encodings have a similar structure, but there are no characters that have exactly the same encoding, detection is more difficult. A good example may be the concurrent use of Shift_JIS and EUC-JP on a Japanese server. Administrators of large sites which allow independent users to create subareas may need to be careful that the aliasing rules do not create chances for spoofing. 7. Acknowledgements The issue addressed here has been discussed at numerous times over the last many years; for example, there was a thread in the HTML working group in August 1995 (under the topic of "Globalizing URIs") in the www-international mailing list in July 1996 (under the topic of "Internationalization and URLs"), and ad-hoc meetings at the Unicode conferences in September 1995 and September 1997. Thanks to Francois Yergeau, Chris Wendt, Yaron Goland, Graham Klyne, Roy Fielding, M.T. Carrasco Benitez, James Clark, Andrea Vine, and many others for help with understanding the issues and possible solutions. Thanks also to the members of the W3C I18N Working Group and Interest Group for their work on [CharMod]. Special thanks to Makoto MURATA for regularly reminding us when an update was due. 8. Copyright Copyright (C) The Internet Society, 1997. All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." 9. Author's addresses Larry Masinter Adobe Systems Incorporated Mail Stop W14 345 Park Ave San Jose, CA 95110 mailto: LMM@acm.org http://larry.masinter.net Tel: +1 408 536-3024 Martin J. Duerst W3C/Keio University 5322 Endo, Fujisawa 252-8520 Japan duerst@w3.org http://www.w3.org/People/D%C3%BCrst/ Tel/Fax: +81 466 49 1170 Note: The homepage URI of the second author is the escaped form of an IRI. Note: Please write "Duerst" with u-umlaut wherever possible, e.g. as "Dürst" in XML and HTML. 10. References [CharMod] M. Duerst and F. Yergeau, Ed., Character Model for the World Wide Web, , work in progress. [HTML4] "HTML 4.0", World Wide Web Consortium, . [ISO10646] ISO/IEC, Information Technology - Universal Multiple-Octet Coded Character Set (UCS) - Part 1: Architecture and Basic Multilingual Plane, Oct. 2000, with amendments. [IETFNorm] M. Duerst, M. Davis, "Character Normalization in IETF Protocols", Internet Draft, September 2000, , work in progress. [RFC 2119] S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", March 1997. [RFC 2141] R. Moats, "URN Syntax", May 1997. [RFC 2192] C. Newman, "IMAP URL Scheme", September 1997. [RFC 2277] H. Alvestrad, "IETF Policy on Character Sets and Languages". [RFC 2279] F. Yergeau. "UTF-8, a transformation format of ISO 10646.", January 1998. [RFC 2384] R. Gellens, "POP URL Scheme", August 1998. [RFC 2396] T.Berners-Lee, R.Fielding, L.Masinter. "Uniform Resource Identifiers (URI): Generic Syntax." August, 1998. [RFC 2616] R.Fielding, J.Gettys, et al, "Hypertext Transfer Protocol -- HTTP/1.1", June 1999. [RFC 2640] B. Curtis, "Internationalization of the File Transfer Protocol", July 1999. [RFC 2718] L. Masinter, H. Alvestrand, D. Zigmond, R. Petke, "Guidelines for new URL Schemes", November 1999. [RFC 2732] R. Hinden, B. Carpenter, L. Masinter, "Format for Literal IPv6 Addresses in URL's", December 1999. [UNIV3] The Unicode Consortium, "The Unicode Standard Version 3.0", Addison-Wesley, Reading, MA, 2000. [UNI15] M.Davis and M.Duerst, "Unicode Normalization Forms", Unicode Technical Report #15, November 1999. [W3C IRI] Internationalization - URIs and other identifiers . [XML1] "XML 1.0", World Wide Web Consortium Recommendation, .