Network Working Group M. Duerst Internet-Draft W3C Expires: April 25, 2004 M. Suignard Microsoft Corporation October 26, 2003 Internationalized Resource Identifiers (IRIs) draft-duerst-iri-05 Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 25, 2004. Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved. Abstract This document defines a new protocol element, the Internationalized Resource Identifier (IRI), as a complement to the URI [RFCYYYY]. An IRI is a sequence of characters from the Universal Character Set [ISO10646]. A mapping from IRIs to URIs is defined, which means that IRIs can be used instead of URIs where appropriate to identify resources. The approach of defining a new protocol element was chosen, instead of extending or changing the definition of URIs, to allow a clear distinction and to avoid incompatibilities with existing software. Duerst & Suignard Expires April 25, 2004 [Page 1] Internet-Draft Internationalized Resource Identifiers October 2003 Guidelines for the use and deployment of IRIs in various protocols, formats, and software components that now deal with URIs are provided. NOTE This document is a product of the Internationalization Working Group (I18N WG) of the World Wide Web Consortium (W3C). For general discussion, please use the public-iri@w3.org mailing list (publicly archived at http://lists.w3.org/Archives/Public/public-iri/). An issues list for this document is maintained at http://www.w3.org/ International/iri-edit#issues. For more information on the topic of this document, please also see [W3CIRI] and [Duerst01]. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1 Overview and Motivation . . . . . . . . . . . . . . . . . . 4 1.2 Applicability . . . . . . . . . . . . . . . . . . . . . . . 4 1.3 Definitions . . . . . . . . . . . . . . . . . . . . . . . . 5 1.4 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2. IRI Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.1 Summary of IRI Syntax . . . . . . . . . . . . . . . . . . . 7 2.2 ABNF for IRI References and IRIs . . . . . . . . . . . . . . 7 3. Relationship between IRIs and URIs . . . . . . . . . . . . . 10 3.1 Mapping of IRIs to URIs . . . . . . . . . . . . . . . . . . 10 3.2 Converting URIs to IRIs . . . . . . . . . . . . . . . . . . 13 3.2.1 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 14 4. Bidirectional IRIs for Right-to-left Languages . . . . . . . 16 4.1 Logical Storage and Visual Presentation . . . . . . . . . . 16 4.2 Bidi IRI Structure . . . . . . . . . . . . . . . . . . . . . 17 4.3 Input of Bidi IRIs . . . . . . . . . . . . . . . . . . . . . 18 4.4 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 18 5. IRI Equivalence and Comparison . . . . . . . . . . . . . . . 20 5.1 Simple String Comparison . . . . . . . . . . . . . . . . . . 20 5.2 Conversion to URIs . . . . . . . . . . . . . . . . . . . . . 21 5.3 Normalization . . . . . . . . . . . . . . . . . . . . . . . 21 5.4 Preferred Forms . . . . . . . . . . . . . . . . . . . . . . 22 6. Use of IRIs . . . . . . . . . . . . . . . . . . . . . . . . 22 6.1 Limitations on UCS Characters Allowed in IRIs . . . . . . . 23 6.2 Software Interfaces and Protocols . . . . . . . . . . . . . 23 6.3 Format of URIs and IRIs in Documents and Protocols . . . . . 23 6.4 Use of UTF-8 for Encoding Original Characters . . . . . . . 24 6.5 Relative IRI References . . . . . . . . . . . . . . . . . . 25 7. URI/IRI Processing Guidelines (informative) . . . . . . . . 25 7.1 URI/IRI Software Interfaces . . . . . . . . . . . . . . . . 25 7.2 URI/IRI Entry . . . . . . . . . . . . . . . . . . . . . . . 26 7.3 URI/IRI Transfer Between Applications . . . . . . . . . . . 26 Duerst & Suignard Expires April 25, 2004 [Page 2] Internet-Draft Internationalized Resource Identifiers October 2003 7.4 URI/IRI Generation . . . . . . . . . . . . . . . . . . . . . 27 7.5 URI/IRI Selection . . . . . . . . . . . . . . . . . . . . . 27 7.6 Display of URIs/IRIs . . . . . . . . . . . . . . . . . . . . 28 7.7 Interpretation of URIs and IRIs . . . . . . . . . . . . . . 28 7.8 Upgrading Strategy . . . . . . . . . . . . . . . . . . . . . 29 8. Security Considerations . . . . . . . . . . . . . . . . . . 30 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31 Normative References . . . . . . . . . . . . . . . . . . . . 32 Non-normative References . . . . . . . . . . . . . . . . . . 32 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 35 Full Copyright Statement . . . . . . . . . . . . . . . . . . 36 Duerst & Suignard Expires April 25, 2004 [Page 3] Internet-Draft Internationalized Resource Identifiers October 2003 1. Introduction 1.1 Overview and Motivation A URI is defined in [RFCYYYY] as a sequence of characters chosen from a limited subset of the repertoire of US-ASCII characters. The characters in URIs are frequently used for representing words of natural languages. Such usage has many advantages: such URIs are easier to memorize, easier to interpret, easier to transcribe, easier to create, and easier to guess. For most languages other than English, however, the natural script uses characters other than A-Z. For many people, handling Latin characters is as difficult as handling the characters of other scripts is for people who use only the Latin alphabet. Many languages with non-Latin scripts have transcriptions to Latin letters. Such transcriptions are now often used in URIs, but they introduce additional ambiguities. The infrastructure for the appropriate handling of characters from local scripts is now widely deployed in local versions of operating system and application software. Software that can handle a wide variety of scripts and languages at the same time is increasingly widespread. Also, there are increasing numbers of protocols and formats that can carry a wide range of characters. This document defines a new protocol element, called IRI (Internationalized Resource Identifier), by extending the syntax of URIs to a much wider repertoire of characters. It also defines "internationalized" versions corresponding to other constructs from [RFCYYYY], such as URI references. Using characters outside of A-Z in IRIs brings with it some difficulties; a discussion of potential problems and workarounds can be found in the later sections of this document. 1.2 Applicability IRIs are designed to be compatible with recent recommendations for new URI schemes [RFC2718]. The compatibility is provided by specifying a well defined and deterministic mapping from the IRI character sequence to the functionally equivalent URI character sequence. Practical use of IRIs (or IRI references) in place of URIs (or URI references) depends on the following conditions being met: a) The protocol or format element used should be explicitly designated to carry IRIs. That is, the intent is not to introduce IRIs into contexts that are not defined to accept them. For example, XML schema [XMLSchema] has an explicit type Duerst & Suignard Expires April 25, 2004 [Page 4] Internet-Draft Internationalized Resource Identifiers October 2003 "anyURI" that designates the use of IRIs. b) The protocol or format carrying the IRIs should have a mechanism to represent the wide range of characters used in IRIs, either natively or by some protocol- or format-specific escaping mechanism (for example numeric character references in [XML1]). c) The URI corresponding to the IRI in question has to encode original characters into octets using UTF-8. For new URI schemes, this is recommended in [RFC2718]. It can apply to a whole scheme (e.g. IMAP URLs [RFC2192] and POP URLs [RFC2384], or the URN syntax [RFC2141]). It can apply to a specific part of a URI, such as the fragment identifier (e.g. [XPointer]). It can apply to a specific URI or part(s) thereof. For details, please see Section 6.4. 1.3 Definitions The following definitions are used in this document; they follow the terms in [RFC2130], [RFC2277] and [ISO10646]: character: A member of a set of elements used for the organization, control, or representation of data. For example, "LATIN CAPITAL LETTER A" names a character. octet: An ordered sequence of eight bits considered as a unit character repertoire: A set of characters (in the mathematical sense) sequence of characters: A sequence (one after another) of characters sequence of octets: A sequence (one after another) of octets (character) encoding: A method of representing a sequence of characters as a sequence of octets (maybe with variants). A method of (unambiguously) converting a sequence of octets into a sequence of characters. charset: The name of a parameter or attribute used to identify a character encoding. UCS: Universal Character Set; the coded character set defined by [ISO10646] and [UNIV4]. Duerst & Suignard Expires April 25, 2004 [Page 5] Internet-Draft Internationalized Resource Identifiers October 2003 IRI reference: The term "IRI reference" denotes the common usage of an internationalized resource identifier. An IRI reference may be absolute or relative. However, the "IRI" that results from such a reference only includes absolute IRIs; any relative IRIs are resolved to their absolute form. Note that in [RFC2396], URIs did not include fragment identifiers, but in [RFCYYYY], fragment identifiers are part of URIs. running text: Human text (paragraphs, sentences, phrases) with syntax according to orthographic conventions of a natural language, as opposed to syntax defined for ease of processing by machines (markup, programming languages,...). 1.4 Notation RFCs and Internet Drafts currently do not allow any characters outside the US-ASCII repertoire. Therefore, this document uses various special notations to denote such characters in examples. In text, characters outside US-ASCII are sometimes referenced by using a prefix of 'U+', followed by four to six hexadecimal digits. To represent characters outside US-ASCII in examples, this document uses two notations called 'XML Notation' and 'Bidi Notation'. XML Notation uses leading '&#x', trailing ';', and the hexadecimal number of the character in the UCS in between. Example: я stands for CYRILLIC CAPITAL LETTER YA. In this notation, an actual '&' is denoted by '&'. Bidi Notation is used for bidirectional examples: lower case ASCII letters stand for Latin letters or other letters that are written left-to-right, whereas upper case letters represent Arabic or Hebrew letters that are written right-to-left. To denote actual octets in examples (as opposed to escaped octets), the two hex digits denoting the octet are enclosed in "<" and ">". For example, the octet often denoted as 0xc9 is denoted here as . The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. IRI Syntax This section defines the syntax of Internationalized Resource Identifiers (IRIs). Duerst & Suignard Expires April 25, 2004 [Page 6] Internet-Draft Internationalized Resource Identifiers October 2003 As with URIs, an IRI is defined as a sequence of characters, not as a sequence of octets. This definition accommodates the fact that IRIs may be written on paper or read over the radio as well as being stored or transmitted digitally. The same IRI may be represented as different sequences of octets in different protocols or documents if these protocols or documents use different character encodings (and/ or transfer encodings). Using the same character encoding as the containing protocol or document assures that the characters in the IRI can be handled (searched, converted, displayed,...) in the same way as the rest of the protocol or document. 2.1 Summary of IRI Syntax IRIs are defined similarly to URIs in [RFCYYYY], but the class of unreserved characters is extended by adding the characters of the UCS (Universal Character Set, [ISO10646]) beyond U+007F, subject to the limitations given in the syntax rules below and in Section 6.1. Otherwise, the syntax and use of components and reserved characters is the same as that in [RFCYYYY]. All the operations defined in [RFCYYYY], such as the resolution of relative URIs, can be applied to IRIs by IRI-processing software in exactly the same way as this is done to URIs by URI-processing software. Characters outside the US-ASCII range are not reserved and therefore MUST NOT be used for syntactical purposes such as to delimit components in newly defined schemes. As an example, it is not allowed to use U+00A2, CENT SIGN, as a delimiter in IRIs, because it is in the 'iunreserved' category, in the same way as it is not possible to use '-' as a delimiter, because it is in the 'unreserved' category in URIs. 2.2 ABNF for IRI References and IRIs While it might be possible to define IRI references and IRIs merely by their transformation to URI references and URIs, they can also be accepted and processed directly. Therefore, an ABNF definition for IRI references (which are the most general concept and the start of the grammar) and IRIs is given here. The syntax of this ABNF is described in [RFC2234]. Character numbers are taken from the UCS, without implying any actual binary encoding. Terminals in the ABNF are characters, not bytes. The following rules are different from [RFCYYYY]: IRI-reference = IRI / relative-IRI IRI = scheme ":" ihier-part [ "?" iquery ] [ "#" ifragment ] Duerst & Suignard Expires April 25, 2004 [Page 7] Internet-Draft Internationalized Resource Identifiers October 2003 absolute-IRI = scheme ":" ihier-part [ "?" iquery ] relative-IRI = ihier-part [ "?" iquery ] [ "#" ifragment ] ihier-part = inet-path / iabs-path / irel-path inet-path = "//" iauthority [ iabs-path ] iabs-path = "/" ipath-segments irel-path = ipath-segments iauthority = [ iuserinfo "@" ] ihost [ ":" port ] iuserinfo = *( iunreserved / escaped / ";" / ":" / "&" / "=" / "+" / "$" / "," ) ihost = [ IPv6reference / IPv4address / ihostname ] ihostname = idomainlabel iqualified iqualified = *( "." idomainlabel ) [ "." ] idomainlabel = <> ipath-segments = ipath-segment *( "/" ipath-segment ) ipath-segment = *ipchar ipchar = iunreserved / escaped / ";" / ":" / "@" / "&" / "=" / "+" / "$" / "," iquery = *( ipchar / iprivate / "/" / "?" ) ifragment = *( ipchar / "/" / "?" ) iric = reserved / iunreserved / escaped iunreserved = unreserved / ucschar ucschar = %xA0-D7FF / %xF900-FDCF / %xFDF0-FFEF / / %x10000-1FFFD / %x20000-2FFFD / %x30000-3FFFD / %x40000-4FFFD / %x50000-5FFFD / %x60000-6FFFD / %x70000-7FFFD / %x80000-8FFFD / %x90000-9FFFD / %xA0000-AFFFD / %xB0000-BFFFD / %xC0000-CFFFD / %xD0000-DFFFD / %xE1000-EFFFD iprivate = %xE000-F8FF / %xF0000-FFFFD / %x100000-10FFFD Duerst & Suignard Expires April 25, 2004 [Page 8] Internet-Draft Internationalized Resource Identifiers October 2003 The 'idomainlabel' production rule is as follows: The value 'idomainlabel' is defined as a string of 'ucschar' obeying the following rules: a) Given a string of 'ucschar' values, the ToASCII operation [RFC3490] is performed on that string with the flag UseSTD3ASCIIRules set to TRUE and the flag AllowUnassigned set to FALSE for creating IRIs and set to TRUE otherwise. b) ToASCII is successful. (Note: This means that its output conforms to 'domainlabel' as defined below.) The following are the same as [RFCYYYY]: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) port = *DIGIT domainlabel = alphanum [ 0*61( alphanum | "-" ) alphanum ] alphanum = ALPHA / DIGIT IPv4address = dec-octet "." dec-octet "." dec-octet "." dec-octet dec-octet = DIGIT ; 0-9 / ( %x31-39 DIGIT ) ; 10-99 / ( "1" 2DIGIT ) ; 100-199 / ( "2" %x30-34 DIGIT ) ; 200-249 / ( "25" %x30-35 ) ; 250-255 IPv6reference = "[" IPv6address "]" IPv6address = 6( h4 ":" ) ls32 / "::" 5( h4 ":" ) ls32 / [ h4 ] "::" 4( h4 ":" ) ls32 / [ *1( h4 ":" ) h4 ] "::" 3( h4 ":" ) ls32 / [ *2( h4 ":" ) h4 ] "::" 2( h4 ":" ) ls32 / [ *3( h4 ":" ) h4 ] "::" h4 ":" ls32 / [ *4( h4 ":" ) h4 ] "::" ls32 / [ *5( h4 ":" ) h4 ] "::" h4 / [ *6( h4 ":" ) h4 ] "::" h4 = 1*4HEXDIG ls32 = ( h4 ":" h4 ) / IPv4address reserved = "/" / "?" / "#" / "[" / "]" / ";" / ":" / "@" / "&" / "=" / "+" / "$" / "," Duerst & Suignard Expires April 25, 2004 [Page 9] Internet-Draft Internationalized Resource Identifiers October 2003 unreserved = ALPHA / DIGIT / mark mark = "-" / "_" / "." / "!" / "~" / "*" / "'" / "(" / ")" escaped = "%" HEXDIG HEXDIG 3. Relationship between IRIs and URIs IRIs are meant to replace URIs in identifying resources for protocols, formats and software components which use a UCS-based character repertoire. These protocols and components may never need to use URIs directly, especially when the resource identifier is used simply for identification purposes. However, when the resource identifier is used for resource retrieval, it is in many cases necessary to determine the associated URI because most retrieval mechanisms currently only are defined for URIs. (Additional rationale is given in Section 3.1.) 3.1 Mapping of IRIs to URIs This section defines how to map an IRI to a URI. Everything in this section applies also to IRI references and URI references, as well as components thereof (for example fragment identifiers). This mapping has two purposes: a) Syntactical: Many URI schemes and components define additional syntactical restrictions not captured in Section 2.2. Such restrictions can be applied to IRIs by noting that IRIs are only valid if they map to syntactically valid URIs. This means that such syntactical restrictions do not have to be defined again on the IRI level. b) Interpretational: URIs identify resources in various ways. IRIs also identify resources. When the IRI is used solely for identification purposes, it is not necessary to map the IRI to a URI (see Section 5). However, when an IRI is used for resource retrieval, the resource that the IRI locates is the same as the one located by the URI obtained after converting the IRI according to the procedure defined here. This means that there is no need to define resolution separately on the IRI level. Applications MUST map IRIs to URIs using the following two steps. Step 1) This step generates a UCS-based encoding from the original Duerst & Suignard Expires April 25, 2004 [Page 10] Internet-Draft Internationalized Resource Identifiers October 2003 IRI format. This step has three variants, depending on the form of the input. Variant A) If the IRI is written on paper or read out loud, or otherwise represented as a sequence of characters independent of any encoding: Represent the IRI as a sequence of characters from the UCS normalized according to Normalization Form C (NFC, [UTR15]). Variant B) If the IRI is in some digital representation (e.g. an octet stream) in some known non-Unicode encoding: Convert the IRI to a sequence of characters from the UCS normalized according to NFC. Variant C) If the IRI is in an Unicode-based encoding (for example UTF-8 or UTF-16): Do not normalize. Move directly to Step 2. Step 2) If the IRI contains an 'ihostname' part, replace this 'ihostname' part by the part converted using the ToASCII operation specified in Section 4.1 of [RFC3490], with the flag UseSTD3ASCIIRules set to TRUE and the flag AllowUnassigned set to FALSE for creating IRIs and set to TRUE otherwise. The ToASCII operation may fail, but only if the IRI does not conform to the rules in Section 2.2. Step 3) For each character that is disallowed in URI references, apply steps 1) through 3) below. The disallowed characters consist of all non-ASCII characters allowed in IRIs. 1) Convert the character to a sequence of one or more octets using UTF-8 [RFCXXXX]. 2) Convert each octet to %HH, where HH is the hexadecimal notation of the octet value. Note: This is identical to the escaping mechanism in Section 2.4.1 of [RFCYYYY]. To reduce variability, the hexadecimal notation SHOULD use upper case letters. 3) Replace the original character by the resulting character sequence (i.e. a sequence of %HH triplets). The above mapping from IRIs to URIs produces URIs fully conforming to [RFCYYYY]. The mapping is also an identity transformation for URIs and is idempotent -- applying the mapping a second time will not change anything. Every URI is by definition an IRI. Infrastructure accepting IRIs MAY also deal with 'ihostname' parts Duerst & Suignard Expires April 25, 2004 [Page 11] Internet-Draft Internationalized Resource Identifiers October 2003 escaped according to Step 3) rather than Step 2). For example, Step 2) converts the IRI http://résumé.example.org to http://xn--rsum-bpad.example.org. For backward compatibility, http://r%C3%A9sum%C3%A9.example.org would also be converted to http://xn--rsum-bpad.example.org. Infrastructure accepting IRIs MAY also deal with the printable characters in US-ASCII that are not allowed in URIs, namely "<", ">", '"', Space, "{", "}", "|", "\", "^", and "`", in step 3) above. If such characters are found but are not converted, then the conversion SHOULD fail. Please note that the number sign ("#"), the percent sign ("%"), and the square bracket characters ("[", "]") are not part of the above list, and MUST NOT be converted. Protocols and formats that have used earlier definitions of IRIs including these characters MAY require unescaping of these characters as a preprocessing step to extract the actual IRI from a given field. Such preprocessing MAY also be used by applications allowing the user to enter an IRI. Internationalized Domain Names may be contained in parts of an IRI other than the 'ihostname' part. In this case, Step 2) is not used, but Step 3) is applied. This is important to maintain uniform treatment of URIs. See [Gettys] for an in- depth discussion. It is the responsibility of scheme-specific implementations (if the Internationalized Domain Name is part of the scheme syntax) or of server-side implementations (if the Internationalized Domain Name is part of 'iquery') to apply the necessary conversions at the appropriate point. Example: Trying to validate the Web page at http://résumé.example.org would lead to an IRI of http://validator.w3.org/ check?uri=http%3A%2F%2Frésumé.example.org, which would convert to a URI of http://validator.w3.org/ check?uri=http%3A%2F%2Fr%C3%A9sum%C3%A9.example.org. The server side implementation would be responsible to do the necessary conversions in order to be able to retrieve the Web page. In this process (in step 3.3), characters allowed in URI references as well as existing escape sequences are not escaped further. (This mapping is similar to, but different from, the escaping applied when including arbitrary content into some part of a URI.) For example, an IRI of http://www.example.org/red%09rosé#red (in XML notation) is converted to http://www.example.org/red%09ros%C3%A9#red, not to something like Duerst & Suignard Expires April 25, 2004 [Page 12] Internet-Draft Internationalized Resource Identifiers October 2003 http%3A%2F%2Fwww.example.org%2Fred%2509ros%C3%A9%23red. Some older software transcoding to UTF-8 may produce illegal output for some input, in particular for characters outside the BMP (Basic Multilingual Plane). As an example, for the following IRI with non-BMP characters (in XML Notation): http://example.com/𐌀𐌁𐌂 (the first three letters of the Old Italic alphabet) the correct conversion to a URI is: http://example.com/%F0%90%8C%80%F0%90%8C%81%F0%90%8C%82 3.2 Converting URIs to IRIs In some situations, it may be desirable to try to convert a URI into an equivalent IRI. This section gives a procedure to do such a conversion. The conversion described in this section will always result in an IRI which maps back to the URI that was used as an input for the conversion (except for potential case differences in escape sequences). However, the IRI resulting from this conversion may not be exactly the same as the original IRI (if there ever was one). URI to IRI conversion removes escape sequences, but not all escaping can be eliminated. There are several reasons for this: a) Some escape sequences are necessary to distinguish escaped and unescaped uses of reserved characters. b) Some escape sequences cannot be interpreted as sequences of UTF-8 octets. (Note: The octet patterns of UTF-8 are highly regular. Therefore, there is a very high probability, but no guarantee, that escape sequences that can be interpreted as sequences of UTF-8 octets actually originated from UTF-8. For a detailed discussion, see [Duerst97].) c) The conversion may result in a character that is not appropriate in an IRI. See Section 6.1 for further details. Conversion from a URI to an IRI is done using the following steps (or any other algorithm that produces the same result): 1) Represent the URI as a sequence of octets in US-ASCII. 2) Apply the ToUnicode operation to each 'domainlabel' in the 'hostname' part (if there is one), representing the output as UTF-8. Duerst & Suignard Expires April 25, 2004 [Page 13] Internet-Draft Internationalized Resource Identifiers October 2003 3) Convert all hexadecimal escapes (% followed by two hexadecimal digits) except those corresponding to '%', characters in 'reserved', and characters in US-ASCII not allowed in URIs, to the corresponding octets. 4) Re-escape any octet produced in step 3) that is not part of a strictly legal UTF-8 octet sequence. 5) Re-escape all octets produced in step 3) that in UTF-8 represent characters that are not appropriate according to Section 4.1 and Section 6.1. 6) Interpret the resulting octet sequence as a sequence of characters encoded in UTF-8. This procedure will convert as many escaped non-ASCII characters as possible to characters in an IRI. Because there are some choices when applying step 5) (see Section 6.1), results may vary. Conversions from URIs to IRIs MUST NOT use any other encoding than UTF-8 in steps 2), 4) and 5) above, even if it might be possible from context to guess that another encoding than UTF-8 was used in the URI. As an example, the URI http://www.example.org/r%E9sum%E9.html might with some guessing be interpreted to contain two e-acute characters encoded as iso-8859-1. It must not be converted to an IRI containing these e-acute characters. Otherwise, the IRI will in the future be mapped to http://www.example.org/r%C3%A9sum%C3%A9.html, which is a different URI from http://www.example.org/r%E9sum%E9.html. 3.2.1 Examples This section shows various examples of converting URIs to IRIs. The notation is used to denote octets outside those that can be represented in this document. Each example shows the result after applying each of the steps 1) to 6). XML Notation is used for the final result. The following example contains the sequence '%C3%BC', which is a strictly legal UTF-8 sequence, and which is converted into the actual character U+00FC LATIN SMALL LETTER U WITH DIAERESIS (also known as u-umlaut). 1) http://www.example.org/D%C3%BCrst 2) http://www.example.org/D%C3%BCrst 3) http://www.example.org/Drst Duerst & Suignard Expires April 25, 2004 [Page 14] Internet-Draft Internationalized Resource Identifiers October 2003 4) http://www.example.org/Drst 5) http://www.example.org/Drst 6) http://www.example.org/Dürst The following example contains the sequence '%FC', which might represent U+00FC LATIN SMALL LETTER U WITH DIAERESIS in the iso-8859-1 encoding. (It might represent other characters in other encodings. For example, the octet in iso-8859-5 represents U+045C CYRILLIC SMALL LETTER KJE.) Because is not part of a strictly legal UTF-8 sequence, it is re-escaped in step 2). 1) http://www.example.org/D%FCrst 2) http://www.example.org/D%FCrst 3) http://www.example.org/Drst 4) http://www.example.org/D%FCrst 5) http://www.example.org/D%FCrst 6) http://www.example.org/D%FCrst The following example contains '%e2%80%ae', which is the escaped UTF-8 encoding of U+202E, RIGHT-TO-LEFT OVERRIDE. Section 4.1 forbids the direct use of this character in an IRI. Therefore, the corresponding octets are re-escaped in step 5). This example shows that the case (upper or lower) of letters used in escapes may not be preserved. The example also contains a punycode-encoded domain name label (xn--99zt52a), which is converted to the corresponding characters U+7D0D U+8C46 (Japanese Natto). 1) http://xn--99zt52a.example.org/%e2%80%ae 2) http://<8d><86>.example.org/%e2%80%ae 3) http://<8d><86>.example.org/<80> 4) http://<8d><86>.example.org/<80> 5) http://<8d><86>.example.org/%E2%80%AE 6) http://納豆.example.org/%E2%80%AE Duerst & Suignard Expires April 25, 2004 [Page 15] Internet-Draft Internationalized Resource Identifiers October 2003 4. Bidirectional IRIs for Right-to-left Languages Some UCS characters, such as those used in the Arabic and Hebrew script, have an inherent right-to-left (rtl) writing direction. IRIs containing such characters (called bidirectional IRIs or Bidi IRIs) require additional attention because of the non-trivial relation between logical representation (used for digital representation as well as when reading/spelling) and visual representation (used for display/printing). Because of the complex interaction between the logical representation, the visual representation, and the syntax of a Bidi IRI, a balance is needed between various requirements. The main requirements are: 1) user-predictable conversion between visual and logical representation; 2) the ability to include a wide range of characters in various parts of the IRI; 3) minor or no changes or restrictions for implementations. 4.1 Logical Storage and Visual Presentation When stored or transmitted in digital representation, bidirectional IRIs MUST be in full logical order, and MUST conform to the IRI syntax rules (which includes the rules relevant to their scheme). This assures that bidirectional IRIs can be processed in the same way as other IRIs. When rendered, bidirectional IRIs MUST be rendered using the Unicode Bidirectional Algorithm [UNIV4], [UNI9]. Bidirectional IRIs MUST be rendered with an overall left-to-right (ltr) direction. In text with a left-to-right base directionality or embedding (such as used for English or Cyrillic), the Unicode Bidirectional Algorithm will automatically use an overall ltr direction for the IRI. In text with a rtl base directionality or embedding (such as used for Arabic or Hebrew), setting a different embedding direction for the IRI is needed. Setting the embedding direction can be done in a higher- order protocol (e.g. the dir='ltr' attribute in HTML). If this is not available (e.g. in plain text), setting the embedding is done with Unicode bidi formatting codes, i.e. U+202A, LEFT-TO-RIGHT EMBEDDING (LRE) before the IRI, and U+202C, POP DIRECTIONAL FORMATTING (PDF) after the IRI, both not being part of the IRI itself. Duerst & Suignard Expires April 25, 2004 [Page 16] Internet-Draft Internationalized Resource Identifiers October 2003 IRIs MUST NOT contain bidirectional formatting characters (LRM, RLM, LRE, RLE, LRO, RLO, and PDF). They affect the visual rendering of the IRI, but do not themselves appear visually. It would therefore not be possible to correctly input an IRI with such characters. 4.2 Bidi IRI Structure The Unicode Bidirectional Algorithm is designed mainly for running text. To make sure that it does not affect the rendering of bidirectional IRIs too much, some restrictions on bidirectional IRIs are necessary. These restrictions are given in terms of delimiters (structural characters, mostly punctuation such as '@', '.', ':', '/') and components (usually consisting mostly of letters and digits). The following syntax rules from Section 2.2 correspond to components for the purpose of Bidi behavior: iuserinfo, ipath-segment, ihostname, iquery, and ifragment. Specifications that define the syntax of any of the above components MAY divide them further and define smaller parts to be components according to this document. As an example, the restrictions of [RFC3490] on bidirectional domain names correspond to treating each label of the domain name as a component. Even where the components are not defined formally, it may be helpful to think about some syntax in terms of components and to apply the relevant restrictions. For example, for the usual name/value syntax in query parts, it is convenient to treat each name and each value as a component. As another example, the extensions in a resource name can be treated as separate components. For each component, the following restrictions apply: 1) A component SHOULD NOT not use both right-to-left and left-to- right characters. 2) A component using right-to-left characters SHOULD start and end with right-to-left characters. The above restrictions are given as shoulds, rather than as musts. For IRIs that are never presented visually, they are not relevant. However, for IRIs in general, they are very important to insure consistent conversion between visual presentation and logical representation, in both directions. In some components, the above restrictions may actually be strictly enforced. For example, [RFC3490] requires that these restrictions apply to the labels of the host name part of an Duerst & Suignard Expires April 25, 2004 [Page 17] Internet-Draft Internationalized Resource Identifiers October 2003 IRI. In some other components, for example path components, following these restrictions may not be too difficult. For other components, such as parts of the query part, it may be very difficult to enforce the restrictions, because the values of query parameters may be arbitrary character sequences. If the above restrictions cannot be satisfied otherwise, the affected component can always be mapped to URI notation as described in Section 3.1. Please note that the whole component needs to be mapped (see also Example 9 below). 4.3 Input of Bidi IRIs Bidi input methods MUST generate Bidi IRIs in logical order while rendering them according to Section 4.1. During input, rendering SHOULD be updated after every new character that is input to avoid end user confusion. 4.4 Examples This section gives examples of bidirectional IRIs, in Bidi Notation. It shows legal IRIs with the relationship between logical and visual representation, and explains how certain phenomena in this relationship may look strange to somebody not familiar with bidirectional behavior, but familiar to users of Arabic and Hebrew. It also shows what happens if the restrictions given in Section 4.2 are not followed. The examples below can be seen at [BidiEx], in Arabic, Hebrew, and Bidi Notation variants. To read the bidi text in the examples, read the visual representation from left to right until you encounter a block of rtl text. Read the rtl block (including slashes and other special characters) from right to left, then continue at the next unread ltr character. Example 1: A single component with rtl characters is inverted: logical representation: http://ab.CDEFGH.ij/kl/mn/op.html visual representation: http://ab.HGFEDC.ij/kl/mn/op.html Components can be read one-by-one, and each component can be read in its natural direction. Example 2: More than one consecutive component with rtl characters is inverted as a whole: logical representation: http://ab.CDE.FGH/ij/kl/mn/op.html visual representation: http://ab.HGF.EDC/ij/kl/mn/op.html A sequence of rtl components is read rtl, in the same way as a sequence of rtl words is read rtl in a bidi text. Example 3: All components of an IRI (except for the scheme) are rtl. Duerst & Suignard Expires April 25, 2004 [Page 18] Internet-Draft Internationalized Resource Identifiers October 2003 All rtl components are inverted overall: logical representation: http://AB.CD.EF/GH/IJ/KL?MN=OP;QR=ST#UV visual representation: http://VU#TS=RQ;PO=NM?LK/JI/HG/FE.DC.BA The whole IRI (except the scheme) is read rtl. Delimiters between rtl components stay between the respective components; delimiters between ltr and rtl components don't move. Example 4: Several sequences of rtl components are each inverted on their own: logical representation: http://AB.CD.ef/gh/IJ/KL.html visual representation: http://DC.BA.ef/gh/LK/JI.html Each sequence of rtl components is read rtl, in the same way as each sequence of rtl words in an ltr text is read rtl. Example 5: Example 2, applied to components of different kinds: logical representation: http://ab.cd.EF/GH/ij/kl.html visual representation: http://ab.cd.HG/FE/ij/kl.html The inversion of the domain name label and the path component may be unexpected, but is consistent with other bidi behavior. For reassurance that the domain component really is "ab.cd.EF", it may be helpful to read aloud the visual representation following the bidi algorithm. After "http://ab.cd." one reads the RTL block "E-F-slash- G-H", which corresponds to the logical representation. Example 6: Same as example 5, with more rtl components: logical representation: http://ab.CD.EF/GH/IJ/kl.html visual representation: http://ab.JI/HG/FE.DC/kl.html The inversion of the domain name labels and the path components may be easier to identify because the delimiters also move. Example 7: A single rtl component with included digits: logical representation: http://ab.CDE123FGH.ij/kl/mn/op.html visual representation: http://ab.HGF123EDC.ij/kl/mn/op.html Numbers are written ltr in all cases, but are treated as an additional embedding inside a run of rtl characters. This is completely consistent with usual bidirectional text. Example 8 (not allowed): Numbers at the start or end of a rtl component: logical representation: http://ab.cd.ef/GH1/2IJ/KL.html visual representation: http://ab.cd.ef/LK/JI1/2HG.html The sequence '1/2' is interpreted by the bidi algorithm as a fraction, fragmenting the components and leading to confusion. There are other characters that are interpreted in a special way close to numbers, in particular '+', '-', '#', '$', '%', ',', '.', and ':'. Example 9 (not allowed): The numbers in the previous example are escaped: Duerst & Suignard Expires April 25, 2004 [Page 19] Internet-Draft Internationalized Resource Identifiers October 2003 logical representation: http://ab.cd.ef/GH%31/%32IJ/KL.html, visual representation (Hebrew): http://ab.cd.ef/LK/JI%32/%31HG.html visual representation (Arabic): http://ab.cd.ef/LK/JI32%/31%HG.html Depending on whether the upper-case letters represent Arabic or Hebrew, the visual representation is different. Example 10 (allowed, but not recommended): logical representation: http://ab.CDEFGH.123/kl/mn/op.html visual representation: http://ab.123.HGFEDC/kl/mn/op.html Components consisting of only numbers are allowed (it would be rather difficult to prohibit them), but may interact with adjacent RTL components in ways that are not easy to predict. 5. IRI Equivalence and Comparison This section discusses IRI Equivalence and Comparison similar to Section 6, "Normalization and Comparison", in [RFCYYYY]. This section focuses on the main issues and on aspects that are different from [RFCYYYY]; Section 6 of [RFCYYYY] is recommended background reading. There is no general rule or procedure to decide whether two arbitrary IRIs are equivalent or not (i.e. whether they refer to the same resource or not). Two IRIs that look almost the same may refer to different resources. Two IRIs that look completely different may refer to the same resource. Each specification or application that uses IRIs has to decide on the appropriate criterion for IRI equivalence. 5.1 Simple String Comparison In some scenarios a definite answer to the question of IRI equivalence is needed that is independent of the scheme used and always can be calculated quickly and without accessing a network. An example of such a case is XML Namespaces ([XMLNamespace]). In such cases, two IRIs SHOULD be defined as equivalent if and only if they are character-by-character equivalent. This is the same as being byte-by-byte equivalent if the character encoding for both IRIs is the same. As an example, http://example.org/~user, http://example.org/%7euser, and http://example.org/%7Euser are not equivalent under this definition. In such a case, the comparison function MUST NOT map IRIs to URIs, because such a mapping would create additional spurious equivalences. It follows that IRIs SHOULD NOT be modified when being transported if there is any chance that this IRI might be used as an identifier in the way explained above. Duerst & Suignard Expires April 25, 2004 [Page 20] Internet-Draft Internationalized Resource Identifiers October 2003 5.2 Conversion to URIs For actual resolution, differences in escaping (except for the escaping of reserved characters) MUST always result in the same resource. For example, http://example.org/~user, http://example.org/%7euser and http://example.org/%7Euser must resolve to the same resource. If this kind of equivalence is to be tested, the escaping of both IRIs to be compared has to be aligned, for example by converting both IRIs to URIs (see Section 3.1) and making sure that the case of the hexadecimal characters in the %-escape is always the same (preferably upper case). For comparison, such conversions MUST only be done on the fly, while retaining the original IRI. Additional, similar equivalences are possible based on knowledge about the generic URI/IRI syntax, such as the fact that the scheme part is case-insensitive. 5.3 Normalization The Unicode Standard [UNIV4] defines various equivalences between sequences of characters for various purposes. Unicode Standard Annex #15 [UTR15] defines various Normalization Forms for these equivalences, in particular Normalization Form C (NFC, Canonical Decomposition, followed by Canonical Composition) and Normalization Form KC (NFKC, Compatibility Decomposition, followed by Canonical Composition). Equivalence of IRIs MUST rely on the assumption that IRIs are appropriately pre-normalized, rather than applying normalization when comparing two IRIs. The exceptions are conversion from a non-digital form, and conversion from a non-UCS-based encoding to an UCS-based encoding. In these cases, NFC or a normalizing transcoder using NFC MUST be used for interoperability. To avoid false negatives and problems with transcoding, IRIs SHOULD be created using NFC. Using NFKC may avoid even more problems, for example by choosing half-width Latin letters instead of full-width, and full-width Katakana instead of half-width. As an example, http://www.example.org/résumé.html (in XML Notation) is in NFC. On the other hand, http://www.example.org/ résumé.html is not in NFC. The former uses precombined e-acute characters, the later uses 'e' characters followed by combining acute accents. Both usages are defined to be canonically equivalent in [UNIV4]. Because it is unknow how a particular field is being treated Duerst & Suignard Expires April 25, 2004 [Page 21] Internet-Draft Internationalized Resource Identifiers October 2003 with respect to text normalization, it would be inappropriate to allow third parties to normalize an IRI arbitrarily. This does not contradict the recommendation that when a resource is created, and an IRI for that resource, you try to be as normalized as possible (i.e. NFC or even NFKC). This is similar to the upper-case/lower-case problems in URIs. Some parts of a URI are case-insensitive (domain name). For others, it is unclear whether they are case-sensitive or case- insensitive, or something in between (e.g. case-sensitive, but if the wrong case is used, a multiple choice selection is provided instead of a direct negative result). The best recipe is that the generator uses a reasonable capitalization, and when transfering the URI, that capitalization is never changed. Various IRI schemes may allow the usage of International Domain Names (IDN) [RFC3490]. When in use in IRIs, those names SHOULD be validated using the ToASCII operation defined in [RFC3490], with the flags "UseSTD3ASCIIRules" and "AllowUnassigned". An IRI containing an invalid IDN cannot successfully be resolved. For legibility purposes, IDN components of IRIs SHOULD NOT be converted into ASCII Compatible Encoding (ACE). However, this conversion is applied when mapping an IRI into a URI, see Section 3.1. 5.4 Preferred Forms The following are the preferred forms for IRIs when generated: - Always provide the URI scheme in lowercase characters. - Only perform percent-escaping where it is essential. - Always use uppercase A-through-F characters when percent- escaping. - Always provide the hostname, if any, in the form produced when applying nameprep [RFC3491]. This in particular includes using lowercase characters rather than uppercase characters where applicable. - Where possible, provide IRI components in NFKC or NFC. - Prevent /./ and /../ from appearing in non-relative URI paths. 6. Use of IRIs Duerst & Suignard Expires April 25, 2004 [Page 22] Internet-Draft Internationalized Resource Identifiers October 2003 6.1 Limitations on UCS Characters Allowed in IRIs This section discusses limitations on characters and character sequences usable for IRIs. The considerations in this section are relevant when creating IRIs and when converting from URIs to IRIs. a) The repertoire of characters allowed in each IRI component is limited by the definition of that component. For example, the definition of the scheme component does not allow characters beyond US-ASCII. (Note: In accordance with URI practice, generic IRI software cannot and should not check for such limitations.) b) The UCS contains many areas of characters for which there are strong visual look-alikes. Because of the likelihood of transcription errors, these also should be avoided. This includes the full-width equivalents of ASCII characters, half- width Katakana characters for Japanese, and many others. This also includes many look-alikes of "space", "delims", and "unwise", characters excluded in [RFC3491]. Additional information is available from [UNIXML]. [UNIXML] is written in the context of running text rather than in the context of identifiers. Nevertheless, it discusses many of the categories of characters not appropriate for IRIs. 6.2 Software Interfaces and Protocols Although an IRI is defined as a sequence of characters, software interfaces for URIs typically function on sequences of octets or other kinds of code units. Thus, software interfaces and protocols MUST define which character encoding is used. Intermediate software interfaces between IRI-capable components and URI-only components MUST map the IRIs per Section 3.1, when transferring from IRI-capable to URI-only components. Such a mapping SHOULD be applied as late as possible. It SHOULD NOT be applied between components that are known to be able to handle IRIs. 6.3 Format of URIs and IRIs in Documents and Protocols Document formats that transport URIs may need to be upgraded to allow the transport of IRIs. In those cases where the document as a whole has a native character encoding, IRIs MUST also be encoded in this encoding, and converted accordingly by a parser or interpreter. IRI characters that are not expressible in the native encoding SHOULD be escaped using the escaping conventions of the document format if such Duerst & Suignard Expires April 25, 2004 [Page 23] Internet-Draft Internationalized Resource Identifiers October 2003 conventions are available. Alternatively, they MAY be escaped according to Section 3.1. For example, in HTML or XML, numeric character references SHOULD be used. If a document as a whole has a native character encoding, and that character encoding is not UTF-8, then IRIs MUST NOT be placed into the document in the UTF-8 character encoding. Note: Some formats already accommodate IRIs, although they use different terminology. HTML 4.0 [HTML4] defines the conversion from IRIs to URIs as error-avoiding behavior. XML 1.0 [XML1], XLink [XLink], and XML Schema [XMLSchema] and specifications based upon them allow IRIs. Also, it is expected that all relevant new W3C formats and protocols will be required to handle IRIs [CharMod]. 6.4 Use of UTF-8 for Encoding Original Characters This section discusses details and gives examples for point c) in Section 1.2. In order to be able to use IRIs, the URI corresponding to the IRI in question has to encode original characters into octets using UTF-8. This can be specified for all URIs of a URI scheme, or can apply to individual URIs for schemes that do not specify how to encode original characters. It can apply to the whole URI, or only some part. For new URI schemes, using UTF-8 is recommended in [RFC2718]. Examples where this is already used are the URN syntax [RFC2141], IMAP URLs [RFC2192], and POP URLs [RFC2384]. On the other hand, because the HTTP URL scheme does not specify how to encode original characters, only some HTTP URLs can have corresponding but different IRIs. For example, for a document with a URI of http://www.example.org/r%C3%A9sum%C3%A9.html, it is possible to construct a corresponding IRI (in XML notation, see Section 1.4): http://www.example.org/résumé.html (é stands for the e-acute character, and %C3%A9 is the UTF-8 encoded and escaped representation of that character). On the other hand, for a document with a URI of http://www.example.org/r%E9sum%E9.html, the escaped octets cannot be converted to actual characters in an IRI, because the escaping is not based on UTF-8. The requirement for the use of UTF-8 applies to all parts of a URI, with the exception of the ihostname part. However, it is possible that the capability of IRIs to represent a wide range of characters directly is used just in some parts of the IRI (or IRI reference). The other parts of the IRI may only contain ASCII characters, or they may not be based on UTF-8. They may be based on another encoding, or they may directly encode raw binary data (see also [RFC2397]). Duerst & Suignard Expires April 25, 2004 [Page 24] Internet-Draft Internationalized Resource Identifiers October 2003 For example, it is possible to have a URI reference of http://www.example.org/r%E9sum%E9.xml#r%C3%A9sum%C3%A9, where the document name is encoded in iso-8859-1 based on server settings, but the fragment identifier is encoded in UTF-8 according to [XPointer]. The IRI corresponding to the above URI would be (in XML notation) http://www.example.org/r%E9sum%E9.xml#résumé. Similar considerations apply to query parts. The functionality of IRIs (namely to be able to include non-ASCII characters) can only be used if the query part is encoded in UTF-8. 6.5 Relative IRI References Processing of relative forms of IRIs against a base is handled straightforwardly; the algorithms of [RFCYYYY] can be applied directly, treating the characters additionally allowed in IRIs in the same way as unreserved characters in URIs. 7. URI/IRI Processing Guidelines (informative) This informative section provides guidelines for supporting IRIs in the same software components and operations that currently process URIs: software interfaces that handle URIs, software that allows users to enter URIs, software that generates URIs, software that displays URIs, formats and protocols that transport URIs, and software that interprets URIs. These may all require more or less modification before functioning properly with IRIs. The considerations in this section also apply to URI references and IRI references. 7.1 URI/IRI Software Interfaces Software interfaces that handle URIs, such as URI-handling APIs and protocols transferring URIs, need interfaces and protocol elements that are designed to carry IRIs. In case the current handling in an API or protocol is based on US- ASCII, UTF-8 is recommended as the encoding for IRIs, because this is compatible with US-ASCII, is in accordance with the recommendations of [RFC2277], and makes it easy to convert to URIs where necessary. In any case, the API or protocol definition must clearly define the encoding to be used. The transfer from URI-only to IRI-capable components requires no mapping, although the conversion described in Section 3.2 above may be performed. It is preferable not to perform this inverse conversion when there is a chance that this cannot be done correctly. Duerst & Suignard Expires April 25, 2004 [Page 25] Internet-Draft Internationalized Resource Identifiers October 2003 7.2 URI/IRI Entry There are components that allow users to enter URIs into the system, for example by typing or dictation. This software must be updated to allow for IRI entry. A person viewing a visual representation of an IRI (as a sequence of glyphs, in some order, in some visual display) or hearing an IRI, will use a entry method for characters in the user's language to input the IRI. Depending on the script and the input method used, this may be a more or less complicated process. The process of IRI entry must assure, as far as possible, that the restrictions defined in Section 2.2 are met. This may be done by choosing appropriate input methods or variants/settings thereof, by appropriately converting the characters being input, by eliminating characters that cannot be converted, and/or by issuing a warning or error message to the user. As an example of variant settings, input method editors for East Asian Languages usually allow the input of Latin letters and related characters in full-width or half-width versions. For IRI input, the input method editor should be set so that it produces half-width Latin letters, and full-width Katakana. An input field primarily or only used for the input of URIs/IRIs may allow the user to view an IRI as mapped to a URI. Places where the input of IRIs is frequent may provide the possibility for viewing an IRI as mapped to a URI. This will help users when some of the software they use does not yet accept IRIs. An IRI input component that interfaces to components that handle URIs, but not IRIs, must map the IRI to a URI before passing it to such a component. For the input of IRIs with right-to-left characters, please see Section 4.3. 7.3 URI/IRI Transfer Between Applications Many applications, in particular many mail user agents, try to detect URIs appearing in plain text. For this, they use some heuristics based on URI syntax. They then allow the user to click on such URIs and retrieve the corresponding resource in an appropriate (usually scheme-dependent) application. Such applications have to be upgraded to use the IRI syntax rather than the URI syntax as a base for heuristics. In particular, a non- Duerst & Suignard Expires April 25, 2004 [Page 26] Internet-Draft Internationalized Resource Identifiers October 2003 ASCII character should not be taken as the indication of the end of an IRI. Such applications also have to make sure that they correctly convert the detected IRI from the encoding of the document or application where the IRI appears to the encoding used by the system- wide IRI invocation mechanism, or to a URI (according to Section 3.1) if the system-wide invocation mechanism only accepts URIs. The clipboard is another frequently used way to transfer URIs and IRIs from one application to another. On most platforms, the clipboard is able to store and transfer text in many languages and scripts. Correctly used, the clipboard transfers characters, not bytes, which will do the right thing with IRIs. 7.4 URI/IRI Generation Systems that offer resources through the Internet, where those resources have logical names, sometimes automatically generate URIs for the resources they offer. For example, some HTTP servers can generate a directory listing for a file directory, and then respond to the generated URIs with the files. Many legacy character encodings are in use in various file systems. Many currently deployed systems do not transform the local character representation of the underlying system before generating URIs. For maximum interoperability, systems that generate resource identifiers should do the appropriate transformations. For example, if a file system contains a file named résumé.html, a server should expose this as r%C3%A9sum%C3%A9.html in a URI, which allows to use résumé.html in an IRI, even if the file name locally is kept in an encoding other than UTF-8. This recommendation in particular applies to HTTP servers. For FTP servers, similar considerations apply, see in particular [RFC2640]. 7.5 URI/IRI Selection In some cases, resource owners and publishers have control over the IRIs used to identify their resources. Such control is mostly executed by controlling the resource names, such as file names, directly. In such cases, it is recommended to avoid choosing IRIs that are easily confused. For example, for US-ASCII, the lower-case ell "l" is easily confused with the digit one "1", and the upper-case oh "O" is easily confused with the digit zero "0". Publishers should avoid confusing users with "br0ken" or "1ame" identifiers. Duerst & Suignard Expires April 25, 2004 [Page 27] Internet-Draft Internationalized Resource Identifiers October 2003 Outside of the US-ASCII range, there are many more opportunities for confusion; a complete set of guidelines is too lengthy to include here. As long as names are limited to characters from a single script, native writers of a given script or language will know best when ambiguities can appear, and how they can be avoided. What may look ambiguous to a stranger may be completely obvious to the average native user. On the other hand, in some cases, the UCS contains variants for compatibility reasons, for example for typographic purposes. These should be avoided wherever possible. Although there may be exceptions, in general newly created resource names should be in NFKC [UTR15] (which means that they are also in NFC). As an example, the UCS contains the 'fi' ligature at U+FB01 for compatibility reasons. Wherever possible, IRIs should use the two letters 'f' and 'i' rather than the 'fi' ligature. An example where the latter may be used is in the query part of an IRI for an explicit search for a word written containing the 'fi' ligature. In certain cases, there is a chance that characters from different scripts look the same. The best known example is the Latin 'A', the Greek 'Alpha', and the Cyrillic 'A'. To avoid such cases, only IRIs should be generated where all the characters in a single component are used together in a given language. This usually means that all these characters will be from the same script, but there are languages that mix characters from different scripts (such as Japanese). This is similar to the heuristics used to distinguish between letters and numbers in the examples above. Also, for Latin, Greek, and Cyrillic, using lower-case letters results in fewer ambiguities than using upper-case letters. 7.6 Display of URIs/IRIs In situations where the rendering software is not expected to display non-ASCII parts of the IRI correctly using the available layout and font resources, these parts should be escaped before being displayed. For display of Bidi IRIs, please see Section 4.1. 7.7 Interpretation of URIs and IRIs Software that interprets IRIs as the names of local resources should accept IRIs in multiple forms, and convert and match them with the appropriate local resource names. First, multiple representations include both IRIs in the native character encoding of the protocol and also their URI counterparts. Second, it may include URIs constructed based on other character Duerst & Suignard Expires April 25, 2004 [Page 28] Internet-Draft Internationalized Resource Identifiers October 2003 encodings than UTF-8. Such URIs may be produced by user agents that do not conform to this specification and use legacy encodings to convert non-ASCII characters to URIs. Whether this is necessary and what character encodings to cover, depends on a number of factors, such as the legacy character encodings used locally and the distribution of various versions of user agents. For example, software for Japanese may accept URIs in Shift_JIS and/or EUC-JP in addition to UTF-8. Third, it may include additional mappings to be more user-friendly and robust against transmission errors. These would be similar to how currently some servers treat URIs as case-insensitive, or perform additional matching to account for spelling errors. For characters beyond the ASCII repertoire, this may for example include ignoring the accents on received IRIs or resource names where appropriate. Please note that such mappings, including case mappings, are language-dependent. It can be difficult to unambiguously identify a resource if too many mappings are taken into consideration. However, escaped and non- escaped parts of IRIs can always clearly be distinguished. Also, the regularity of UTF-8 (see [Duerst97]) makes the potential for collisions lower than it may seem at first sight. 7.8 Upgrading Strategy Where this recommendation places further constraints on software for which many instances are already deployed, it is important to introduce upgrades carefully, and to be aware of the various interdependencies. If IRIs cannot be interpreted correctly, they should not be generated or transported. This suggests that upgrading URI interpreting software to accept IRIs should have highest priority. On the other hand, a single IRI is interpreted only by a single or very few interpreters that are known in advance, while it may be entered and transported very widely. Therefore, IRIs benefit most from a broad upgrade of software to be able to enter and transport IRIs, but before publishing any individual IRI, care should be taken to upgrade the corresponding interpreting software in order to cover the forms expected to be received by various versions of entry and transport software. The upgrade of generating software to generate IRIs instead of a local encoding should happen only after the service is upgraded to accept IRIs. Similarly, IRIs should only be generated when the Duerst & Suignard Expires April 25, 2004 [Page 29] Internet-Draft Internationalized Resource Identifiers October 2003 service accepts IRIs and the intervening infrastructure and protocol is known to transport them safely. Display software should be upgraded only after upgraded entry software has been widely deployed to the population that will see the displayed result. These recommendations, when taken together, will allow for the extension from URIs to IRIs in order to handle scripts other than ASCII while minimizing interoperability problems. 8. Security Considerations Incorrect escaping or unescaping can lead to security problems. In particular, some UTF-8 decoders do not check against overlong byte sequences. As an example, a '/' is encoded with the byte 0x2F both in UTF-8 and in ASCII, but some UTF-8 decoders also wrongly interpret the sequence 0xC0 0xAF as a '/'. A sequence such as '%C0%AF..' may pass some security tests and then be interpreted as '/..' in a path if UTF-8 decoders are fault-tolerant, if conversion and checking are not done in the right order, and/or if reserved characters and unreserved characters are not clearly distinguished. There are various ways in which "spoofing" can occur with IRIs. "Spoofing" means that somebody may add a resource name that looks the same or similar to the user, but points to a different resource. The added resource may pretend to be the real resource by looking very similar, but may contain all kinds of changes that may be difficult to spot and can cause all kinds of problems. Most spoofing possibilities for IRIs are extensions of those for URIs. Spoofing can occur for various reasons. A first reason is that normalization expectations of a user or actual normalization when entering an IRI, or when transcoding an IRI from a legacy encoding, do not match the normalization used on the server side. Conceptually, this is no different from the problems surrounding the use of case-insensitive web servers. For example, a popular web page with a mixed case name (http://big.site/PopularPage.html) might be "spoofed" by someone who is able to create http://big.site/ popularpage.html. However, the introduction of character normalization, and of additional mappings for user convenience, may increase the chance for spoofing. Protocols and servers that allow the creation of resources with unnormalized names, and resources with names that are not normalized, are particularly vulnerable to such attacks. This is an inherent security problem of the relevant protocol, server, or resource, and not specific to IRIs, but mentioned here for completeness. Duerst & Suignard Expires April 25, 2004 [Page 30] Internet-Draft Internationalized Resource Identifiers October 2003 Spoofing can occur in various IRI components, such as the domain name part or a path part. For considerations specific to the domain name part, see [RFC3491]. For the path part, administrators of sites which allow independent users to create resources in the same subarea may need to be careful to check for spoofing. Spoofing can occur because in the UCS, there are many characters that look very similar. Details are discussed in Section 7.5. Again, this is very similar to spoofing possibilities on US-ASCII, e.g. using 'br0ken' or '1ame' URIs. Spoofing can occur when URIs in various encodings are accepted to deal with older user agents. In some cases, in particular for Latin- based resource names, this is usually easy to detect because UTF-8- encoded names, when interpreted and viewed as legacy encodings, produce mostly garbage. In other cases, when concurrently used encodings have a similar structure, but there are no characters that have exactly the same encoding, detection is more difficult. Spoofing can occur with bidirectional IRIs, if the restrictions in Section 4.2 are not followed. The same visual representation may be interpreted as different logical representations, and vice versa. It is also very important that a correct Unicode bidirectional implementation is used. 9. Acknowledgements We would like to thank Larry Masinter for his work as coauthor of many earlier versions of this document (draft-masinter-url-i18n-xx). The discussion on the issue addressed here has started a long time ago. There was a thread in the HTML working group in August 1995 (under the topic of "Globalizing URIs") and in the www-international mailing list in July 1996 (under the topic of "Internationalization and URLs"), and ad-hoc meetings at the Unicode conferences in September 1995 and September 1997. Thanks to Francois Yergeau, Matti Allouche, Roy Fielding, Tim Berners-Lee, Mark Davis, M.T. Carrasco Benitez, James Clark, Tim Bray, Chris Wendt, Yaron Goland, Andrea Vine, Misha Wolf, Leslie Daigle, Ted Hardie, Makoto MURATA, Steven Atkin, Ryan Stansifer, Tex Texin, Graham Klyne, Bjoern Hoehrmann, Chris Lilley, Ian Jacobs, Adam Costello, Dan Oscarson, Elliotte Rusty Harold, Mike J. Brown, Andrea Vine, Roy Badami, Simon Josefsson, Carlos Viegas Damasio, and many others for help with understanding the issues and possible solutions, and getting the details right. Thanks also to the members of the W3C I18N Working Group and Interest Group for their contributions and their work on [CharMod], to the members of many other W3C WGs for Duerst & Suignard Expires April 25, 2004 [Page 31] Internet-Draft Internationalized Resource Identifiers October 2003 adopting the ideas, and to the members of the Montreal IAB Workshop on Internationalization and Localization for their review. Normative References [ISO10646] International Organization for Standardization, "Information Technology - Universal Multiple-Octet Coded Character Set (UCS) - Part 1: Architecture and Basic Multilingual Plane - Part 2: Supplementary Planes", ISO Standard 10646, with amendment, July 2002. [RFC2234] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, November 1997. [RFC3490] Faltstrom, P., Hoffman, P. and A. Costello, "Internationalizing Domain Names in Applications (IDNA)", RFC 3490, March 2003, . [RFC3491] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)", RFC 3491, March 2003. [RFCXXXX] Yergeau, F., "UTF-8, a transformation format of ISO 10646", draft-yergeau-rfc2279bis-05.txt (work in progress), June 2003, . [RFCYYYY] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", draft- fielding-uri-rfc2396bis-03.txt (work in progress), June 2003. [UTR15] Davis, M. and M. Duerst, "Unicode Normalization Forms", Unicode Standard Annex #15, March 2001, . Non-normative References [BidiEx] "Examples of bidirectional IRIs", . [CharMod] Duerst, M., Yergeau, F., Ishida, R., Wolf, M. and T. Texin, "Character Model for the World Wide Web", World Wide Web Consortium Working Draft, August 2003, . [Duerst97] Duerst, M., "The Properties and Promises of UTF-8", Duerst & Suignard Expires April 25, 2004 [Page 32] Internet-Draft Internationalized Resource Identifiers October 2003 Proc. 11th International Unicode Conference, San Jose , September 1997, . [Duerst01] Duerst, M., "Internationalized Resource Identifiers: From Specification to Testing", Proc. 19th International Unicode Conference, San Jose , September 2001, . [Gettys] Gettys, J., "URI Model Consequences", . [HTML4] Raggett, D., Le Hors, A. and I. Jacobs, "HTML 4.01 Specification", World Wide Web Consortium Recommendation, December 1999, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2130] Weider, C., Preston, C., Simonsen, K., Alvestrand, H., Atkinson, R., Crispin, M. and P. Svanberg, "The Report of the IAB Character Set Workshop held 29 February - 1 March, 1996", RFC 2130, April 1997. [RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997. [RFC2192] Newman, C., "IMAP URL Scheme", RFC 2192, September 1997. [RFC2277] Alvestrand, H., "IETF Policy on Character Sets and Languages", BCP 18, RFC 2277, January 1998. [RFC2384] Gellens, R., "POP URL Scheme", RFC 2384, August 1998. [RFC2396] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax", RFC 2396, August 1998. [RFC2397] Masinter, L., "The "data" URL scheme", RFC 2397, August 1998. [RFC2616] Fielding, R., Gettys, J., Mogul, J., Nielsen, H., Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. Duerst & Suignard Expires April 25, 2004 [Page 33] Internet-Draft Internationalized Resource Identifiers October 2003 [RFC2640] Curtin, B., "Internationalization of the File Transfer Protocol", RFC 2640, July 1999. [RFC2718] Masinter, L., Alvestrand, H., Zigmond, D. and R. Petke, "Guidelines for new URL Schemes", RFC 2718, November 1999. [UNIV4] The Unicode Consortium, "The Unicode Standard, Version 4.0", Addison-Wesley, Reading, MA , 2003. [UNI9] Davis, M., "The Bidirectional Algorithm", Unicode Standard Annex #9, March 2002, . [UNIXML] Duerst, M. and A. Freytag, "Unicode in XML and other Markup Languages", Unicode Technical Report #20, World Wide Web Consortium Note, February 2002, . [W3CIRI] Duerst, M., "Internationalization - URIs and other identifiers", World Wide Web Consortium Note, September 2002, . [XLink] DeRose, S., Maler, E. and D. Orchard, "XML Linking Language (XLink) Version 1.0", World Wide Web Consortium Recommendation, June 2001, . [XML1] Bray, T., Paoli, J., Sperberg-McQueen, C. and E. Maler, "Extensible Markup Language (XML) 1.0 (Second Edition)", World Wide Web Consortium Recommendation, including Erratum 26 at http://www.w3.org/XML/xml- V10-2e-errata#E26, October 2000, . [XMLNamespace] Bray, T., Hollander, D. and A. Layman, "Namespaces in XML", World Wide Web Consortium Recommendation, January 1999, . [XMLSchema] Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes", World Wide Web Consortium Recommendation, May 2001, . [XPointer] Grosso, P., Maler, E., Marsh, J. and N. Walsh, "XPointer Framework", World Wide Web Consortium Recommendation, March 2003, . Authors' Addresses Martin Duerst (Note: Please write "Duerst" with u-umlaut wherever possible, for example as "Dürst in XML and HTML.) World Wide Web Consortium 200 Technology Square Cambridge, MA 02139 U.S.A. Phone: +1 617 253 5509 Fax: +1 617 258 5999 EMail: mailto:duerst@w3.org URI: http://www.w3.org/People/D%C3%BCrst/ (Note: This is the escaped form of an IRI.) Michel Suignard Microsoft Corporation One Microsoft Way Redmond, WA 98052 U.S.A. Phone: +1 425 882-8080 EMail: mailto:michelsu@microsoft.com URI: http://www.suignard.com Duerst & Suignard Expires April 25, 2004 [Page 35] Internet-Draft Internationalized Resource Identifiers October 2003 Full Copyright Statement Copyright (C) The Internet Society (2003). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Duerst & Suignard Expires April 25, 2004 [Page 36]