The standards for Internationalized Domain Names in Applications (IDNA) require a review of each new version of Unicode to determine whether incompatibilities with prior versions or other issues exist and, where appropriate, to allow the IETF to decide on the trade-offs between compatibility with prior IDNA versions and compatibility with Unicode going forward. That requirement, and its relationship to tables maintained by IANA, has caused significant confusion in the past. This document makes adjustments to the review procedure based on experience and updates IDNA, specifically RFC 5892, to reflect those changes and to clarify the various relationships involved. It also makes other minor adjustments to align that document with experience.

This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8753.

Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

The standards for Internationalized Domain Names in Applications (IDNA) require a review of each new version of Unicode to determine whether incompatibilities with prior versions or other issues exist and, where appropriate, to allow the IETF to decide on the trade-offs between compatibility with prior IDNA versions and compatibility with Unicode [Unicode] going forward. That requirement, and its relationship to tables maintained by IANA, has caused significant confusion in the past (see Section 3 and Section 4 for additional discussion of the question of appropriate decisions and the history of these reviews). This document makes adjustments to the review procedure based on nearly a decade of experience and updates IDNA, specifically the document that specifies the relationship between Unicode code points and IDNA derived properties [RFC 5892], to reflect those changes and to clarify the various relationships involved. This specification does not change the requirement that registries at all levels of the DNS tree take responsibility for the labels they insert in the DNS, a level of responsibility that requires allowing only a subset of the code points and strings allowed by the IDNA protocol itself. That requirement is discussed in more detail in a companion document [RegRestr]. Terminology note: In this document, "IDNA" refers to the current version as described in [RFC 5890] and subsequent documents and sometimes known as "IDNA2008". Distinctions between it and the earlier version are explicit only where they are necessary for understanding the relationships involved, e.g., in Section 2.

The original, now-obsolete, version of IDNA, commonly known as "IDNA2003" [RFC 3490] [RFC 3491], was defined in terms of a profile of a collection of IETF-specific tables [RFC 3454] that specified the usability of each Unicode code point with IDNA. Because the tables themselves were normative, they were intrinsically tied to a particular version of Unicode. As Unicode evolved, the IDNA2003 standard would have required the creation of a new profile for each new version of Unicode, or the tables would have fallen further and further behind. When IDNA2003 was superseded by the current version, known as IDNA2008 [RFC 5890], a different strategy, one that was property-based rather than table-based, was adopted for a number of reasons, of which the reliance on normative tables was not dominant [RFC 4690]. In the IDNA2008 model, the use of normative tables was replaced by a set of procedures and rules that operated on Unicode properties [Unicode-properties] and a few internal definitions to determine the category and status, and hence an IDNA-specific "derived property", for any given code point. Those rules are, in principle, independent of Unicode versions. They can be applied to any version of Unicode, at least from approximately version 5.0 forward, to yield an appropriate set of derived properties. However, the working group that defined IDNA2008 recognized that not all of the Unicode properties were completely stable and that, because the criteria for new code points and property assignment used by the Unicode Consortium might not precisely align with the needs of IDNA, there were possibilities of incompatible changes to the derived property values. More specifically, there could be changes that would make previously disallowed labels valid, previously valid labels disallowed, or that would be disruptive to IDNA's defining rule structure. Consequently, IDNA2008 provided for an expert review of each new version of Unicode with the possibility of providing exceptions to the rules for particular new code points, code points whose properties had changed, and newly discovered issues with the IDNA2008 collection of rules. When problems were identified, the reviewer was expected to notify the IESG. The assumption was that the IETF would review the situation and modify IDNA2008 as needed, most likely by adding exceptions to preserve backward compatibility (see Section 3.1). For the convenience of the community, IDNA2008 also provided that IANA would maintain copies of calculated tables resulting from each review, showing the derived properties for each code point. Those tables were expected to be helpful, especially to those without the facilities to easily compute derived properties themselves. Experience with the community and those tables has shown that they have been confused with the normative tables of IDNA2003: the IDNA2008 tables published by IANA have never been normative, and statements about IDNA2008 being out of date with regard to some Unicode version because the IANA tables have not been updated are incorrect or meaningless.

While the text has sometimes been interpreted differently, IDNA2008 actually calls for two types of review when a new Unicode version is introduced. One is an algorithmic comparison of the set of derived properties calculated from the new version of Unicode to the derived properties calculated from the previous one to determine whether incompatible changes have occurred. The other is a review of newly assigned code points to determine whether any of them require special treatment (e.g., assignment of what IDNA2008 calls contextual rules) and whether any of them violate any of the assumptions underlying the IDNA2008 derived property calculations. Any of the cases of either review might require either per-code point exceptions or other adjustments to the rules for deriving properties that are part of RFC 5892. The subsections below provide a revised specification for the review procedure. Unless the IESG or the designated expert team concludes that there are special problems or unusual circumstances, these reviews will be performed only for major Unicode versions (those numbered NN.0, e.g., 12.0) and not for minor updates (e.g., 12.1). As can be seen in the detailed descriptions in the following subsections, proper review will require a team of experts that has both broad and specific skills in reviewing Unicode characters and their properties in relation to both the written standards and operational needs. The IESG will need to appoint experts who can draw on the broader community to obtain the necessary skills for particular situations. See the IANA Considerations (Section 7) for details.

Section 5.1 of RFC 5892 is the description of the process for creating the initial IANA tables. It is noteworthy that, while it can be read as strongly implying new reviews and new tables for versions of Unicode after 5.2, it does not explicitly specify those reviews or, e.g., the timetable for completing them. It also indicates that incompatibilities are to be "flagged for the IESG" but does not specify exactly what the IESG is to do about them and when. For reasons related to the other type of review and discussed below, only one review was completed, documented [RFC 6452], and a set of corresponding new tables installed. That review, which was for Unicode 6.0, found only three incompatibilities; the consensus was to ignore them (not create exceptions in IDNA2008) and to remain consistent with computations based on current (Unicode 6.0) properties rather than preserving backward compatibility within IDNA. The 2018 review (for Unicode 11.0 and versions in between it and 6.0) [IDNA-Unicode12] also concluded that Unicode compatibility, rather than IDNA backward compatibility, should be maintained. That decision was partially driven by the long period between reviews and the concern that table calculations by others in the interim could result in unexpected incompatibilities if derived property definitions were then changed. See Section 4 for further discussion of these preferences.

The second type of review, which is not clearly explained in RFC 5892, is intended to identify cases in which newly added or recently discovered problematic code points violate the design assumptions of IDNA, to identify defects in those assumptions, or to identify inconsistencies (from an IDNA perspective) with Unicode commitments about assignment, properties, and stability of newly added code points. One example of this type of review was the discovery of new code points after Unicode 7.0 that were potentially visually equivalent, in the same script, to previously available code point sequences [IAB-Unicode7-2015] [IDNA-Unicode7]. Because multiple perspectives on Unicode and writing systems are required, this review will not be successful unless it is done by a team. Finding one all-knowing expert is improbable, and a single expert is unlikely to produce an adequate analysis. Rather than any single expert being the sole source of analysis, the designated expert (DE) team needs to understand that there will always be gaps in their knowledge, to know what they don't know, and to work to find the expertise that each review requires. It is also important that the DE team maintains close contact with the Area Directors (ADs) and that the ADs remain aware of the team's changing needs, examining and adjusting the team's membership over time, with periodic reexamination at least annually. It should also be recognized that, if this review identifies a problem, that problem is likely to be complex and/or involve multiple trade-offs. Actions to deal with it are likely to be disruptive (although perhaps not to large communities of users), or to leave security risks (opportunities for attacks and inadvertent confusion as expected matches do not occur), or to cause excessive reliance on registries understanding and taking responsibility for what they are registering [RFC 5894] [RegRestr]. The latter, while a requirement of IDNA, has often not worked out well in the past. Because resolution of problems identified by this part of the review may take some time even if that resolution is to add additional contextual rules or to disallow one or more code points, there will be cases in which it will be appropriate to publish the results of the algorithmic review and to provide IANA with corresponding tables, with warnings about code points whose status is uncertain until there is IETF consensus about how to proceed. The affected code points should be considered unsafe and identified as "under review" in the IANA tables until final derived properties are assigned.

At the time the IDNA2008 documents were written, the assumption was that, if new versions of Unicode introduced incompatible changes, the Standard would be updated to preserve backward compatibility for users of IDNA. For most purposes, this would be done by adding to the table of exceptions associated with Rule G [RFC5892a]. This has not been the practice in the reviews completed subsequent to Unicode 5.2, as discussed in Section 3. Incompatibilities were identified in Unicode 6.0 [RFC 6452] and in the cumulative review leading to tables for Unicode 11.0 [IDNA-Unicode11]. In all of those cases, the decision was made to maintain compatibility with Unicode properties rather than with prior versions of IDNA. If an algorithmic review detects changes in Unicode after version 12.0 that would break compatibility with derived properties associated with prior versions of Unicode or changes that would preserve compatibility within IDNA at the cost of departing from current Unicode specifications, those changes must be captured in documents expected to be published as Standards Track RFCs so that the IETF can review those changes and maintain a historical record. The community has now made decisions and updated tables for Unicode 6.0 [RFC 6452], done catch-up work between it and Unicode 11.0 [IDNA-Unicode11], and completed the review and tables for Unicode 12.0 [IDNA-Unicode12]. The decisions made in those cases were driven by preserving consistency with Unicode and Unicode property changes for reasons most clearly explained by the IAB [IAB-Unicode-2018]. These actions were not only at variance with the language in RFC 5892 but were also inconsistent with commitments to the registry and user communities to ensure that IDN labels that were once valid under IDNA2008 would remain valid, and previously invalid labels would remain invalid, except for those labels that were invalid because they contained unassigned code points. This document restores and clarifies that original language and intent: absent extremely strong evidence on a per-code point basis that preserving the validity status of possible existing (or prohibited) labels would cause significant harm, Unicode changes that would affect IDNA derived properties are to be reflected in IDNA exceptions that preserve the status of those labels. There is one partial exception to this principle. If the new code point analysis (see Section 3.2) concludes that some code points or collections of code points should be further analyzed, those code points, and labels including them, should be considered unsafe and used only with extreme caution because the conclusions of the analysis may change their derived property values and status.

As discussed above, RFC 5892 specified that derived property tables be provided via an IANA registry. Perhaps because most IANA registries are considered normative and authoritative, that registry has been the source of considerable confusion, including the incorrect assumption that the absence of published tables for versions of Unicode later than 6.0 meant that IDNA could not be used with later versions. That position was raised in multiple ways, not all of them consistent, especially in the ICANN context [ICANN-LGR-SLA]. If the changes specified in this document are not successful in significantly mitigating the confusion about the status of the tables published by IANA, serious consideration should be given to eliminating those tables entirely.

This section updates RFC 5892 to provide fixes for known applicable errata and omissions. In particular, verified RFC Editor Erratum 3312 [Err3312] provides a clarification to Appendix A and A.1 in RFC 5892. That clarification is incorporated below.

1. In Appendix A, add a new paragraph after the paragraph that begins "The code point...". The new paragraph should read:

   ---

   For the rule to be evaluated to True for the label, it MUST be evaluated separately for every occurrence of the code point in the label; each of those evaluations must result in True.

   ---
2. In Appendix A.1, replace the "Rule Set" by

        Rule Set:
          False;
          If Canonical_Combining_Class(Before(cp)) .eq. Virama
                Then True;
          If cp .eq. \u200C And
                 RegExpMatch((Joining_Type:{L,D})(Joining_Type:T)*cp
            (Joining_Type:T)*(Joining_Type:{R,D})) Then True;

For the algorithmic review described in Section 3.1, the IESG is to appoint a designated expert [RFC 8126] with appropriate expertise to conduct the review and to supply derived property tables to IANA. As provided in Section 5.2 of RFC 8126, the designated expert is expected to consult additional sources of expertise as needed. For the code point review, the expertise will be supplied by an IESG-designated expert team as discussed in Section 3.2 and Appendix B. In both cases, the experts should draw on the expertise of other members of the community as needed. In particular, and especially if there is no overlap of the people holding the various roles, coordination with the IAB-appointed liaison to the Unicode Consortium will be essential to mitigate possible errors due to confusion. As discussed in Section 5, IANA has modified the IDNA tables collection [IANA-IDNA-Tables] by identifying them clearly as non-normative, so that a "current" or "correct" version of those tables is not implied, and by pointing to this document for an explanation. IANA has published tables supplied by the IETF for all Unicode versions through 11.0, retaining all older versions and making them available. Newer tables will be constructed as specified in this document and then made available by IANA. IANA has changed the title of that registry from "IDNA Parameters", which is misleading, to "IDNA Rules and Derived Property Values". The "Note" in that registry says:

---

---

As long as the intent is preserved, the text of that note may be changed in the future at IANA's discretion. IANA's attention is called to the introduction, in Section 3.2, of a temporary "under review" category to the PVALID, DISALLOWED, etc., entries in the tables.

Applying the procedures described in this document and understanding of the clarifications it provides should reduce confusion about IDNA requirements. Because past confusion has provided opportunities for bad behavior, the effect of these changes should improve Internet security to at least some small extent. Because of the preference to keep the derived property value stable (as specified in RFC 5892 and discussed in Section 4), the algorithm used to calculate those derived properties does change as explained in Section 3. If these changes are not taken into account, the derived property value will change, and the implications might have negative consequences, in some cases with security implications. For example, changes in the calculated derived property value for a code point from either DISALLOWED to PVALID or from PVALID to DISALLOWED can cause changes in label interpretation that would be visible and confusing to end users and might enable attacks.

[IANA-IDNA-Tables]

IANA, "IDNA Rules and Derived Property Values",
<https://www.iana.org/assignments/idna-tables>.

[RFC5892]

P. Faltstrom, "The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)", RFC 5892, DOI 10.17487/RFC5892, August 2010,
<https://www.rfc-editor.org/info/rfc5892>.

[RFC5892a]

P. Faltstrom, "The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)", RFC 5892, August 2010,
<https://www.rfc-editor.org/rfc/rfc5892.txt>.

[RFC8126]

M. Cotton, B. Leiba, and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.

[Unicode]

The Unicode Consortium, "The Unicode Standard (Current Version)",
<http://www.unicode.org/versions/latest/>.

[Unicode-properties]

The Unicode Consortium, "The Unicode Standard Version 11.0", 2018,
<https://www.unicode.org/versions/Unicode11.0.0/>.

[Err3312]

RFC Errata, "Erratum ID 3312",
<https://www.rfc-editor.org/errata/eid3312>.

[IAB-Unicode-2018]

Internet Architecture Board (IAB), "IAB Statement on Identifiers and Unicode", March 2018,
<https://www.iab.org/documents/correspondence-reports-documents/2018-2/iab-statement-on-identifiers-and-unicode/>.

[IAB-Unicode7-2015]

Internet Architecture Board (IAB), "IAB Statement on Identifiers and Unicode 7.0.0", February 2015,
<https://www.iab.org/documents/correspondence-reports-documents/2015-2/iab-statement-on-identifiers-and-unicode-7-0-0/>.

[ICANN-LGR-SLA]

Internet Corporation for Assigned Names and Numbers (ICANN), "Proposed IANA SLAs for Publishing LGRs/IDN Tables", June 2019,
<https://www.icann.org/public-comments/proposed-iana-sla-lgr-idn-tables-2019-06-10-en>.

[IDNA-Unicode7]

J Klensin, and P Faltstrom, "IDNA Update for Unicode 7.0 and Later Versions", Internet-Draft draft-klensin-idna-5892upd-unicode70-05, October 2017,
<https://tools.ietf.org/html/draft-klensin-idna-5892upd-unicode70-05>.

[IDNA-Unicode11]

P Faltstrom, "IDNA2008 and Unicode 11.0.0", Internet-Draft draft-faltstrom-unicode11-08, March 2019,
<https://tools.ietf.org/html/draft-faltstrom-unicode11-08>.

[IDNA-Unicode12]

P Faltstrom, "IDNA2008 and Unicode 12.0.0", Internet-Draft draft-faltstrom-unicode12-00, March 2019,
<https://tools.ietf.org/html/draft-faltstrom-unicode12-00>.

[RegRestr]

J Klensin, and A Freytag, "Internationalized Domain Names in Applications (IDNA): Registry Restrictions and Recommendations", Internet-Draft draft-klensin-idna-rfc5891bis-05, August 2019,
<https://tools.ietf.org/html/draft-klensin-idna-rfc5891bis-05>.

[RFC1766]

H. Alvestrand, "Tags for the Identification of Languages", RFC 1766, DOI 10.17487/RFC1766, March 1995,
<https://www.rfc-editor.org/info/rfc1766>.

[RFC3282]

H. Alvestrand, "Content Language Headers", RFC 3282, DOI 10.17487/RFC3282, May 2002,
<https://www.rfc-editor.org/info/rfc3282>.

[RFC3454]

P. Hoffman, and M. Blanchet, "Preparation of Internationalized Strings ("stringprep")", RFC 3454, DOI 10.17487/RFC3454, December 2002,
<https://www.rfc-editor.org/info/rfc3454>.

[RFC3490]

P. Faltstrom, P. Hoffman, and A. Costello, "Internationalizing Domain Names in Applications (IDNA)", RFC 3490, DOI 10.17487/RFC3490, March 2003,
<https://www.rfc-editor.org/info/rfc3490>.

[RFC3491]

P. Hoffman, and M. Blanchet, "Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)", RFC 3491, DOI 10.17487/RFC3491, March 2003,
<https://www.rfc-editor.org/info/rfc3491>.

[RFC3629]

F. Yergeau, "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 2003,
<https://www.rfc-editor.org/info/rfc3629>.

[RFC4690]

IAB, J. Klensin, P. Faltstrom, and C. Karp, "Review and Recommendations for Internationalized Domain Names (IDNs)", RFC 4690, DOI 10.17487/RFC4690, September 2006,
<https://www.rfc-editor.org/info/rfc4690>.

[RFC5646]

A. Phillips, and M. Davis, "Tags for Identifying Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646, September 2009,
<https://www.rfc-editor.org/info/rfc5646>.

[RFC5890]

J. Klensin, "Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework", RFC 5890, DOI 10.17487/RFC5890, August 2010,
<https://www.rfc-editor.org/info/rfc5890>.

[RFC5894]

J. Klensin, "Internationalized Domain Names for Applications (IDNA): Background, Explanation, and Rationale", RFC 5894, DOI 10.17487/RFC5894, August 2010,
<https://www.rfc-editor.org/info/rfc5894>.

[RFC6452]

P. Faltstrom, and P. Hoffman, "The Unicode Code Points and Internationalized Domain Names for Applications (IDNA) - Unicode 6.0", RFC 6452, DOI 10.17487/RFC6452, November 2011,
<https://www.rfc-editor.org/info/rfc6452>.

Other than the editorial correction specified in Section 6, all of the changes in this document are concerned with the reviews for new versions of Unicode and with the IANA Considerations in Section 5 of RFC 5892, particularly Section 5.1 of RFC 5892. Whether the changes are substantive or merely clarifications may be somewhat in the eye of the beholder, so the list below should not be assumed to be comprehensive. At a very high level, this document clarifies that two types of review were intended and separates them for clarity. This document also restores the original (but so far unobserved) default for actions when code point derived properties change. For this reason, this document effectively replaces Section 5.1 of RFC 5892 and adds or changes some text so that the replacement makes better sense. Changes or clarifications that may be considered important include:

• Separated the new Unicode version review into two explicit parts and provided for different review methods and, potentially, asynchronous outcomes.
• Specified a DE team, not a single designated expert, for the code point review.
• Eliminated the de facto requirement for the (formerly single) designated expert to be the same person as the IAB's liaison to the Unicode Consortium, but called out the importance of coordination.
• Created the "Status" field in the IANA tables to inform the community about specific potentially problematic code points. This change creates the ability to add information about such code points before IETF review is completed instead of having the review process hold up the use of the new Unicode version.
• In part because Unicode is now on a regular one-year cycle rather than producing major and minor versions as needed, to avoid overloading the IETF's internationalization resources, and to avoid generating and storing IANA tables for trivial changes (e.g., the single new code point in Unicode 12.1), the review procedure is applied only to major versions of Unicode unless exceptional circumstances arise and are identified.

The expert review procedure for new code point analysis described in Section 3.2 is somewhat unusual compared to the examples presented in the Guidelines for Writing IANA Considerations [RFC 8126]. This appendix explains that choice and provides the background for it. Development of specifications to support use of languages and writing systems other than English (and Latin script) -- so-called "internationalization" or "i18n" -- has always been problematic in the IETF, especially when requirements go beyond simple coding of characters (e.g., [RFC 3629]) or simple identification of languages (e.g., [RFC 3282] and the earlier [RFC 1766]). A good deal of specialized knowledge is required, knowledge that comes from multiple fields and that requires multiple perspectives. The work is not obviously more complex than routing, especially if one assumes that routing work requires a solid foundation in graph theory or network optimization, or than security and cryptography, but people working in those areas are drawn to the IETF and people from the fields that bear on internationalization typically are not. As a result, we have often thought we understood a problem, generated a specification or set of specifications, but then have been surprised by unanticipated (by the IETF) issues. We then needed to tune and often revise our specification. The language tag work that started with RFC 1766 is a good example of this: broader considerations and requirements led to later work and a much more complex and finer-grained system [RFC 5646]. Work on IDNs further increased the difficulties because many of the decisions that led to the current version of IDNA require understanding the DNS, its constraints, and, to at least some extent, the commercial market of domain names, including various ICANN efforts. The net result of these factors is that it is extremely unlikely that the IESG will ever find a designated expert whose knowledge and understanding will include everything that is required. Consequently, Section 7 and other discussions in this document specify a DE team that is expected to have the broad perspective, expertise, and access to information and community in order to review new Unicode versions and to make consensus recommendations that will serve the Internet well. While we anticipate that the team will have one or more leaders, the structure of the team differs from the suggestions given in Section 5.2 of RFC 8126 since neither the team's formation nor its consultation is left to the discretion of the designated expert, nor is the designated expert solely accountable to the community. A team that contains multiple perspectives is required, the team members are accountable as a group, and any nontrivial recommendations require team consensus. This also differs from the common practice in the IETF of "review teams" from which a single member is selected to perform a review: the principle for these reviews is team effort.

This document was inspired by extensive discussions within the I18N Directorate of the IETF Applications and Real-Time (ART) area in the first quarter of 2019 about sorting out the reviews for Unicode 11.0 and 12.0. Careful reviews by Joel Halpern and text suggestions from Barry Leiba resulted in some clarifications. Thanks to Christopher Wood for catching some editorial errors that persisted until rather late in the document's life cycle and to Benjamin Kaduk for catching and raising a number of questions during Last Call. Some of the issues they raised have been reflected in the document; others did not appear to be desirable modifications after further discussion, but the questions were definitely worth raising and discussing.

John C Klensin

Patrik Fältström