Leaving out scripts (Re: Unicode versions (Re: Criteria for exceptional characters))

Kenneth Whistler kenw at sybase.com
Wed Dec 20 02:32:16 CET 2006


> If you allow 
> script-mixing, then of course, someone might try 
> to spoof Danish å by using a THAANA SUKUN.

Or of course using a COMBINING LATIN SMALL LETTER O,
which *doesn't* involve script mixing.

Or with LATIN SMALL LETTER A WITH DOT ABOVE,
which doesn't involve script mixing.

Or with <LATIN SMALL LETTER ALPHA, COMBINING RING ABOVE>,
which doesn't involve script mixing.

> So don't allow it.

Trying to put disallowance of script mixing into the
protocol doesn't really solve the problem you are trying
to solve. And it would make the protocol more complicated,
which likely would cut down its acceptance and make it
more likely to be implemented with mistakes, which has
its own security risks attached.

I think we are basically on track with the right division of
steps here, as outlined in klensin-idnabis-issues.

If we can just focus on eliminating as much of the undesireable
cruft and unnecessary stuff from the inclusions table as
possible at *this* point, the implementation of
StringPrep will be much cleaner, the implementations will
be simpler and easier to understand, the output will have
many fewer types of problems in it.

Then we can focus on how to communicate best practice to
the registries and registrars to protect themselves from
malicious spoofing issues within the context of a well-defined
protocol.

I really think you are being overly optimistic, even quixotic,
in thinking "just say no to script mixing" in the protocol
is going to be the magic bullet to solve these problems.

--Ken



More information about the Idna-update mailing list