SASLprep200x

John C Klensin klensin at jck.com
Thu Jan 11 17:34:38 CET 2007



--On Wednesday, 10 January, 2007 21:17 -0800 Erik van der Poel
<erikv at google.com> wrote:

>...
> Yes, I realized this right after I sent that email. It is OK
> if the user agent set is a superset of the registry set, as
> long as dangerous characters like the slash look-alikes are
> not included.

This is, once again, why there have to be multiple
(supersetting) collections of characters in this.

(1) Some characters have to be prohibited, in the protocol and
enforced by the UAs, because they are bad news/ dangerous.

(2) It is almost certain that a much larger set of characters
should be prohibited, not because specific dangers can be
identified, but because their value in domain names, under
principles like "language characters only", is sufficiently
marginal as to be outweighed by the risks, even if the risks
cannot be specifically identified.  As with (1), "prohibited"
here means that we are sufficiently confident about the
prohibition to enforce it in UAs.

(3) There may be some characters that are permitted in lookup
but that are mapped to other characters at that point.  In
general, these characters should not be permitted at all in
registrations, since they do not exist after nameprep (or
whatever) is applied.  The one obvious exception for IDN
purposes is case-mapping, in order to keep IDN functionality as
close to base DNS functionality as possible.

(4) There are many characters that one might want to permit in
the future, with appropriate, registry-enforced, rules about
character combinations and sequences (mixing of scripts is
merely one example here; whether or not certain sets of
combining characters should be permitted in conjunction with
other characters or contexts is another).  These characters
should be permitted by UAs because registrations might
ultimately be permitted, but not registered today.   Just what
we say about them and how, and what the mechanism is for
permitting them into the fourth group, are knotty problems, but
ones we need to solve.

(5) Characters that we really see as "ok" in labels today, but
for which registry restrictions may still be appropriate.
Again, a UI should not attempt to guess at, much less apply,
registry tests at lookup/resolution time.  Testing, as Erik
points out, is another matter, but I don't really consider test
or validation programs as examples of end-user UIs.

I believe those categories are as applicable to SASL (and other
protocols) as they are to IDNs, even though the rules and
contents of each category might be different.

     john
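The lookup-time versus registration-time split described in the five categories above, as working code. This is an added example, not part of John's message, of Erik's, or of any RFC: the tier structure follows the message, but every concrete code point (the slash look-alikes), the general-category sets, the choice of NFKC-plus-lowercase as the "mapping" step, and the script-detection heuristic are assumptions chosen for illustration. Sample labels in the main block are constructed.

```python
"""Layered character policy: what a user agent enforces at lookup time
versus what a registry enforces at registration time.

Added example. Tiers follow the five categories in the message above;
all concrete characters, category sets and the script heuristic are
assumptions for illustration, not nameprep/SASLprep tables.
"""
import unicodedata

# Tier (1): dangerous look-alikes a user agent must reject outright.
# Assumed examples; the message names the class, not the code points.
DANGEROUS = {
    "\u2044",  # FRACTION SLASH
    "\u2215",  # DIVISION SLASH
    "\uff0f",  # FULLWIDTH SOLIDUS
}

# Tier (2): "marginal" characters, prohibited at lookup even without a
# specific attack because they are not language characters.  Assumed
# set of Unicode general categories: symbols, controls, format, separators.
MARGINAL_CATEGORIES = {"Sm", "Sc", "Sk", "So", "Cc", "Cf", "Cn", "Co",
                       "Cs", "Zs", "Zl", "Zp"}


def _language_character(ch: str) -> bool:
    """Assumed UA allow-list: letters, marks, numbers and hyphen-minus."""
    return unicodedata.category(ch)[0] in "LMN" or ch == "-"


def ua_prohibited_reason(ch: str):
    """Why a user agent rejects ch outright (tiers 1 and 2), or None."""
    if ch in DANGEROUS:
        return "dangerous look-alike"
    if unicodedata.category(ch) in MARGINAL_CATEGORIES or not _language_character(ch):
        return "marginal (not a language character)"
    return None


def lookup_form(label: str) -> str:
    """What a UA sends to DNS: tiers 1-2 rejected, tier 3 mapped.

    Mapping here is NFKC followed by lowercasing (assumed stand-in for a
    nameprep-style table).  Prohibition is checked before AND after the
    mapping so that a compatibility character cannot decompose into a
    prohibited one and slip through.
    """
    for stage, text in (("input", label), ("mapped", unicodedata.normalize("NFKC", label).lower())):
        for ch in text:
            reason = ua_prohibited_reason(ch)
            if reason:
                name = unicodedata.name(ch, "?")
                raise ValueError(f"{stage}: U+{ord(ch):04X} {name}: {reason}")
    return unicodedata.normalize("NFKC", label).lower()


def ua_rejection(label: str):
    """Convenience wrapper: the UA's rejection reason, or None if accepted."""
    try:
        lookup_form(label)
        return None
    except ValueError as exc:
        return str(exc)


def _script_of(ch: str) -> str:
    """Crude script guess from the first word of the character name
    (heuristic only; Python's unicodedata exposes no Script property)."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def registry_accepts(label: str):
    """Registration-time policy layered on the lookup rules (tiers 3-5).

    Returns (ok, detail).  Assumed rules:
      - the label must survive the lookup mapping except for case
        (tier 3, with the case-mapping exception from the message);
      - all letters must come from a single script (a tier 4/5 rule
        that belongs to the registry, not to the UA).
    """
    try:
        mapped = lookup_form(label)
    except ValueError as exc:
        return False, str(exc)
    if mapped != label.lower():
        return False, "contains characters that do not survive lookup mapping"
    scripts = {_script_of(ch) for ch in mapped
               if unicodedata.category(ch).startswith("L")}
    if len(scripts) > 1:
        return False, "mixes scripts: " + ", ".join(sorted(scripts))
    return True, mapped


if __name__ == "__main__":
    # Constructed sample labels: plain, fullwidth E, fraction slash, mixed script.
    for sample in ("Example", "\uff25xample", "ex\u2044ample", "p\u0430ypal"):
        print(repr(sample), "UA:", ua_rejection(sample), "registry:", registry_accepts(sample))
```

The point the code makes is the one in the message: the UA rejects only tiers (1) and (2) and maps tier (3), while the registry additionally refuses anything that would not survive that mapping (other than case) and applies its own composition rules, so its allowed set is a strict subset of what the UA will resolve.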
