Security Considerations: bad split

John C Klensin klensin at jck.com
Sun Dec 7 19:21:48 CET 2008



--On Sunday, 07 December, 2008 19:12 +0100 Harald Tveit
Alvestrand <harald at alvestrand.no> wrote:

> Paul Hoffman wrote:
>> At 9:03 AM +0100 12/7/08, Harald Tveit Alvestrand wrote:
>>   
>>> Having re-read the security considerations on -bidi, I fail
>>> to see how it's possible to comprehend these few paragraphs
>>> without just having read -bidi.
>>>     
>> 
>> Are you saying that someone who is implementing IDNA200x will
>> not have read -bidi? I thought -bidi was required for the
>> protocol.
>>   
> I fully expect the overall registry designer to look at -bidi
> for 2 seconds, then throw it in the direction of the
> string-processing expert and say "implement this". I expect
> him to pay much more careful attention to -rationale.

>>> In the case of -bidi, I see the drive for a unified security
>>> considerations section as quixotic, harmful and nonsensical.
>>>     
>> 
>> I can agree with the first and third, given that the document
>> authors have bigger heels dug more firmly in the ground, but
>> I do not see how a combined security considerations section
>> could be "harmful".
>> 
> I think that if the documents are harder to understand because
> of a text change, that text change is harmful.
> 
> I don't think it's a big effect, but I have a definite opinion
> about its sign bit.

+1
While a look at Security Considerations sections is helpful to
the careful protocol implementer, most of the issues raised in
the various security-related pieces of IDNA ultimately need to
be addressed by zone admins... people who are typically not
those string-processing experts.


    john



