Security considerations breakdown (was: Re: Security considerations breakdown and names of the specs (was: Re: Security Considerations: bad split))

Mark Davis mark at macchiato.com
Wed Dec 10 18:03:25 CET 2008


That works for me.

Thanks,

Mark


On Wed, Dec 10, 2008 at 06:48, John C Klensin <klensin at jck.com> wrote:

>
>
> --On Wednesday, 10 December, 2008 15:35 +0100 Harald Alvestrand
> <harald at alvestrand.no> wrote:
>
> >> Harald (not to pick on him) also wrote "Having re-read the
> >> security considerations on -bidi, I fail to see how it's
> >> possible to comprehend these few paragraphs without just
> >>...
> > Despite not being picked on, I choose to pick back.
> >
> > Again, we are discussing this text:
> >
> >    This modification will allow some strings to be used in Stringprep
> >    contexts that are not allowed today.  It is possible that differences
> >    in the interpretation of the specification between old and new
> >    implementations could pose a security risk, but it is
> >...
> > For some of the strings allowed (the ZWNJ in particular), it
> > is extremely easy to envision how the difference in
> > implementation could pose a security risk, so the statement is
> > false for the whole IDNABIS suite. It is, however, true for
> > -bidi.
> >
> > There are no other places in IDNABIS where the difference
> > between display order and network order matters, so the second
> > paragraph is meaningless in any other context than -bidi.
> >
> > I think we agree that the third paragraph is -bidi specific.
> >
> > I stand by my judgment: All three paragraphs are -bidi
> > specific, and are best kept in -bidi.
>
> Having heard from Pasi (one of the security ADs) who expressed a
> slight preference for consolidation, but mostly wanted to be
> sure that the cross references are correct and normative, and
> finding the above persuasive, I propose the following:
>
>        (1) We consolidate the security considerations material
>        from Defs, Protocol, Tables, and Rationale into Defs,
>        with copious cross-references, including a reference to
>        Bidi and a brief comment about why its issues are
>        separate.  As noted earlier, that will require some
>        textual tuning.  I expect the WG, and especially those
>        who seem to think that this issue is important, to
>        carefully check that changed/tuned text as soon as it
>        appears.
>
>        (2) We leave the Bidi discussion where it is, both for
>        the reasons Harald identified in his note and as a
>        logical consequence of the reasons we decided to keep
>        the Bidi document separate.  We should, IMO, get the
>        Stringprep reference out of that discussion, but that is
>        almost a separate issue.
>
> And, FWIW, I again ask that people keep their eyes on the target
> of getting the substantive issues right and getting this work
> done, and done soon, rather than debating moving text around for
> aesthetic reasons that do not really affect the underlying
> specifications.
>
>     john
>
>
>