Consensus Call Tranche 6 (Character Conversions)

Simon Josefsson simon at josefsson.org
Tue Oct 21 11:33:19 CEST 2008 

"Mark Davis" <mark at macchiato.com> writes:

>>
>> Place your reply here:
>>
>
> NO, they open up a significant security and interoperability hole.

I found Mark's discussion convincing, so it is a NO for me.

Generally, I think these documents must discuss more about stability and
security consequences than they do today.  I am sorry that I don't have
more spare time to propose actual text.

/Simon

>
>>
>>
>> COMMENTS:
>>
>
> 1. Section 4.2 of Protocol could be interpreted as only requiring Unicode
> Strings to be in NFC *if* they resulted from conversion from a legacy
> character encoding, rather than requiring it also of Unicode strings that
> did not result from such an encoding. The text needs to be fixed so that it
> is very clear that the NFC requirement is also true of strings that did not
> require conversion, as is the intent. I don't think this part is
> controversial -- it just makes it clearer and more consistent with 5.5.
>
> 2. In terms of validation (the subject of this tranche), the second
> paragraph of 4.2 and the section 5.3 open up an unpleasant interoperability
> and security hole, since it places no limits on the mappings that can be
> applied to forbidden characters.
>
> Take the following 3 strings:
>
>    1. HTTP://SCHAFFER.DE
>    2. HTTP://SCHÄFFER.DE <HTTP://xn--schffer-7wa.DE>
>    3. HTTP://SCHÆFFER.DE <HTTP://xn--schffer-oxa.DE>
>
> This section allows any implementation to map *any* of these to *any* of the
> following:
>
>    1. http://schaeffer.de
>    2. http://schäffer.de <http://xn--schffer-7wa.de>
>    3. http://schaffer.de
>
> That is, one implementation could map #2 to #3, while another implementation
> could map #2 to #1. Or, for that matter, many other variants. It allows YENİ
> KAPI.TR to be mapped to any of yenikapı.tr <http://xn--cfa.tr>,
> yenıkapi.tr, or other dotted vs dotless i variants. As
> a matter of fact, a conformant implementation could map
> РУССКИЙ.RU<http://xn--h1acbxfam.RU>
>  to sarapalin.ru, since no limits are placed on the kinds of mappings that
> can be done.
>
> This was also brought up before.
>
> Mark
> _______________________________________________
> Idna-update mailing list
> Idna-update at alvestrand.no
> http://www.alvestrand.no/mailman/listinfo/idna-update

More information about the Idna-update mailing list