IDNs in TLS and Kerberos

Andrew Sullivan ajs at shinkuro.com
Fri Jan 23 18:12:56 CET 2009


On Fri, Jan 23, 2009 at 03:57:59PM +0100, Simon Josefsson wrote:
> user/administrator typed locally.  If the preparation of these two
> different strings were done using different IDNA algorithms and their
> output differ depending on the algorithm used, it might trigger both
> unwanted matches and unwanted rejections.

It's worse than this, because IDNA2008 has the local mapping, which
means even if the same IDNA algorithm is used, _different local
mapping_ algorithms could be involved.  Since different browser
vendors had different responses to what was "safe" under IDNA2003, I
think we have _prima facie_ evidence that they could well have
different local mapping rules. This means that the same user on the
same computer could have a different experience depending on which
browser happens to be in use. For instance, the paranoid browser might
refuse to do local mapping at all, and require strict Unicode input or
just refuse to do IDNA.  The less-paranoid browser might map any
character that can be mapped 1:1 to a Unicode character, but refuse to
do anything else (so, for instance, take ISO 8859-N u-umlaut and pick
the character that matches depending on the ISO range in use).  The
helpful browser might also map full-width Chinese characters to
something that will work.  (I am making these scenarios up -- I
haven't the expertise to figure out exactly how this could go wrong in
an input environment I don't understand; but we've certainly heard
nervous sounds about local mappings from people who _do_ understand
those environments.)

A

-- 
Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.
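To make the divergence concrete, here is an added illustration (not part of the message above or of any IDNA implementation) of how three hypothetical local-mapping policies, standing in for the paranoid, less-paranoid and helpful browsers described, can turn the same typed name into different comparison results against a name already fixed in a certificate or Kerberos ticket. It uses only the Python standard library; the policy names, the `prepare`/`name_matches` helpers and the sample names are constructed for the example. Mapping is done before punycoding with the bare `punycode` codec rather than Python's `idna` codec, so that the local-mapping step stays explicit instead of being hidden inside IDNA2003 nameprep.

```python
import unicodedata


class LocalMappingError(ValueError):
    """Raised when a policy refuses to map the characters the user typed."""


# Three hypothetical local-mapping policies. IDNA2008 leaves this step to the
# application, so each of them is a legitimate choice and they may disagree.
POLICIES = ("strict", "case_only", "compat")


def local_map(label, policy):
    """Map one user-typed label to the U-label that will be punycoded."""
    nfc = unicodedata.normalize("NFC", label)
    if policy == "strict":
        # Paranoid: no mapping at all; input must already be a valid U-label
        # (NFC, lowercase), otherwise refuse to do IDNA.
        if label != nfc or label != label.lower():
            raise LocalMappingError(f"refusing to map {label!r}")
        return label
    if policy == "case_only":
        # Less paranoid: fix case and canonical form, but refuse anything that
        # would need a compatibility mapping (full-width forms, ligatures, ...).
        mapped = nfc.lower()
        if mapped != unicodedata.normalize("NFKC", mapped):
            raise LocalMappingError(f"compatibility characters in {label!r}")
        return mapped
    if policy == "compat":
        # Helpful: NFKC folds full-width and other compatibility characters
        # into something that will work.
        return unicodedata.normalize("NFKC", label).lower()
    raise ValueError(f"unknown policy {policy!r}")


def to_alabel(label):
    """Punycode a U-label into its xn-- A-label; ASCII labels pass through."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def prepare(name, policy):
    """Turn a typed host name into the A-label form used for comparison."""
    return ".".join(to_alabel(local_map(lbl, policy)) for lbl in name.split("."))


def name_matches(cert_name, typed_name, policy):
    """Compare a certificate/ticket name (already an A-label) with user input."""
    try:
        return prepare(typed_name, policy) == cert_name.lower()
    except LocalMappingError:
        return False  # an unwanted rejection from the user's point of view


def compare_policies(cert_name, typed_name):
    """Outcome of the same comparison under every policy, to show the divergence."""
    return {p: name_matches(cert_name, typed_name, p) for p in POLICIES}


if __name__ == "__main__":
    # Constructed sample: a certificate for büro.example, and four ways a user
    # might type that name (as is, capital B, decomposed ü, full-width B).
    cert = prepare("büro.example", "strict")
    for typed in ("büro.example", "Büro.example",
                  "bu\u0308ro.example", "\uff22üro.example"):
        print(f"{typed!r:28} -> {compare_policies(cert, typed)}")
```

Run stand-alone, the script prints one row per typed spelling; only the exact lowercase NFC spelling matches under every policy, while the capitalised and full-width spellings match under some policies and are rejected under others, which is the "same user, same computer, different browser" outcome the message describes.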
