wrt IDNA2003->IDNA2008 transition (was: IDN processing-related, security considerations for draft-ietf-websec-strict-transport-sec)

Andrew Sullivan ajs at anvilwalrusden.com
Fri Oct 7 22:48:07 CEST 2011


On Fri, Oct 07, 2011 at 07:46:23PM +0000, Shawn Steele wrote:
> >  But IDNA2008 wasn't done because we didn't have anything else to do; it was done because people saw some real deficiencies of IDNA2003, and wanted to address those. 
> 
> Because their names didn't "look right".

Well, duh.  IDNA2003 was also because people's names didn't "look
right": they were in ASCII.  IDNA2008 was also an attempt to fix the
issue that IDNA2003 worked for exactly one version of Unicode, not
available on most shipping systems any more.  It also added a number
of clarifications that I think were helpful (the most prominent of
which is A-label/U-label), and it moved mapping out of the protocol so
that the protocol itself did not lose data when changing case.  While
the clarifications could have been done without changing the basic
approach of IDNA2003, removing mapping from the protocol couldn't.
Finally, the way that IDNA2008 starts from zero characters and then
builds up the allowed set is also different.  It of course leads to
problematic cases, but I don't think any more problematic than were
already in IDNA2003.

>  IDNA2008 confused
> lookup/matching with display.  IMO, the problem being "fixed" that
> UTS46 works around is primarily a display issue.

I fail completely to see how this is the case.  The plain fact is that
DNS names are a _lousy_ UI.  But I don't see how UTS46 or IDNA2003 was
any better in this respect than IDNA2008, and I'd like to hear an
argument.

> Because IDNA2008 and IDNA2003 coexist, then implementations are
> forced into a security nightmare where users can end up at the wrong
> server, either by using a newer or older browser/OS.

Given IDNA2003 and a wide open registration policy, that's surely the
least of your problems.  The security nightmare comes from not having
sane conventions on the Internet for identifiers.  The problem is that
localizing identifiers so that they're useful and friendly for some
actual human, given the history of human writing, automatically means
that some other actual human could be tricked.  You don't need the
Internet for this: the Tower of Babel is an ancient story.  You need a
useful policy for registration.  Or else you need a protocol quite
different from the DNS.

Best regards,

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com
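The divergence the thread argues about (an IDNA2003 client and an IDNA2008 client sending a user who types the same name to two different DNS names) can be made concrete. The following is an added example, not part of the thread: Python's stdlib `idna` codec implements IDNA2003 (nameprep mapping plus punycode), and the IDNA2008 side is approximated by encoding the U-label with no protocol-level mapping step, assuming the input is already a lowercase NFC string of PVALID code points (full RFC 5892 code-point validation is out of scope). The sample labels are constructed.

```python
"""Compare IDNA2003 and IDNA2008-style A-labels for one U-label.

Hypothetical helper written for this thread, not taken from any
implementation. Shows why coexisting IDNA versions matter: the
same typed name can resolve under two different DNS names.
"""
import encodings.idna  # stdlib codec: IDNA2003 (nameprep + punycode)
import unicodedata


def idna2003_alabel(ulabel: str) -> str:
    # RFC 3490/3491 path: nameprep maps and case-folds first
    # (e.g. U+00DF 'ß' becomes 'ss'), then punycodes what is left.
    return ulabel.encode("idna").decode("ascii")


def idna2008_alabel(ulabel: str) -> str:
    # Simplified RFC 5891 view: the protocol itself does no mapping,
    # so the U-label is punycoded as-is. Assumption: caller passes a
    # canonical lowercase NFC label of PVALID code points.
    if ulabel != unicodedata.normalize("NFC", ulabel) or ulabel != ulabel.lower():
        raise ValueError("not a canonical lowercase NFC U-label")
    if ulabel.isascii():
        return ulabel
    return "xn--" + ulabel.encode("punycode").decode("ascii")


def compare(ulabel: str) -> dict:
    """Return both A-labels and whether old and new clients diverge."""
    a2003 = idna2003_alabel(ulabel)
    a2008 = idna2008_alabel(ulabel)
    return {"ulabel": ulabel, "idna2003": a2003, "idna2008": a2008,
            "diverges": a2003 != a2008}


def divergent_labels(labels):
    """Keep only labels where the two protocol versions disagree; a
    registry or zone operator can use this to spot names that need
    both forms handled by the same holder."""
    return [r for r in map(compare, labels) if r["diverges"]]


if __name__ == "__main__":
    # Constructed sample labels: one deviation case, two stable cases.
    for r in (compare("faß"), compare("bücher"), compare("example")):
        print(r)
```

For "faß" the IDNA2003 client looks up "fass" while the IDNA2008 client looks up "xn--fa-hia"; for "bücher" both agree on "xn--bcher-kva".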