Forgot to "Reply to all"<br><br>---------- Forwarded message ----------<br><span class="gmail_quote">From: <b class="gmail_sendername">Mark Davis</b> <<a href="mailto:mark.davis@icu-project.org">mark.davis@icu-project.org
</a>><br>Date: Dec 16, 2006 6:49 PM<br>Subject: Re: Criteria for exceptional characters<br>To: Michael Everson <<a href="mailto:everson@evertype.com">everson@evertype.com</a>><br><br></span>Thanks, comments below.
<br><br><div><span class="q"><span class="gmail_quote">On 12/16/06, <b class="gmail_sendername">Michael Everson</b> <<a href="mailto:everson@evertype.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
everson@evertype.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
At 15:58 -0800 2006-12-16, Mark Davis wrote:<br><br>>The major problems I see with the current system* are:<br>><br>>1. It does not allow Unicode 5.0 characters.<br><br>To be honest, we MUST refer to Unicode 5.1
. Of
<br>course, all characters in Unicode 5.0 are<br>important, but if Unicode 5.1 is not taken as the<br>benchmark, the Myanmar (Burmese) script will be<br>left out, and that is simply not something that<br>can be countenanced.
</blockquote></span><div><br>According to John, we can't wait that long. What I should have added is <br><br>1a. some kind of process that makes it easy to update to successive versions of Unicode. [Having the kind of property-based approach that we are developing is a solid step in that direction.]
<br></div><span class="q"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">>2. It restricts some combinations that are required for certain languages.
<br>> a) Mn at the end of BIDI fields<br><br>This prevents Thaana from being used, as well as<br>Yiddish, and probably a number of languages which<br>use the Arabic script.</blockquote></span><div><br>right <br></div>
<span class="q"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
> b) ZWJ/NJ in limited contexts<br><br>A problem for some Brahmic scripts, at least some<br>of the major scripts of India.</blockquote></span><div><br>right <br></div><span class="q"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
>3. There are concerns about the stability of normalization<br><br>Are they valid? What are they, specifically?</blockquote></span><div><br>See <a href="http://www.unicode.org/reports/tr15/#Versioning" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://www.unicode.org/reports/tr15/#Versioning
</a> <br></div><span class="q"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">>4. There are opportunities for spoofing. This<br>>breaks down into a number of sub-problems, of
<br>>which the major ones are:<br>> a) non-letter confusables, like fraction slash<br>>in<br>><<a href="http://amazon.com/badguy.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://amazon.com/badguy.com</a>><a href="http://amazon.com/badguy.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
amazon.com/badguy.com</a><br>> b) confusable letters/numbers within mixtures<br>>of scripts, like cyrillic 'a' in paypal.<br><br>I thought we agreed to ban this kind of mixing long ago.</blockquote></span><div><br>
That is not in any of the proposals on the table (eg in internet drafts or our rule development), as far as I know. It is among the Unicode recommendations, but nobody has proposed it for the protocol. One has to be a bit careful to get the right level, given that certain orthographies (eg Japanese) use multiple scripts. For that reason, it is unclear whether this should be baked into the protocol, or up to more flexible mechanisms, like the user-agents.
<br><br>See also:<br><br><a href="http://www.unicode.org/reports/tr36/#Security_Levels_and_Alerts" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://www.unicode.org/reports/tr36/#Security_Levels_and_Alerts
</a><br></div><div><span class="e" id="q_10f8e500c2cae2ae_11"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
One ramification of this would that it would no<br>longer be possible to say that Kurdisk Ww was<br>LATIN W instead of CYRILLIC WE. We would be<br>obliged, for security's sake, to encode CYRILLIC<br>WE. There would be no disadvantage here. In fact,
<br>it would be better for Kurdish. Consider a<br>glossary of Kurdish words in its three<br>orthographies, Arabic, Latin, and Cyrillic. If<br>LATIN W and CYRILLIC WE are encoded separately,<br>it is possible to correctly sort (or search, à la
<br>Google) the multi-script list. If they are<br>unified with LATIN W (as at present), there is no<br>solution.<br><br>>c) confusable letters in same script, like <<a href="http://inte1.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://inte1.com</a>>
<a href="http://inte1.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">inte1.com</a><br>>[There is a finer breakdown in<br>><<a href="http://unicode.org/reports/tr36/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://unicode.org/reports/tr36/</a>><a href="http://unicode.org/reports/tr36/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://unicode.org/reports/tr36/
</a>]<br><br>Well worth reading.<br><br>>The reason I say "system*" is that the options<br>>for solutions can be at different points:<br>><br>>A. What should the protocol allow?<br>>B. What should a registry allow?
<br>>C. What should the user agent block (or flag, eg with raw punycode)?<br>><br>>For example, nobody has yet proposed that the<br>>protocol disallow mixtures of scripts, even<br>>though that represents by far the largest
<br>>opportunity for spoofing.<br><br>This is **NOT** correct. I have advocated this<br>more or less loudly since September 2005, when I<br>discussed the question at length with Cary Karp<br>when I was at the Sophia Antipolis meeting of WG2
<br>and advised him on the draft recommendations he<br>was writing. I continue to favour this<br>anti-spoofing solution, and if, as has been<br>suggested, Unicode script properties of<br>characters can be used to ensure that scripts are
<br>not mixed or mixable (modulo Jpan for instance)<br>then there should be no problem with this.<br><br>(The only problem I could see is that UTC would<br>have to accept CYRILLIC WE, and possibly LATIN<br>SOFT SIGN, LATIN THETA as characters used for
<br>specialist purposes. We are talking less than two<br>dozen characters here, and I'm being pretty<br>generous in my estimate. A small price to pay for<br>security.)</blockquote></span></div><div><br>see above <br></div>
<span class="q"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
>Instead, it appears that the solutions taken by<br>>the user agents are sufficient there: while the<br>>" <<a href="http://paypal.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://paypal.com</a>><a href="http://paypal.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">paypal.com</a>" case got a lot
<br>>of attention, when you look at the actual,<br>>practical impact in terms of real, reported<br>>security problems, it is not in practice<br>>significant. I have no doubt that the<br>>user-agents will continue to refine and improve
<br>>their approaches.<br><br>I don't understand how you can say that the <a href="http://paypal.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">paypal.com</a> case is "insignificant".
</blockquote></span><div><br>What I said was: "when you look at the actual, practical impact in terms of real, reported security problems, it is not in practice significant". And this is, I believe, because of steps taken in the browsers to alert users to this. Such cases are quite easy to detect in the user-agent.
<br><br>Listings of actual reported fraud using this technique, and their impact, would be useful.<br></div><span class="q"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
>So, what progress are we making?<br>><br>>1. Looks like we have a solution<br><br>*If* Unicode 5.1, and *if* IETF bites the bullet<br>and realizes that there will be a Unicode 6, and<br>7, and 8, which may have needed characters. (No,
<br>Vint, I'm not talking about non-essential<br>characters.)</blockquote></span><div><br>see above <br></div><span class="q"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
>2a. Also looks like we have a solution<br><br>If we change the rule.</blockquote></span><div><br>Everything I have to say is conditional on successful completion. What I mean by "we have a solution" is that it looks like we have consensus on an approach.
<br></div><span class="q"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">>2b. Not yet consensus on this<br><br>Going to have to bite this bullet for some
<br>scripts, but if script properties are accessed,<br>and the use of the joiners is restricted to<br>certain script (or even certain character)<br>environments, this may not be a problem.</blockquote></span><div><br>See also
<a href="http://www.unicode.org/review/pr-96.html" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://www.unicode.org/review/pr-96.html</a><br></div><span class="q"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">>3. Looks like we have a solution (restrict the
<br>>sequences that could change between 3.2 and 5.0;<br>>the Unicode consortium is tightening stability<br>>to disallow further changes)<br><br>Please create a separate thread to discuss this particular issue.</blockquote>
</span><div><br>If and when it requires further discussion.<br></div><span class="q"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">>4a. Our proposed rules fix this. By tossing out
<br>>all non-LMN, we remove the bad cases. Although<br>>the problematic characters are a small fraction<br>>of the few thousand characters in question, most<br>>of which are not problematic, there is general<br>
>agreement that as a class these are not needed,<br>>and we are not worried about tossing out any<br>>babies with the bathwater.<br><br>The list should be reviewed. I'm not saying you<br>haven't done a good job, but I haven't reviewed
<br>it, and I don't know if anyone else has either.</blockquote></span><div><br>The lists are there, and Patrik, Ken, myself and others have been working on them. If you are going to review them, you can start anytime ;-)
<br></div><span class="q">
<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">>4b. We're not tackling this in the protocol,<br>>leaving it up to user agents (and to some degree
<br>>registries).<br><br>I think it is NOT A GOOD IDEA not to tackle this<br>in the protocol. I think IT WOULD BE A VERY GOOD<br>IDEA for this to be dealt with in the protocol.<br>It would be far safer for the end user, because
<br>there would be no danger of error (intentional or<br>unintentional) on the part of agents or<br>registries. We *should* police this because we<br>can.</blockquote></span><div><br>I have no strong feeling either way. It is not difficult to do this in the user-agent.
<br></div><span class="q"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">>4c. Here I also suspect that the principle<br>>solution is in the user agents, but what we can
<br>>do at the protocol level is to make some<br>>exclusions where there are clear cases that we<br>>can handle via well-established properties, or<br>>particular exception cases where we add or<br>>remove particular characters(s). What we have
<br>>done so far is to toss out certain classes of<br>>characters that are clearly not needed for<br>>modern languages (historic scripts). [Here<br>>again, frankly, their removal doesn't<br>>fundamentally reduce spoofability, but it does
<br>>little hard to remove them. But because there is<br>>not much benefit to their removal, we don't<br>>really need to argue whether there is a real<br>>need for ones like Runic, because there aren't<br>>really demonstrable problems with allowing it,
<br>>given solutions in (4b).]<br><br>For this I suspect that the best we can do is<br>make recommendations. STRONG recommendations<br>based on real linguistic knowledge and data.<br>Recommendations so strong that a given registry
<br>should have to give reasons for deviating from<br>them.</blockquote></span><div><br>We're only discussing here the protocol. The question of who can force registries to "give reasons" is not one I want to get into here.
<br></div><span class="q"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">>(4c) is where your current question falls. These<br>>are characters that are not covered by the rules
<br>>we have developed so far. My suggestion for<br>>criteria are:<br>><br>>A. If there is clearly defined class of<br>>characters that are clearly never needed in<br>>modern languages (in this case Hebrew/Yiddish),
<br>>we can exclude them.<br><br>"In this case"? But I agree, linguistic expertise<br>can help weed out characters which are really not<br>needed.</blockquote></span><div><br>"in this case": Cary was raising this issue with regard to certain Hebrew characters.
<br></div><div><span class="e" id="q_10f8e500c2cae2ae_31"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">>B. If there are particular characters that may
<br>>be used as a normal part of the language that we
<br>>want to consider including or excluding, then we<br>>consider two factors in weighing the question:<br>><br>> B1. Can this character cause a spoofing<br>>problem in a monoscript string, and if so, how
<br>>severe is the problem?<br>><br>> B2. Is this character used in the regular<br>>orthography of a modern language, and if so, how<br>>essential is it?<br><br>Good questions, requiring linguistic expertise.
<br>This would be a "white list" sort of thing, not<br>something that could be done algorithmically.<br><br>>We want to keep the exceptional characters<br>>(included or excluded) that are not covered by<br>
>the normal rules we've developed so far to a<br>>minimum, so only those with a large negative<br>>weight should get exceptionally excluded, and<br>>only those with a high positive weight get<br>>exceptionally included.
<br><br>Agreed.<br><br>>For example, a character that looks like a<br>>period or a slash (important syntax characters<br>>in URLs), and is optional in the language (eg<br>>used in abbreviations, but not regular words)
<br>>gets a large negative weight. A character that<br>>doesn't look like a syntax character or another<br>>Hebrew character, and is required by common<br>>Hebrew or Yiddish words would get a high<br>>positive weight.
<br><br>Well, the Ethiopic wordspace looks like a colon<br>to readers of Latin script, and from a distance,<br>though its dots are square and not round.<br>However, it can ONLY occur between two ethiopic<br>SYLLABLEs, and (obviously) if it were entered
<br>accidentally inside "http://" it would cause no<br>difficulty, because that would be no different<br>from entering "http$//" -- it would have no<br>effect because it is not a protocol element.</blockquote>
</span></div><div><br>This is where one has to have a more thorough knowledge of the syntax, which the DNS honchos here can obviously supply. For example, a URL can contain a colon in several other positions,</div><span>
such as:<br><br>
http://<user>:<password>@<host>:<port>/<url-path><br><br>From your end, any characters that you can identify that could cause problems would be useful. That is, they are typically letters that resemble either other letters, or the ASCII syntax characters (dot, colon, slash, ...)
<br><br>A good place to start is the data table in <a href="http://www.unicode.org/reports/tr39/#Confusable_Detection" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://www.unicode.org/reports/tr39/#Confusable_Detection
</a><br><br>We have some mappings there, but we can definitely add more. Eg for colon we have currently:
<br><br></span><pre>FF1A ; 003A ; SA #* ( : → : ) FULLWIDTH COLON → COLON # {nfkc:65307}<br>0589 ; 003A ; SA #* ( ։ → : ) ARMENIAN FULL STOP → COLON # {source:12}<br>FE30 ; 003A ; SA #* ( ︰ → : ) PRESENTATION FORM FOR VERTICAL TWO DOT LEADER → COLON # {source:3328}
<br><br>05C3 ; 003A ; SA #* ( ׃ → : ) HEBREW PUNCTUATION SOF PASUQ → COLON # {source:13}</pre><span class="q"><span><br>> I think we are making progress, and I hope my comments are helpful.<br></span></span><div><br>Yes, thanks.
<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
--<span class="q"><br>Michael Everson * <a href="http://www.evertype.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://www.evertype.com</a><br>_______________________________________________
<br>Idna-update mailing list<br><a href="mailto:Idna-update@alvestrand.no" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">Idna-update@alvestrand.no
</a><br><a href="http://www.alvestrand.no/mailman/listinfo/idna-update" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://www.alvestrand.no/mailman/listinfo/idna-update</a><br></span></blockquote>
</div><br>