That works for me.<br><br>Thanks,<br><br clear="all">Mark<br>
<br><br><div class="gmail_quote">On Wed, Dec 10, 2008 at 06:48, John C Klensin <span dir="ltr">&lt;<a href="mailto:klensin@jck.com">klensin@jck.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
<br>
--On Wednesday, 10 December, 2008 15:35 +0100 Harald Alvestrand<br>
<div class="Ih2E3d">&lt;<a href="mailto:harald@alvestrand.no">harald@alvestrand.no</a>&gt; wrote:<br>
<br>
>> Harald (not to pick on him) also wrote "Having re-read the<br>
>> security considerations on -bidi, I fail to see how it's<br>
>> possible to comprehend these few paragraphs without just<br>
</div>>>...<br>
<div class="Ih2E3d">> Despite not being picked on, I choose to pick back.<br>
><br>
> Again, we are discussing this text:<br>
><br>
> This modification will allow some strings to be used in<br>
> Stringprep<br>
> contexts that are not allowed today. It is possible that<br>
> differences<br>
> in the interpretation of the specification between old and<br>
> new<br>
> implementations could pose a security risk, but it is<br>
</div>>...<br>
<div class="Ih2E3d">> For some of the strings allowed (the ZWNJ in particular), it<br>
> is extremely easy to envision how the difference in<br>
> implementation could pose a security risk, so the statement is<br>
> false for the whole IDNABIS suite. It is, however, true for<br>
> -bidi.<br>
><br>
> There are no other places in IDNABIS where the difference<br>
> between display order and network order matters, so the second<br>
> paragraph is meaningless in any other context than -bidi.<br>
><br>
> I think we agree that the third paragraph is -bidi specific.<br>
><br>
> I stand by my judgment: All three paragraphs are -bidi<br>
> specific, and are best kept in -bidi.<br>
<br>
</div>Having heard from Pasi (one of the security ADs) who expressed a<br>
slight preference for consolidation, but mostly wanted to be<br>
sure that the cross references are correct and normative, and<br>
finding the above persuasive, I propose the following:<br>
<br>
(1) We consolidate the security considerations material<br>
from Defs, Protocol, Tables, and Rationale into Defs,<br>
with copious cross-references, including a reference to<br>
Bidi and a brief comment about why its issues are<br>
separate. As noted earlier, that will require some<br>
textual tuning. I expect the WG, and especially those<br>
who seem to think that this issue is important, to<br>
carefully check that changed/tuned text as soon as it<br>
appears.<br>
<br>
(2) We leave the Bidi discussion where it is, both for<br>
the reasons Harald identified in his note and as a<br>
logical consequence of the reasons we decided to keep<br>
the Bidi document separate. We should, IMO, get the<br>
Stringprep reference out of that discussion, but that is<br>
almost a separate issue.<br>
<br>
And, FWIW, I again ask that people keep their eyes on the target<br>
of getting the substantive issues right and getting this work<br>
done, and done soon, rather than debating moving text around for<br>
aesthetic reasons that do not really affect the underlying<br>
specifications.<br>
<font color="#888888"><br>
john<br>
</font><div><div></div><div class="Wj3C7c"><br>
<br>
<br>
_______________________________________________<br>
Idna-update mailing list<br>
<a href="mailto:Idna-update@alvestrand.no">Idna-update@alvestrand.no</a><br>
<a href="http://www.alvestrand.no/mailman/listinfo/idna-update" target="_blank">http://www.alvestrand.no/mailman/listinfo/idna-update</a><br>
</div></div></blockquote></div><br>