Here is suggested text.<br><pre class="newpage"> This modification will allow some strings to be used in Stringprep<br> contexts that are not allowed today. It is possible that differences<br> in the interpretation of the specification between old and new<br>
implementations could pose a security risk, but it is difficult to<br> envision any specific instantiation of this.<br><br> Any rational attempt to compute, for instance, a hash over an<br> identifier processed by Stringprep would use network order for its<br>
computation, and thus be unaffected by the changes proposed here.<br> While it is not believed to pose a problem, if display routines had<br> been written with specific knowledge of the <a href="http://tools.ietf.org/html/rfc3454">RFC 3454</a> Stringprep<br>
prohibitions, it is possible that the potential problems noted under<br> "backwards compatibility" could cause new kinds of confusion.</pre>
<add><br>The requirements stated in Section 3. "A requirement set for the BIDI rule" avoid some of the problems for visual confusion with bidi labels that can lead to security problems. However, it needs to be recognized that while the rules in IDNA2008 have these requirements as goals, IDNs are not guaranteed to meet those requirements. Two sources of unexpected rearrangement are:<br>
(a) if programs are not conformant to the Unicode Standard for BIDI, they may reorder characters in an unexpected fashion.<br>(b) because intralabel checks are not required, unexpected reordering may occur as discussed in "Section 5. Troublesome situations and guidelines".<br>
<end><br><br>Mark<br>
<br><br><div class="gmail_quote">On Mon, Dec 22, 2008 at 02:52, Harald Alvestrand <span dir="ltr"><<a href="mailto:harald@alvestrand.no">harald@alvestrand.no</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Mark Davis wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">
<br>
Security Considerations (Defs/BIDI) still needs to:<br>
<br>
<br></div>
1. document how the compatibility problems between 2003 and 2008<div class="Ih2E3d"><br>
can cause security problems<br>
(See <a href="http://docs.google.com/Doc?id=dfqr8rd5_361dwv9cff8" target="_blank">http://docs.google.com/Doc?id=dfqr8rd5_361dwv9cff8</a> ). Some<br>
of this is in Rationale, but needs to be added or referenced,<br>
while other parts are missing. I can supply some suggested text<br>
if desired.<br>
<br>
</div></blockquote>
I think Bidi is adequate on this point.<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
1. document the security issues that can arise in BIDI where Label<div class="Ih2E3d"><br>
Uniqueness and Character Grouping are not maintained. (These<br>
goals cannot be guaranteed because of intra-label issues and<br>
variance among bidi implementations).<br>
<br>
</div></blockquote>
Send text.<br>
<br>
</blockquote></div><br>