Good comments, as always; thanks. I won't have time to respond in the next couple of days, but will try to shortly thereafter.<br><br>A quick note on the process: it is not the same as IETF process. The document, as you note, is not anywhere ready for publication. Editorial changes can be incorporated the public draft after approval by the editorial committee. Substantive issues can be noted in the draft for review, but take UTC decision to change one way or another. If the draft is approved at the UTC, even at that point it would not necessarily be in final form - editorial work can continue before release, again subject to approval by the editorial committee. Or the UTC could decide to have another cycle, or take other action.<br>
<br clear="all">Mark<br>
<br><br><div class="gmail_quote">On Mon, Oct 5, 2009 at 04:01, "Martin J. Dürst" <span dir="ltr"><<a href="mailto:duerst@it.aoyama.ac.jp">duerst@it.aoyama.ac.jp</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">On 2009/10/05 17:03, Mark Davis ☕ wrote:<br>
> If you have some particular suggestions regarding items in the document, you<br>
> can submit them directly via the<br></div>
> *[Feedback<<a href="http://www.unicode.org/reports/tr46/#Feedback" target="_blank">http://www.unicode.org/reports/tr46/#Feedback</a>><div class="im"><br>
> ]* link at the top. If you also want discussion of the topics, then also on<br>
> one of the Unicode mailing lists. And if you have any other suggestions for<br>
> how to bridge the compatibility gaps between IDNA2003 implementations and<br>
> IDNA2008 implementations, those suggestions would be welcome. We had a<br>
> number of people from the browser communities at the meetings, and these<br>
> were the best we could come up as yet.<br>
> *<br>
> *Mark<br>
<br></div>
Hello Mark,<br>
<br>
Just some short comments here on this list while rushing through that document. Please forward these wherever appropriate.<br>
<br>
1.3.1, Deviations, says "There are a few situations where the strict application of IDNA2008 will *always* result in the resolution of IDNs to different IP addresses than in IDNA2003."<br>
The *always* is of course wrong. The document itself later says "Unless the "DE" registry bundles", which is, as far as we know, more or less what they are going to do. The other possibility is of course that the owner of the domain name in question makes sure they get both variants. For the business example that you show, that's not a problem at all, if the business knows about the issue.<br>
<br>
In 1.3.2, Example 3. "Map <a href="http://xn--bb-eka.at" target="_blank">http://ÖBB.at</a> to http:/<a href="http://phishing.com" target="_blank">phishing.com</a>", is completely weird. If any browser or similar device wants to spoof their users, they have always been able to do this, even without the IETF's or the Unicode Consortium's permission. But such a browser would be very quickly out of business, for obvious reasons.<br>
<br>
Again in 1.3.2, it says "but adds validity constraints from IDNA2008", but then gives "http://√.com" as an okay example (currently in use, although for domain speculation only), which I'd assume is prohibited in IDNA2008 based on the LDH-equivalence rules.<br>
<br>
(Btw, I'd suggest you remove the links from (most of) your examples, because you shouldn't at the same time claim that there is potential for phishing and make it easy to happen. Another issue is that some of these links don't actually resolve, but they look like the should. (e.g. <a href="http://I" target="_blank">http://I</a>♥NY.com))<br>
<br>
I don't really like the idea of Compatible Preprocessing (section 1.4) at all. Bypassing IDNA2008 lookup by converting to punycode separately is really going too far. I thought the intent of the document was to use either IDNA2003 or IDNA2008, not to simulate IDNA2003 on top of IDNA2008 at all costs by an additional layer.<br>
<br>
Section 3, Preprocessing: "(For more about the parts of a URL, including the domain name, see [RFC3987])." I don't know why RFC 3987 is relevant here. It may be misunderstood in that the processing is applied to the whole IRI/URI. Also, RFC 3987 doesn't actually define "domain name", nor does it say which parts (of which it mentions several) of an IRI are domain names.<br>
<br>
In Section 3, Preprocessing, things such as "URI/IRI %-escapes like %2e for U+002E (.) FULL STOP." or "U+2488 ( ⒈ ) DIGIT ONE FULL STOP" are very similar in my eyes to overlong UTF-8 sequences and such, and therefore have a high potential for security problems. People who have to use %2e or U+2488 shoot themselves in their foot, and should feel it sooner rather than later. I cannot understand why this document claims to "avoid... security problems" (in the abstract) and then promotes this kind of stuff. As an aside, RFC 3986 recommends %2E in preference to %2e.<br>
<br>
Clicking on <a href="http://unicode.org/cldr/utility/list-unicodeset.jsp?a=[:toNFKC=/" target="_blank">http://unicode.org/cldr/utility/list-unicodeset.jsp?a=[:toNFKC=/</a>\./:], I get some kind of Java exception report at<br>
<a href="http://unicode.org/cldr/utility/list-unicodeset.jsp?a=%5B:toNFKC=/%5C./:%5D" target="_blank">http://unicode.org/cldr/utility/list-unicodeset.jsp?a=%5B:toNFKC=/%5C./:%5D</a><br>
<br>
Some of the steps in Section 3 are completely cryptic. As an example, what does "trusted source" in "If any label is in Punycode, and does not come from a trusted source" mean? What does "validity criteria" in "Abort with error if the label does not comply with the validity criteria" mean? (a pointer to section 5 would help)<br>
<br>
Also, in Step 3, you split, which means that in Step 5, you have several strings, but you only return one string ?!<br>
<br>
As for mapping tables, what seems to happen is that e.g. a "ß" is mapped to "ss" for lookup, but not for display. This seems to be really a bad combination: You pretend that the browser (or whatever) distinguishes between "ss" and "ß", but redirect to "ss". From a point of view of a search engine, that may be the right thing to do, but assuming that .de allows separate registrations in those cases where there is a real difference between "ss" and "ß", which I hope they will, the above will be the worst of both worlds. If my name is Straßen, and I own <a href="http://strassen.de" target="_blank">straßen.de</a>, and somebody else owns <a href="http://strassen.de" target="_blank">strassen.de</a> because his/her name is Strassen.de, then we both want to be able to make sure people get to the right place, at least once IDNA2008 is deployed.<br>
<br>
Section 5: "[Review Note: Once IDNA2008 is final, the exact specifications can be substituted for the last two bullets, making the above self-contained.]": Doing textual substitution in these cases is a really bad idea. Please keep the pointers.<br>
<br>
5.1: "Remove block description characters" -> "Remove ideographic description characters" or ""Remove ideographic description block"<br>
<br>
5.1: I don't understand how "+ [\u002D]" can add back all valid ASCII.<br>
<br>
5.2: This description doesn't help at all. What I think a reader would want to know here is how these two sets differ, not some regexp notation of yet another set.<br>
<br>
Section 8, Tactics: The title should change, maybe "Background" might work. It is completely unbelievable that the Unicode consortium would claim, in one of their TRs (in particular one that seems to be headed for "Technical Standard"), that the difference between "ss" and "ß" is essentially a display issue. Overall, this section just repeats stuff in the other sections.<br>
<br>
Section 9, first question: The entries in the table need an explanation.<br>
<br>
Section 9, advantages of IDNA2008: Yes, please keep that, it helps a reader getting a balanced overview.<br>
<br>
Section 9, disadvantages of IDNA2008, you say "More fragile in that future Unicode versions require a manual step to avoid instabilities". I don't understand that.<br>
<br>
Section 9, bidi label hopping: quotes on no or both sides.<br>
<br>
Section 9, "Are the "local" mappings just a UI issue?": This seems to imply that "<a href="http://xn--trkye-kva78a.com" target="_blank">http://türkıye.com</a>" and "<a href="http://xn--trkiye-3ya.com" target="_blank">http://türkiye.com</a>" are different under IDNA2008. In my view, this would be great. Can somebody confirm/deny? (the i/ı issue is in my view almost the only justification for having custom mappings). [If denied, you have to remove the examples.]<br>
<br>
Also, the answers of the type "Bob clicks on the link, and goes to a bad site." should be changed to "Bob clicks on the link, and doesn't find any site, or goes to a wrong (and potentially malicious) site.<br>
<br>
Also, isn't the idea of IDNA2008 to get people to only use lower case, among else? And shouldn't browsers lowercase domain names in their address field, too (as they already do with ASCII-only ones)?<br>
<br>
Also, the relationship between "It is generally understood at the W3C that all attributes that take URLs should take full IRIs, not punycoded-URIs, so for example SVG, MathML, XLink, XML, etc, all take IRIs now, as does HTML5." and its main point isn't clear to me.<br>
<br>
<br>
The whole document needs careful editing/proofreeding before publication (e.g. map map in Section 9).<br>
<br>
Section 9, "why does IDNA2003 map map final sigma (ς) to sigma (σ), map eszett (ß) to "ss", and delete ZWJ/ZWNJ?": This is trying to beautify things after the fact. What happened when these were decided upon was that the IETF was looking for a table (they didn't want to create their own, because in that specific WG, that would have opened all the doors for weird script-specific requests), and the Unicode Consortium had a table (what's now in NFKC_CaseFold), and so that was taken. There is absolutely no need for domain names to be fully case-insensitive with transitivity and round-trips. In some sense, ß and ς are indeed anomalous, but they are full parts of the orthographies of the respective languages, and at least the former is distinguishing, in particular for names.<br>
<br>
"The rough consensus among the working group": Which WG?<br>
<br>
Overall, my impression is that this document isn't yet ready for approval.<br>
<br>
[Overall, my feeling is that some of the text in this document (not all of it, of course) must feel quite a bit similar (to IETF people) to some of the text in (earlier versions? I haven't had time to read any recent versions) of the Rationale document or some earlier documents, in particular in some draft stages, on the IETF side, that the Unicode side didn't like.]<br>
<br>
<br>
Regards, Martin.<div><div></div><div class="h5"><br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Mon, Oct 5, 2009 at 00:43, Harald Alvestrand<<a href="mailto:harald@alvestrand.no" target="_blank">harald@alvestrand.no</a>>wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Mark Davis ☕ wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
The IESG may encounter implementation tactics for dealing with the old<br>
</blockquote>
and new specifications that are controversial.<br>
<br>
One set of implementation tactics is UTS#46 Unicode IDNA Compatible<br>
Preprocessing<<a href="http://www.unicode.org/reports/tr46/" target="_blank">http://www.unicode.org/reports/tr46/</a>> (in draft).<br>
<br>
</blockquote>
Yes, that's one of the controversial ones.<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
The UTC will be considering that for approval at its upcoming meeting, so<br>
people with concerns may want to discuss and submit them to the UTC.<br>
<br>
Mark<br>
</blockquote></blockquote></blockquote>
<br></div></div><font color="#888888">
-- <br>
#-# Martin J. Dürst, Professor, Aoyama Gakuin University<br>
#-# <a href="http://www.sw.it.aoyama.ac.jp" target="_blank">http://www.sw.it.aoyama.ac.jp</a> mailto:<a href="mailto:duerst@it.aoyama.ac.jp" target="_blank">duerst@it.aoyama.ac.jp</a><br>
</font></blockquote></div><br>