Standards and localization (was Dot-mapping)
Erik van der Poel
erikv at google.com
Sat Dec 8 18:04:06 CET 2007
There certainly is a danger, but I don't think it's limited to the
non-ASCII dots, nor would I draw the same conclusion.
If we had the string mit.edu in an email, where the 'm' was full-width
and .edu was operated by an unscrupulous or error-prone registry
operator, cutting and pasting that string into an IDNA-unaware browser
would take the user to the wrong MIT.
And this isn't even limited to characters that are mapped in IDNA2003.
If we had paypal.com in an email, where the first 'a' was Cyrillic and
the .com operator was unscrupulous/error-prone, the user would be
taken to the wrong Paypal.
Since MSIE 7 and Firefox enjoy large market shares, we are going to
see more and more strings with characters that are mapped by IDNA2003,
whether those characters are non-ASCII dots, non-ASCII upper-case or
full-width. So instead of removing these mappings from IDNA and making
them less visible to the developers that need to be warned about these
issues, the mappings should be included in IDNA200X, either in the
protocol spec or as a normative reference from the protocol spec. If
there is no reference to the mapping spec, or only an informative one,
we run the risk of some developers not seeing the warnings.
On Dec 8, 2007 7:40 AM, YAO Jiankang <yaojk at cnnic.cn> wrote:
> ----- Original Message -----
> From: "John C Klensin" <klensin at jck.com>
> To: "Vint Cerf" <vint at google.com>
> Cc: "Yangwoo Ko" <newcat at icu.ac.kr>; "YAO Jiankang" <yaojk at cnnic.cn>; <idna-update at alvestrand.no>; <fujiwara at jprs.co.jp>
> Sent: Saturday, December 08, 2007 10:53 PM
> Subject: Re: Standards and localization (was Dot-mapping)
> > Vint,
> > Sorry. Yes, you are correct. I changed the example a couple of
> > times because I was thinking about trying to make an additional
> > point, then decided against that and forgot to change the
> > parsing component parts of the examples.
> > john
> > --On Saturday, 08 December, 2007 09:36 -0500 Vint Cerf
> > <vint at google.com> wrote:
> >> john,
> >> I think there might have been an error in your example.
> >> I would have thought that the non-IDNA browser which thinks
> >> "." is the separator and does not know that "?" is intended
> >> to be a separator would parse the underlined string below
> >> into:
> >> "www" "xn--0xaat?example" and "com"
> >> your point is still correctly made - just the parsing looked
> >> wrong.
> >> vint
> >> On Dec 8, 2007, at 8:15 AM, John C Klensin wrote:
> >>> http://www.xn--0xaat?example.com/
> >>> I copy that out and paste it into my browser, which we are
> >>> still assuming is not IDNA-aware.
> Dear John,
> Thans a lot for your good example.
> At first, we must be sure that the domain "xn--0xaat?example.com" is a IDN since it includes the non-ascii character.
> at second ,
> RFC3490 said " Whenever a domain name is put into an IDN-unaware domain name slot
> (see section 2), it MUST contain only ASCII characters. "
> Your browser in your example is an IDN-unaware domain name slot.
> "I copy that out and paste it into my browser" is trying to put the IDN into an IDN-unaware domain name slot.
> This is not allowed by RFC3490.
> So you can not do so by puting IDN into an IDN-unaware domain name slot.
> It violates the requirment of RFC3490.
> if you put IDN into an IDN-unaware domain name slot, I am sure that it will cause some problems.
> YAO Jiankang
> >>>Because the browser is not
> >>> IDNA-aware, the domain name is parsed into
> >>> "www?xn--0xaat", "example" and "com"
> if you put IDN into an IDN-unaware domain name slot, you violate the RFC3490. so you can not do so.
> > _______________________________________________
> > Idna-update mailing list
> > Idna-update at alvestrand.no
> > http://www.alvestrand.no/mailman/listinfo/idna-update
> Idna-update mailing list
> Idna-update at alvestrand.no
More information about the Idna-update