wrt IDNA2003->IDNA2008 transition (was: IDN processing-related, security considerations for draft-ietf-websec-strict-transport-sec)
Shawn Steele
Shawn.Steele at microsoft.com
Fri Oct 7 21:46:23 CEST 2011
> But IDNA2008 wasn't done because we didn't have anything else to do; it was done because people saw some real deficiencies of IDNA2003, and wanted to address those.
Because their names didn't "look right". IDNA2008 confused lookup/matching with display. IMO, the problem being "fixed" that UTS46 works around is primarily a display issue.
There's still a "display" and "matching" issue. For example, German can have multiple spellings of a name, like oe instead of o-umlaut.
Because IDNA2008 and IDNA2003 coexist, implementations are forced into a security nightmare where users can end up at the wrong server, either by using a newer or older browser/OS. That is terribly scary for security, particularly since the alternate name(s) aren't bundled or prohibited by default.
-Shawn
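The divergence Shawn describes can be reproduced on a single machine. The following is an added example, not part of this message or of any IDNA working-group code: it runs one user-typed host name through Python's standard-library "idna" codec (which implements the IDNA2003 generation, RFC 3490/3491 nameprep plus punycode) and through a minimal IDNA2008-style encoder written for this example, then reports whether the two produce different DNS names. The IDNA2008 side is an assumption-laden stand-in: it applies no mapping step (that is what UTS #46 adds on top of IDNA2008) and substitutes a crude check (reject upper case and anything NFKC would change) for the RFC 5892 derived-property table. A production client would use a real IDNA2008 library; the comparison is the point.

```python
"""
Added example (not from the mailing-list thread): show how one typed host name
yields different DNS names under IDNA2003 versus IDNA2008.

Assumptions: the IDNA2008 encoder below is an approximation written for this
example only. It does no mapping (no UTS #46 step) and uses a rough stand-in
for the RFC 5892 code-point table.
"""
import unicodedata


def to_ascii_idna2003(name: str) -> str:
    # Python's stdlib "idna" codec is IDNA2003: nameprep maps and case-folds
    # each label (e.g. U+00DF sharp s becomes "ss") before punycode-encoding.
    return name.encode("idna").decode("ascii")


def to_ascii_idna2008_approx(name: str) -> str:
    # Approximation of IDNA2008 for this example: no mapping at all, and a
    # crude validity check in place of the RFC 5892 table. Raises ValueError
    # for a label it would disallow (upper case, compatibility characters).
    labels = []
    for label in name.split("."):
        if unicodedata.normalize("NFC", label) != label:
            raise ValueError(f"label {label!r} is not in NFC")
        if label != unicodedata.normalize("NFKC", label) or label != label.lower():
            raise ValueError(f"label {label!r} contains code points IDNA2008 disallows")
        if label.isascii():
            labels.append(label)
        else:
            # IDNA2008 keeps PVALID code points such as U+00DF as-is, so the
            # label is punycode-encoded rather than folded to ASCII letters.
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def compare(name: str):
    """Return (idna2003_form, idna2008_form_or_None, divergent).

    divergent is True when both generations accept the name but send the
    user to two different DNS names, which is the case a registrar would
    need to bundle or block.
    """
    old = to_ascii_idna2003(name)
    try:
        new = to_ascii_idna2008_approx(name)
    except ValueError:
        new = None
    return old, new, (new is not None and old != new)


if __name__ == "__main__":
    # Constructed sample inputs for the demo.
    for host in ("faß.de", "bücher.de", "Bücher.de", "example.com"):
        print(host, "->", compare(host))
```

"faß.de" is the classic case: IDNA2003 folds it to "fass.de", while IDNA2008 registers "xn--fa-hia.de", a different zone owned by whoever holds that name. "bücher.de" is the same under both, which is the common situation and why the divergent names are easy to overlook. An upper-case input shows the other half of the problem: IDNA2008 proper rejects it outright, and it is the separate mapping layer (UTS #46, or a client's own preprocessing) that decides what the user actually reaches.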
More information about the Idna-update mailing list