wrt IDNA2003->IDNA2008 transition (was: IDN processing-related, security considerations for draft-ietf-websec-strict-transport-sec)

Shawn Steele Shawn.Steele at microsoft.com
Fri Oct 7 21:46:23 CEST 2011


>  But IDNA2008 wasn't done because we didn't have anything else to do; it was done because people saw some real deficiencies of IDNA2003, and wanted to address those. 

Because their names didn't "look right".  IDNA2008 confused lookup/matching with display.  IMO, the problem being "fixed" that UTS46 works around is primarily a display issue.

There's still a "display" and "matching" issue.  For example, German can have multiple spellings of a name, like oe instead of o-umlaut.  

Because IDNA2008 and IDNA2003 coexist, implementations are forced into a security nightmare where users can end up at the wrong server, either by using a newer or older browser/OS.  That is terribly scary for security, particularly since the alternate name(s) aren't bundled or prohibited by default.

-Shawn
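The "wrong server" point in the message above can be made concrete. The following is an added illustration, not code from this post or from the Idna-update list: it runs the same U-label through Python's standard-library "idna" codec (which implements IDNA2003 Nameprep + Punycode) and through a deliberately simplified model of IDNA2008 lookup that applies no Nameprep case-fold mapping. The model is an assumption for illustration only: real IDNA2008 also enforces PVALID/CONTEXT rules and rejects uppercase, which this skips. The sample domains are constructed. For the German ß (a UTS46 "deviation" character) the two protocols yield different A-labels, so the same typed name can resolve to two different registrations; for ö they agree.

```python
import unicodedata


def label_to_ascii_idna2003(label: str) -> str:
    """IDNA2003 ToASCII via the stdlib codec (Nameprep + Punycode).

    Nameprep case-folds, so U+00DF (sharp s) becomes "ss" and the
    label "straße" is sent on the wire as plain "strasse".
    """
    return label.encode("idna").decode("ascii")


def label_to_ascii_idna2008_model(label: str) -> str:
    """Simplified IDNA2008-style lookup (assumption, not a full implementation).

    No case-fold mapping is applied, so deviation characters such as U+00DF
    survive and are Punycode-encoded as-is. Lowercasing and NFC stand in for
    the UTS46 mapping step; PVALID/CONTEXT checks are omitted on purpose.
    """
    if label.isascii():
        # Mirror the stdlib shortcut: pure-ASCII labels pass through untouched.
        return label
    nfc = unicodedata.normalize("NFC", label.lower())
    return "xn--" + nfc.encode("punycode").decode("ascii")


def domain_to_ascii(domain: str, per_label) -> str:
    # Both protocols operate label by label; dots stay as separators.
    return ".".join(per_label(part) for part in domain.split("."))


def divergences(domains):
    """Return {domain: (idna2003_form, idna2008_form)} for every domain whose
    wire form differs between the two protocols, i.e. where an old and a new
    resolver would ask DNS for different names."""
    result = {}
    for d in domains:
        old = domain_to_ascii(d, label_to_ascii_idna2003)
        new = domain_to_ascii(d, label_to_ascii_idna2008_model)
        if old != new:
            result[d] = (old, new)
    return result


# Constructed sample names (not real registrations).
SAMPLE_DOMAINS = ["straße.example", "köln.example", "koeln.example"]

if __name__ == "__main__":
    for dom, (old, new) in divergences(SAMPLE_DOMAINS).items():
        print(f"{dom}: IDNA2003 -> {old}  |  IDNA2008 -> {new}")
```

Running the block prints only the ß case: IDNA2003 resolves "straße.example" as "strasse.example" while the IDNA2008-style path resolves it as "xn--strae-oqa.example". Unless a registry bundles or blocks one of the two, those are independently registrable names, which is exactly the coexistence hazard described above. Note that "koeln" versus "köln" is a different matter: both protocols treat them as unrelated names, so that spelling variant is a display/registration-policy issue rather than a protocol transition issue.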

