Unicode 7.0.0, (combining) Hamza Above, and normalization

Shawn Steele Shawn.Steele at microsoft.com
Fri Aug 8 02:36:24 CEST 2014

> Well, maybe and maybe not.  Some of the users of this protocol are naïve users of it -- they don't even know they're using a protocol.
> It might be (I don't yet have an opinion) that doing things in a way that is less likely to lead to attacks against those people is worth making > either the protocol or the protocol-implementation advice more complicated.  Presumably, implementers have a greater reason to become > familiar with the picky exceptional cases.

I think it's dangerous to assume that fixing this lessens any risk of any attacks.  It was mentioned in another mail that if Unicode had picked a different name this may not have even been noticed.  There are likely many similar-looking things that fit in a similar bucket and have escaped notice.  IMO thinking that anything is more secure by clamping down on this one character is a bit naïve.


More information about the Idna-update mailing list