Unicode 7.0.0, (combining) Hamza Above, and normalization

Andrew Sullivan ajs at anvilwalrusden.com
Fri Aug 8 13:06:22 CEST 2014


On Fri, Aug 08, 2014 at 12:36:24AM +0000, Shawn Steele wrote:
> 
> I think it's dangerous to assume that fixing this lessens any risk
> of any attacks. 

In my opinion, this conversation would go better if we each attended
to making the most modest claims possible.  I don't think anyone is
arguing that addressing this particular issue is going to solve all
problems.  I'm not even sure that what is needed is a protocol change;
maybe what is actually needed is advice for IDNA zone operators.  At
the same time, it would appear to be self-evident that, if one
addressed this issue completely, it would foil attacks using the
particular code points in question.

> It was mentioned in another mail that if Unicode
> had picked a different name this may not have even been noticed.

Yes; and frankly, that is why we are having a discussion about the
topic.  We developed IDNA2008 with a particular understanding of the
consequences of the normalization and stability rules.  It would
appear that at least some of us had the wrong understanding, and the
implications of the actual rules are different to what we'd believed.
That raises the question of whether the fundamental cross-versioning
assumption was right.  In other words, with this new bit of
information, it might be that the entire "inclusion" approach is
riskier than previously thought, and that we need to recalibrate our
risk understanding (and then decide whether the risk is worth the
reward).

This has, note, not just implications for IDNA2008.  We have a whole
working group (PRECIS) that is busy attempting to use the same
strategy in a generalized way for other protocols.  It hasn't shipped
yet, but it's gone to the IESG.  So we can't just shrug our shoulders.

> There are likely many similar-looking things that fit in a similar
> bucket and have escaped notice.

All the more reason to concern ourselves with it, no?

Best regards,

A
-- 
Andrew Sullivan
ajs at anvilwalrusden.com
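The normalization behaviour the thread is about, shown as an added example that is not part of Andrew Sullivan's mail or of any IDNA specification. It assumes the code points at issue are U+08A1 ARABIC LETTER BEH WITH HAMZA ABOVE (new in Unicode 7.0.0) and the older sequence U+0628 ARABIC LETTER BEH + U+0654 ARABIC HAMZA ABOVE, which the mail does not name, and sketches the kind of variant check a zone operator could apply instead of relying on NFC alone.

```python
import unicodedata

# Assumed code points (the mail names none): Unicode 7.0.0 added U+08A1 as an
# atomic letter with no canonical decomposition, so NFC never maps it to, or
# from, the visually identical two-code-point sequence U+0628 U+0654.
PRECOMPOSED = "\u08a1"
SEQUENCE = "\u0628\u0654"


def nfc(s: str) -> str:
    """Normalization Form C, the form IDNA2008 labels are compared in."""
    return unicodedata.normalize("NFC", s)


def has_decomposition(ch: str) -> bool:
    """True if the character carries a decomposition mapping in the UCD."""
    return unicodedata.decomposition(ch) != ""


def same_under_nfc(a: str, b: str) -> bool:
    """The comparison IDNA2008 relies on; it treats the two spellings as distinct."""
    return nfc(a) == nfc(b)


def hamza_variants(label: str) -> set:
    """Return the label together with its alternate Hamza-above spelling.

    This is the registry-side bundling a zone operator would need, because
    normalization will not unify the two forms for them.
    """
    variants = {nfc(label)}
    if PRECOMPOSED in label:
        variants.add(nfc(label.replace(PRECOMPOSED, SEQUENCE)))
    if SEQUENCE in label:
        variants.add(nfc(label.replace(SEQUENCE, PRECOMPOSED)))
    return variants


def conflicts_with_registered(candidate: str, registered) -> set:
    """Registered labels that collide with any spelling of `candidate`."""
    return hamza_variants(candidate) & {nfc(r) for r in registered}


if __name__ == "__main__":
    # Constructed registry holding only the precomposed spelling.
    registry = [PRECOMPOSED]
    print("decomposition present:", has_decomposition(PRECOMPOSED))
    print("equal under NFC:", same_under_nfc(PRECOMPOSED, SEQUENCE))
    print("conflicts:", conflicts_with_registered(SEQUENCE, registry))
```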