[idn] Re: CDNC Final Comments on Last call of IDN drafts

[Simon Josefsson <simon+idn@josefsson.org>]

Dave Crocker <dhc@dcrocker.net> writes:

>>the architecture of IDN defined in the above three documents
>>does not solve the traditional and simplified Chinese character
>>variant problem: it's a half-baked solution for Chinese users.
>
> It has never been a goal of IDN to create equivalence between
> different character sets.

This means IDN is not guaranteed to be secure on non-Unicode systems.
There are alot of non-Unicode systems out there today...

>>That will cause serious delegation problem in the application
>>of Chinese Domain Name.
>
> The problem of equivalence between different character sets exists
> more broadly, so that the IDN situation is merely an example of a
> larger problem.  That problem needs to be solved for the general case.
>
> IDN chose Unicode, so that IDN was not required to invent basic
> technology for representing different character sets.
>
> Similarly, IDN should not invent solutions for equivalence between
> different character sets.
>
> When standards bodies for character sets define such equivalences, and
> when those equivalences gain popularity, it might be appropriate for
> the IDN effort to consider incorporating these new standards.

This isn't an adequate solution IMHO, when the consequences of errors
made by such standard bodies, or conflicts between different standard
bodies, or different interpretations of said standards, or changes
between different versions of those standards, or simply a complete
lack of standardisation in the area (which is the situation today),
may be exploitable for attacking systems on the Internet.

(The details of how to attack systems based on charset equivalence
mapping tables differences, or changes in Unicode decomposition
tables, has been discussed recently on the IDN list.)