Re: [idn] Determining equivalence in Unicode DNS names

["Adam M. Costello" <idn.amc+0@nicemice.net.RemoveThisWord>]

I tried sending the attached message on Monday, but it mysteriously
vanished.  Let's see if it gets through this time.

AMC

--- Begin Message ---

• To: idn@ops.ietf.org
• Subject: Re: [idn] Determining equivalence in Unicode DNS names
• From: "Adam M. Costello" <idn.amc+0@nicemice.net.RemoveThisWord>
• Date: Mon, 14 Jan 2002 23:14:24 +0000
• In-reply-to: <200201141957.g0EJvIe04598@scv1.apple.com>
• References: <200201141957.g0EJvIe04598@scv1.apple.com>
• Reply-to: IETF idn working group <idn@ops.ietf.org>
• User-agent: Mutt/1.3.24i

Stuart Cheshire <cheshire@apple.com> wrote:

> It seems to me that one of the great problems of IDN is one that is
> fundamentally unsolvable: an attempt to determine, once and for all
> time, a single global set of rules for deciding if two strings are
> "equal" or "equivalent".

You're right that we have no hope of defining a single global set of
rules for equivalence of *strings*.  But we don't need that for IDN.
We merely need a single global set of rules for equivalence of domain
labels.  IDNA defines those rules.

> The problem as I see it, right now, is that if a client asks for the
> address record for "www.pépsi.com." (with an accent), and it gets back
> a DNS reply with an answer giving the address for "www.pepsi.com."
> (without an accent), then the client will ignore the answer.

Indeed, because pépsi and pepsi are two distinct labels.  This is like
today, if a client asks for colour.com, then it will ignore a response
telling the address of color.com.  The server needs to answer the
question that was asked, not some other question that it considers
"close enough".

> If a client tries to look up "www.pépsi.com.", and the "com" name
> servers have been configured to treat "pépsi" as equivalent to
> "pepsi", then they return the answer for "pepsi.com.", and in the
> reply they also include a (programatically generated) DNAME record
> which *tells* the client and any intervening caching resolvers that
> these two names are equivalent:

Assuming DNAME is understood by the caches and clients, you could indeed
do that.  But this does not necessarily yield full equivalence between
pepsi.com and pépsi.com.  In the existing (pre-IDN) model, comparison
of two names for equivalence has never required a DNS lookup.  If
someone has visited pepsi.com and then visits a page containing links to
pépsi.com, will those links be colored correctly?  Probably not.  If an
SSL connection is used, and the certificate uses the name pepsi.com, but
the client used pépsi.com, will the SSL library believe that the server
is authentic?  I doubt it.

AMC

--- End Message ---