[idn] Re: Unicode and Security



At 01:21 PM 2/7/02 -0500, Elliotte Rusty Harold wrote:

>I'm not sure Unicode can be fixed at this point. The flaws may be too
>deeply embedded. The real solution may involve waiting until companies and
>people start losing significant amounts of money as a result of the flaws
>in Unicode, and then throwing it away and replacing it with something else.

This sounds nice and dramatic, but misses the point that the kinds of
issues you highlighted are absolutely common to *all* character sets
containing Latin and Greek, or Latin and Cyrillic characters, suggesting
that you are simply grandstanding here, instead of trying to find real
solutions to your problem.

Earlier, you accused Unicode of being in denial about security issues: It
is you who is in denial about some underlying realities, among which is
that there are security issues that cannot be "fixed" by designing a
'better' character set. You remind me of the people who keep on designing
perpetual motion devices, even after the laws of thermodynamics proved the
futility of such efforts.

If you are interested in advancing security you would stop barking up
this blind alley and focus your energy on attacking the problems with other
means. Plenty of suggestions have been made in this space over the last few
days. Some or all of these should be explored. But if we learned anything
useful in this exchange, it is that no security scheme should be designed
so that it is dependent on the character encoding as primary defense
against spoofing. Doing so would burden the character encoding with a task
it will never be capable of fulfilling, since it would mean seriously
compromising support for the tasks for which it was created in the first
place.

A./
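
An added illustration, not part of the original message: the Python sketch below checks the claim that Latin/Cyrillic lookalikes exist in pre-Unicode character sets too, and shows a mixed-script check applied above the encoding layer. The sample strings, the codec list and all function names are assumptions constructed for this example.

```python
import unicodedata

# Legacy 8-bit character sets that contain both ASCII Latin and Cyrillic.
LEGACY_CODECS = ("koi8_r", "iso8859_5", "cp1251")

# Constructed sample pair: the second string swaps Latin "a" for
# U+0430 CYRILLIC SMALL LETTER A, which renders almost identically.
GENUINE = "example"
LOOKALIKE = "ex\u0430mple"

def script_of(ch):
    """Coarse script tag derived from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return None  # digits, punctuation and other script-neutral characters

def scripts_in(label):
    """Set of scripts used by the letters of a label."""
    return {s for s in map(script_of, label) if s}

def is_mixed_script(label):
    """True when one label mixes letters from more than one script.
    Limitation: a label written wholly in one script is not flagged."""
    return len(scripts_in(label)) > 1

def encode_or_none(label, codec):
    """Bytes of the label in the codec, or None if not representable."""
    try:
        return label.encode(codec)
    except UnicodeEncodeError:
        return None

def legacy_codecs_with_same_confusion(genuine, lookalike):
    """Codecs in which both strings are representable as distinct byte
    sequences, i.e. the visual confusion exists without Unicode."""
    hits = []
    for codec in LEGACY_CODECS:
        a = encode_or_none(genuine, codec)
        b = encode_or_none(lookalike, codec)
        if a is not None and b is not None and a != b:
            hits.append(codec)
    return hits

if __name__ == "__main__":
    print(legacy_codecs_with_same_confusion(GENUINE, LOOKALIKE))
    print(sorted(scripts_in(LOOKALIKE)), is_mixed_script(LOOKALIKE))
```
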