
Re: [idn] Re: process



Stephane Bortzmeyer wrote:
> The issue has been discussed at length. See the "Security Considerations" of RFC 3490.

It is true that some of the issues are pointed out by that section, so the registries and application developers have to pay attention. But one might argue that we have recently been discussing a new *class* of homographs. The RFC mentions "multiple scripts" and one and l. These two refer to letters such as Cyrillic small 'a' and digits (the "one"). But the slash homograph recently raised on this list might be considered to be a new class of homograph (punctuation), not specifically indicated in the RFC. Not only is this type of character different from letters and digits, it is arguably even more dangerous than the script-based (Cyrillic) attack, since it can be done in a domain label that is not under the control of the registries. So that first line of defense is not there, and we must rely totally on the apps, and there are many.


One could argue that a new document should be published and widely circulated to warn about this new kind of attack. One of my questions is whether this warning should appear in a new version of the RFC, or in a separate document. Alternatively, it may be decided that this type of homograph is so different and so dangerous that a new version of the protocol that prohibits these characters, with a new ACE prefix, should be created. I don't know.

Also, the "multiple scripts" wording does not specifically cover the all-Cyrillic case. So that part could be tightened up too.

By the way, the RFC's Security section includes the following:

   No security issues such as string length increases or new
   allowed values are introduced by the encoding process or the use of
   these encoded values, apart from those introduced by the ACE encoding
   itself.

What does this mean, exactly? Are any new allowed values introduced by the ACE encoding? This part could be clearer.

Also, O and 0 are mentioned, but is this technically correct? I mean, aren't uppercase ASCIIs supposed to be lowercased? I'm sorry if I'm wrong about this part.

> Nothing new in the recent announcements, just sensational papers.

Again, I think the slash homograph might be new. Do you have evidence to suggest that it *was* considered by the WG or anybody else?


> The Powers Above require that Something should be done

Have you seen any indication of this?

Thanks,

Erik
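The message above argues that, for the slash-class homograph, the registry line of defence is absent and the applications have to catch it themselves. The script below is an added illustration of what such an application-side check can look like; it is not code from this thread, from the IDN WG, or from any browser. It leans on Python's built-in `idna` codec (an IDNA 2003 implementation, i.e. RFC 3490/3491, the same RFC discussed above) to turn ACE labels back into Unicode, and then flags three things the thread mentions: labels mixing scripts, labels made entirely of Cyrillic letters that render like Latin, and non-ASCII characters that look like the `/` (or another URL delimiter) a user relies on to see where the host name ends. The script-by-name heuristic, the small Cyrillic look-alike table and the sample host names are all constructed for this example; the look-alike table is deliberately partial and the real Unicode confusables data is far larger.

```python
import unicodedata

# Constructed, deliberately partial table of Cyrillic lowercase letters whose
# glyphs are near-identical to Latin letters in common fonts (illustration only).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u0458": "j",
}

# ASCII characters whose meaning in a URL a look-alike must not be able to imitate.
URL_DELIMITERS = "/.:@?#"


def script_of(ch):
    """Approximate the script of a letter by the first word of its Unicode name
    (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'). Digits, hyphen and other
    non-letters are reported as 'COMMON'. Heuristic, not a full script table."""
    if not unicodedata.category(ch).startswith("L"):
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def to_unicode_label(label):
    """Decode an ACE ('xn--') label with the IDNA 2003 codec; plain labels pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def inspect_label(label):
    """Return a list of human-readable findings for one DNS label (empty = nothing flagged)."""
    findings = []
    u = to_unicode_label(label)

    # 1. Mixed scripts inside one label (the case RFC 3490's security section names).
    scripts = {script_of(c) for c in u} - {"COMMON"}
    if len(scripts) > 1:
        findings.append("mixed-script: " + ", ".join(sorted(scripts)))

    # 2. Slash-class homograph: a non-ASCII character whose name says SLASH/SOLIDUS,
    #    or which NFKC-folds to one of the ASCII URL delimiters.
    for c in u:
        if ord(c) < 128:
            continue
        name = unicodedata.name(c, "")
        folded = unicodedata.normalize("NFKC", c)
        if "SOLIDUS" in name or "SLASH" in name or (len(folded) == 1 and folded in URL_DELIMITERS):
            findings.append(f"punctuation look-alike: U+{ord(c):04X} {name}")

    # 3. All-Cyrillic label that reads as a Latin word (not a mixed-script label,
    #    so check 1 alone would miss it).
    letters = [c for c in u if unicodedata.category(c).startswith("L")]
    if letters and all(c in CYRILLIC_LOOKALIKES for c in letters):
        latin = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in u)
        findings.append(f"all-Cyrillic, renders like Latin '{latin}'")

    return findings


def inspect_hostname(host):
    """Map each flagged label of a host name to its findings; {} means nothing flagged."""
    report = {}
    for label in host.split("."):
        found = inspect_label(label)
        if found:
            report[label] = found
    return report


if __name__ == "__main__":
    # Constructed sample inputs: one clean name, one with a Cyrillic 'a', one where a
    # FRACTION SLASH makes the second label look like the end of the host part.
    for host in ("www.example.com",
                 "www.ex\u0430mple.com",
                 "www.example.com\u2044login.example"):
        print(host.encode("idna").decode("ascii"), "->", inspect_hostname(host) or "clean")
```

The ACE form printed alongside each verdict is what actually goes on the wire; a resolver or log pipeline that only ever sees `xn--` labels can run the same `inspect_label` on them, since `to_unicode_label` decodes first.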