Stephane Bortzmeyer wrote:
> The issue has been discussed at length. See
> the "Security Considerations" of RFC 3490.
It is true that some of the issues are pointed out by that section, so
the registries and application developers have to pay attention. But
one might argue that we have recently been discussing a new *class*
of homographs. The RFC mentions "multiple scripts" and one and l.
These two refer to letters such as Cyrillic small 'a' and digits (the
"one"). But the slash homograph recently raised on this list might be
considered to be a new class of homograph (punctuation), not
specifically indicated in the RFC. Not only is this type of character
different from letters and digits, it is arguably even more dangerous
than the script-based (Cyrillic) attack, since it can be done in a
domain label that is not under the control of the registries. So that
first line of defense is not there, and we must rely totally on the
apps, and there are many.
One could argue that a new document should be published and widely
circulated to warn about this new kind of attack. One of my questions
is whether this warning should appear in a new version of the RFC, or
in a separate document. Alternatively, it may be decided that this
type of homograph is so different and so dangerous that a new version
of the protocol that prohibits these characters, with a new ACE
prefix, should be created. I don't know.
Also, the "multiple scripts" wording does not specifically cover the
all-Cyrillic case. So that part could be tightened up too.
By the way, the RFC's Security section includes the following:
    No security issues such as string length increases or new
    allowed values are introduced by the encoding process or the use of
    these encoded values, apart from those introduced by the ACE
    encoding itself.
What does this mean, exactly? Are any new allowed values introduced by
the ACE encoding? This part could be clearer.
Also, O and 0 are mentioned, but is this technically correct? I mean,
aren't uppercase ASCIIs supposed to be lowercased? I'm sorry if I'm
wrong about this part.
> Nothing new in the recent announcements, just
> sensational papers.
Again, I think the slash homograph might be new. Do you have evidence
to suggest that it *was* considered by the WG or anybody else?
> The Powers Above require that Something should be done.
Have you seen any indication of this?
Thanks,
Erik
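The point above, that a punctuation homograph sits in a label the registries never see and so the application is the only line of defense, is the kind of check a client can run before rendering a name. The following is an added example written for this thread, not code from the list or from any IDN implementation; its look-alike tables are hand-picked for illustration, and it uses the Unicode character name as a stand-in for the Script property, which the Python standard library does not expose. It accepts either U-labels or xn-- A-labels and lowercases them as nameprep does.

```python
import unicodedata

# Constructed look-up tables for illustration; a real deployment would draw
# on the Unicode confusables data rather than these hand-picked entries.
DELIMITER_LOOKALIKES = {
    "\u2044": "/",  # FRACTION SLASH
    "\u2215": "/",  # DIVISION SLASH
    "\u29f8": "/",  # BIG SOLIDUS
    "\uff0f": "/",  # FULLWIDTH SOLIDUS
    "\u3002": ".",  # IDEOGRAPHIC FULL STOP
}
# Cyrillic lowercase letters whose usual glyph matches a Latin letter.
CYRILLIC_LATIN_LOOKALIKES = set("\u0430\u0435\u043e\u0440\u0441\u0443\u0445"
                                "\u0456\u0458\u0455\u04cf")


def script_of(ch: str) -> str:
    """Approximate the script of a letter from its Unicode name. Punctuation,
    symbols, digits and marks are 'Common' so they never count as a script."""
    if unicodedata.category(ch)[0] != "L":
        return "Common"
    if ch.isascii():
        return "Latin"
    return unicodedata.name(ch, "Unknown").split(" ")[0].title()


def check_label(label: str) -> list:
    """Return warnings for one domain label (U-label or xn-- A-label).
    Lowercasing mirrors nameprep, which case-folds before encoding."""
    label = label.lower()
    if label.startswith("xn--"):
        label = label[4:].encode("ascii").decode("punycode")
    warnings = []
    for ch in label:
        if ch in DELIMITER_LOOKALIKES:
            warnings.append(f"U+{ord(ch):04X} looks like '{DELIMITER_LOOKALIKES[ch]}'")
    scripts = {script_of(ch) for ch in label} - {"Common"}
    if len(scripts) > 1:
        warnings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    letters = [ch for ch in label if unicodedata.category(ch)[0] == "L"]
    # The all-Cyrillic case: one script, but every letter mimics a Latin one.
    if scripts == {"Cyrillic"} and all(ch in CYRILLIC_LATIN_LOOKALIKES for ch in letters):
        warnings.append("every letter is a Cyrillic look-alike of a Latin letter")
    return warnings


def check_domain(domain: str) -> dict:
    """Map each label of a dotted domain to its warnings (empty if clean)."""
    return {lab: check_label(lab) for lab in domain.split(".") if lab}
```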