[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [idn] IDNA section 3.1 requirement 3

To: IETF idn working group <idn@ops.ietf.org>
Subject: Re: [idn] IDNA section 3.1 requirement 3
From: Paul Hoffman <phoffman@imc.org>
Date: Wed, 16 Mar 2005 15:31:20 -0800
In-reply-to: <20050316221337.GB25580~@nicemice.net>
References: <20050316221337.GB25580~@nicemice.net>

At 10:13 PM +0000 3/16/05, Adam M. Costello wrote:

Consider a domain name containing a slash-homograph.

As it stands, IDNA section 3.1 requirement 3 tells applications that
they "SHOULD" display the non-ACE form.  The security considerations
section, much later, "suggests" that applications provide visual
indications of various anomalies (from which one could extrapolate that
the slash-homograph would benefit from a visual indication).


Right.

I think we've seen that these security concerns need to be less buried,

Fair point, but it's not like that if we had put them in section 3.1, all browser makers would have done anything about them. From the testing we did a while ago, it's clear that a fair number of browser makers didn't even read the normative parts of the spec.

that "visual indications" are too burdensome on implementations,

Fully disagree. We haven't seen anyone actually try visual indications, and some have said that they are working on them. They may not want to do them, but most of them didn't want to do IDNs either.

 and
that in some cases (like this one) the recommendation to display the
non-ACE form ought to be withdrawn, or even reversed (that is, recommend
the ASCII form).

Question: when faced with an incomprehensible domain name with no visual indications, do you think that typical users will know what to do, or even what to be cautious of? Hint: think about what typical users do with SSL certificate warning dialogs.

We're trying to deal with a security issue: obscuring it won't make it useful to users, nor will it make them cautious, just confused.

      d) If the non-ACE form contains any character outside Unicode
         categories L (letter), N (number), and M (mark), other than
         U+002D hyphen-minus, the ACE form SHOULD be shown.

This is quite a reasonable attempt at picking good characters. It won't eliminate homographs by any matter of means, but it is a reasonable narrowing.

Thoughts?

At first glance, it is a reasonable way to choose between unadulterated Unicode and ACE display. However, it is based on a very unproven assumption, namely that there isn't any other visual assistance that we can suggest.

Adam: could you think more about it and see how it would look if thought visual assistance was an option?

--Paul Hoffman, Director
--Internet Mail Consortium

Follow-Ups:
- Re: [idn] IDNA section 3.1 requirement 3
  - From: "Adam M. Costello" <idn.amc+0@nicemice.net.RemoveThisWord>

References:
- [idn] IDNA section 3.1 requirement 3
  - From: "Adam M. Costello" <idn.amc+0@nicemice.net.RemoveThisWord>

Prev by Date: [idn] IDNA section 3.1 requirement 3
Next by Date: Re: [idn] IDNA section 3.1 requirement 3
Previous by thread: [idn] IDNA section 3.1 requirement 3
Next by thread: Re: [idn] IDNA section 3.1 requirement 3
Index(es):
- Date
- Thread