[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[idn] Re: stringprep: PRI #29

To: Erik van der Poel <erik@vanderpoel.org>
Subject: [idn] Re: stringprep: PRI #29
From: Simon Josefsson <jas@extundo.com>
Date: Sun, 20 Mar 2005 08:51:16 +0100
Blog: http://www.livejournal.com/users/jas4711/
Cc: idn@ops.ietf.org
In-reply-to: <423CD9DC.5080401@vanderpoel.org> (Erik van der Poel's message of "Sat, 19 Mar 2005 18:03:08 -0800")
Openpgp: id=B565716F; url=http://josefsson.org/key.txt
References: <42322CE2.4040509@vanderpoel.org> <4232B2FD.1080104@vanderpoel.org> <4232BA56.5090001@vanderpoel.org> <iluk6odazwb.fsf@latte.josefsson.org> <00e801c528a8$99ad37d0$72703009@sanjose.ibm.com> <ilull8qb5n5.fsf@latte.josefsson.org> <42367B63.6080300@vanderpoel.org> <4237450A.9010901@v.loewis.de> <423754F3.50405@vanderpoel.org> <ilumzt47ezc.fsf@latte.josefsson.org> <20050316091126.GA24254~@nicemice.net> <iluzmx36h6t.fsf@latte.josefsson.org> <423CD9DC.5080401@vanderpoel.org>
User-agent: Gnus/5.110003 (No Gnus v0.3) Emacs/22.0.50 (gnu/linux)

Erik van der Poel <erik@vanderpoel.org> writes:

>> A third way, which is what I am deploying, is to use the Unicode 3.2
>> NFKC together with a filter to reject the PR-29 problem sequences.
>> This is in line with the RFC's, it solves problems related to PR-29
>> problem sequences, and is simple to implement.
>
> I don't think this is in line with the RFCs. You are rejecting sequences 
> that are not rejected by the RFCs.

I don't see how RFCs can force an implementation to accept strings
that may cause security problems.  My SASL implementation reject the
PR-29 sequences, as will my Kerberos implementation, and I suggest
that everyone implement similar precautions.

Until this problem is addressed in an update of RFC 3454, rejecting
the problem sequences appear to be the most conservative approach to
me.  What would you propose to do instead?

If the situation is as you claim, that there are multiple StringPrep
implementations out there that implement NFKC in different ways, it
seems hazardous to permit the strings through when you don't know how
other components will behave.  This is especially true if you perform
authentication or authorization on an internationalized authentication
or authorization identity, and then pass it on to another component
that may run another NFKC implementation on the string, before it is
used by a component that assume the identity has been properly
authenticated or authorized earlier.

> More importantly, when you continue to ship your implementation as is, 
> more and more installations of your popular library will occur, making 
> it more difficult for the world to adjust if and when the affected types 
> of character sequences are introduced, either with the current 
> characters or new characters.

The problem sequences doesn't normally occur in the wild, at least
that is what PR-29 says, so it is unlikely to ever be a practical
problem.  It remains a security concern though, and that concern won't
go away until the spec's are updated, regardless of what I do in my
implementation.

> You are in a position to make a difference. You already have. Please 
> reconsider.

This isn't up to individual implementors.  RFC 3454 need to be updated
to address the problem.  Everyone can submit their own update of RFC
3454 to the IETF and advocate for their proposal.  I don't care
strongly which solution is chosen, if there is a good migration plan
to the new idea.  Meanwhile, implementors will route around the damage
and pick their own solutions.

Regards,
Simon

Follow-Ups:
- [idn] Re: stringprep: PRI #29
  - From: Erik van der Poel <erik@vanderpoel.org>

References:
- [idn] Unicode categories
  - From: Erik van der Poel <erik@vanderpoel.org>
- [idn] Re: Unicode categories
  - From: Erik van der Poel <erik@vanderpoel.org>
- [idn] stability
  - From: Erik van der Poel <erik@vanderpoel.org>
- [idn] Re: stability
  - From: Simon Josefsson <jas@extundo.com>
- Re: [idn] Re: stability
  - From: "Mark Davis" <mark.davis@jtcsv.com>
- [idn] Re: stability
  - From: Simon Josefsson <jas@extundo.com>
- Re: [idn] Re: stability
  - From: Erik van der Poel <erik@vanderpoel.org>
- Re: [idn] Re: stability
  - From: "Martin v. Löwis" <martin@v.loewis.de>
- Re: [idn] Re: stability
  - From: Erik van der Poel <erik@vanderpoel.org>
- [idn] Re: stability
  - From: Simon Josefsson <jas@extundo.com>
- Re: [idn] Re: stability
  - From: "Adam M. Costello" <idn.amc+0@nicemice.net.RemoveThisWord>
- [idn] Re: stability
  - From: Simon Josefsson <jas@extundo.com>
- [idn] stringprep: PRI #29
  - From: Erik van der Poel <erik@vanderpoel.org>

Prev by Date: Re: [idn] stringprep: PRI #29
Next by Date: [idn] Re: stringprep: PRI #29
Previous by thread: Re: [idn] stringprep: PRI #29
Next by thread: [idn] Re: stringprep: PRI #29
Index(es):
- Date
- Thread