[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[idn] Re: stringprep: PRI #29

To: Erik van der Poel <erik@vanderpoel.org>
Subject: [idn] Re: stringprep: PRI #29
From: Simon Josefsson <jas@extundo.com>
Date: Sun, 20 Mar 2005 22:12:45 +0100
Blog: http://www.livejournal.com/users/jas4711/
Cc: idn@ops.ietf.org
In-reply-to: <423DB883.1020408@vanderpoel.org> (Erik van der Poel's message of "Sun, 20 Mar 2005 09:53:07 -0800")
Openpgp: id=B565716F; url=http://josefsson.org/key.txt
References: <42322CE2.4040509@vanderpoel.org> <4232B2FD.1080104@vanderpoel.org> <4232BA56.5090001@vanderpoel.org> <iluk6odazwb.fsf@latte.josefsson.org> <00e801c528a8$99ad37d0$72703009@sanjose.ibm.com> <ilull8qb5n5.fsf@latte.josefsson.org> <42367B63.6080300@vanderpoel.org> <4237450A.9010901@v.loewis.de> <423754F3.50405@vanderpoel.org> <ilumzt47ezc.fsf@latte.josefsson.org> <20050316091126.GA24254~@nicemice.net> <iluzmx36h6t.fsf@latte.josefsson.org> <423CD9DC.5080401@vanderpoel.org> <ilur7iaycuj.fsf@latte.josefsson.org> <423DB883.1020408@vanderpoel.org>
User-agent: Gnus/5.110003 (No Gnus v0.3) Emacs/22.0.50 (gnu/linux)

Erik van der Poel <erik@vanderpoel.org> writes:

>> My SASL implementation reject the
>> PR-29 sequences, as will my Kerberos implementation, and I suggest
>> that everyone implement similar precautions.
>
> I haven't been involved with this issue for very long. Would you say 
> that a lot of the implementors have already heard of your approach, and 
> that they are either using the same approach or considering it?

I haven't seen much evidence of that.  The SASL and Kerberos specs
that use StringPrep haven't been published yet.  Few, if any,
implementors are speaking about this issue in those WG's.  Presumably
the specs are pushed out before the ideas have been implemented and
tested in practice.

>> Until this problem is addressed in an update of RFC 3454, rejecting
>> the problem sequences appear to be the most conservative approach to
>> me.  What would you propose to do instead?
>
> Well, my feeling is that it will take too long to publish a new version 
> of the Stringprep RFC, and that implementors should get together to try 
> to reach a rough consensus and make changes before the new RFC is 
> published. PRI #29 has been published, with a fair amount of info for 
> the implementors to make a decision.

I think it may be better to try and reach that consensus within the
IETF.  The expertise on this are supposed to be here.

>> The problem sequences doesn't normally occur in the wild, at least
>> that is what PR-29 says, so it is unlikely to ever be a practical
>> problem.  It remains a security concern though, and that concern won't
>> go away until the spec's are updated, regardless of what I do in my
>> implementation.
>
> Why would a mere spec update make the concern go away? Didn't you say 
> that the differing implementations were the concern?

Right.  I was assuming implementors will implement a sanely updated
spec, and that this in combination would solve the problem.

>> This isn't up to individual implementors.  RFC 3454 need to be updated
>> to address the problem.  Everyone can submit their own update of RFC
>> 3454 to the IETF and advocate for their proposal.  I don't care
>> strongly which solution is chosen, if there is a good migration plan
>> to the new idea.  Meanwhile, implementors will route around the damage
>> and pick their own solutions.
>
> OK, let's suppose just for the moment, that we decide to have Stringprep 
> point to version 24 or higher of UAX #15. Can you think of a migration 
> plan that would satisfy ultra-conservative implementors like yourself?

The spec could suggest that all problem sequences are to be rejected.

> Or, if you wish, suppose that we do _not_ have Stringprep point to a 
> newer version of UAX #15. Can you think of a good migration plan for 
> that? (Given that some implementations implement UAX #15 differently.)

Here too, the spec could suggest to reject all problem sequences.  The
NFKC implementations could continue to work as the Unicode 3.2
algorithm description suggest, but since the problem sequences are
rejected, you wouldn't notice the difference in practice.

Assuming PR#29 is correct on that these strings doesn't occur
naturally, rejecting them doesn't appear to have any interoperability
consequences.

Regards,
Simon

Follow-Ups:
- Re: [idn] Re: stringprep: PRI #29
  - From: Erik van der Poel <erik@vanderpoel.org>

References:
- [idn] Unicode categories
  - From: Erik van der Poel <erik@vanderpoel.org>
- [idn] Re: Unicode categories
  - From: Erik van der Poel <erik@vanderpoel.org>
- [idn] stability
  - From: Erik van der Poel <erik@vanderpoel.org>
- [idn] Re: stability
  - From: Simon Josefsson <jas@extundo.com>
- Re: [idn] Re: stability
  - From: "Mark Davis" <mark.davis@jtcsv.com>
- [idn] Re: stability
  - From: Simon Josefsson <jas@extundo.com>
- Re: [idn] Re: stability
  - From: Erik van der Poel <erik@vanderpoel.org>
- Re: [idn] Re: stability
  - From: "Martin v. Löwis" <martin@v.loewis.de>
- Re: [idn] Re: stability
  - From: Erik van der Poel <erik@vanderpoel.org>
- [idn] Re: stability
  - From: Simon Josefsson <jas@extundo.com>
- Re: [idn] Re: stability
  - From: "Adam M. Costello" <idn.amc+0@nicemice.net.RemoveThisWord>
- [idn] Re: stability
  - From: Simon Josefsson <jas@extundo.com>
- [idn] stringprep: PRI #29
  - From: Erik van der Poel <erik@vanderpoel.org>
- [idn] Re: stringprep: PRI #29
  - From: Simon Josefsson <jas@extundo.com>
- [idn] Re: stringprep: PRI #29
  - From: Erik van der Poel <erik@vanderpoel.org>

Prev by Date: [idn] Re: stringprep: PRI #29
Next by Date: Re: [idn] Re: stringprep: PRI #29
Previous by thread: [idn] Re: stringprep: PRI #29
Next by thread: Re: [idn] Re: stringprep: PRI #29
Index(es):
- Date
- Thread