Re: [apps-discuss] apps-review team review for draft-ietf-eai-rfc5335bis-07

Claudio Allocchio <> Thu, 20 January 2011 17:02 UTC

Date: Thu, 20 Jan 2011 18:04:42 +0100
From: Claudio Allocchio <>
To: "Murray S. Kucherawy" <>
Cc: "" <>, John C Klensin <>, "" <>, "" <>

> The Security Considerations section should discuss the problem of having 
> UTF-8 aware transport (i.e. MTAs) coupled with UTF-8 unaware user agents 
> (e.g. readers) as well as filters and the like.  The author talks about 
> needing bigger buffers, but I think that's far less interesting than the 
> possible semantic implications.  I consider this a major issue, and so I 
> would expect this discussion to be non-trivial in size, and include some 
> admonishment about not upgrading a delivery MTA to support UTF-8 message 
> headers until the entire infrastructure it serves has already been 
> verified to handle it.  This might be discussed in one of the other EAI 
> documents already; if it is, this one should contain a reference to 
> that.

a late (never too late!) +1

> On a related note, Security Considerations should also talk about abuse 
> mechanisms.  If, for example, there are lots of ways of using UTF-8 to 
> represent something equivalent or similar to a particular displayed 
> character or group of characters (all the variants of "e" in French, 
> using accents, for example), then filtering systems can be bypassed by 
> using one of the variants to avoid detection while still reaching the 
> end user with largely the same original effect.  This too might be 
> discussed elsewhere in general, in which case a reference to that 
> discussion can be left here.

and another +1 here!

Claudio Allocchio             G   A   R   R
                         Senior Technical Officer
tel: +39 040 3758523      Italian Academic and       G=Claudio; S=Allocchio;
fax: +39 040 3758565        Research Network         P=garr; A=garr; C=it;

            PGP Key:
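
The filter-bypass concern in the second quoted paragraph, shown from the filtering side as an added example that is not part of the original message or of any EAI draft. The blocklist term, the subject strings and the function names are constructed for illustration; the folding shown (compatibility normalization, combining-mark removal, case folding) is one common approach, not a mechanism the draft specifies.

```python
import unicodedata


def skeleton(text: str) -> str:
    """Fold a header value to a comparison form.

    NFKD splits accented letters into base + combining mark and maps
    compatibility forms (e.g. fullwidth letters) to their plain equivalents;
    combining marks are then dropped and the result is case-folded.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return unicodedata.normalize("NFKC", base).casefold()


def naive_match(subject: str, blocked: list[str]) -> bool:
    """What a UTF-8 unaware filter effectively does: lowercase substring test."""
    return any(term in subject.lower() for term in blocked)


def folded_match(subject: str, blocked: list[str]) -> bool:
    """Compare skeletons so accent and width variants collapse together."""
    folded = skeleton(subject)
    return any(skeleton(term) in folded for term in blocked)


# Constructed sample data: one blocklist term and several spellings of it.
BLOCKED = ["cheque"]
SUBJECTS = {
    "plain":       "Votre cheque",
    "precomposed": "Votre ch\u00e8que",       # U+00E8, e with grave
    "decomposed":  "Votre che\u0300que",      # e + U+0300 combining grave
    "fullwidth":   "\uff43\uff48\uff45\uff51\uff55\uff45",
    "cyrillic_e":  "Votre ch\u0435que",       # U+0435, a different letter
}


def audit() -> dict[str, tuple[bool, bool]]:
    """Return {label: (naive result, folded result)} for each sample."""
    return {k: (naive_match(v, BLOCKED), folded_match(v, BLOCKED))
            for k, v in SUBJECTS.items()}


if __name__ == "__main__":
    for label, (naive, folded) in audit().items():
        print(f"{label:12} naive={naive!s:5} folded={folded}")
```

Normalization collapses the accent and width variants, but the look-alike letter from another script still passes; catching that needs confusable-character data such as the tables in Unicode UTS #39, which this example does not include.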