Re: [idn] Re: process

[James Seng <james@seng.cc>]

FYI, punctuation were also debated extensively back then so it isn't 
really 'Oh, we just discover this!'.

It's just interesting to see people putting it into action. Does apps 
needs to be fixed? Yes, absolutely. App developers needs to go read the 
security consideration of rfc3490 and think about how to implement some 
solution to reduce the spoofing risk.

but does it warrant changing the existing rfc? I dunno..I havent seen 
anything that suggest we missed something back then.

-James Seng

On 25-Feb-05, at PM 11:45, Erik van der Poel wrote:

> Stephane Bortzmeyer wrote:
>> The issue has been discussed at length. See
>> the "Security Considerations" of RFC 3490.
>
> It is true that some of the issues are pointed out by that section, so 
> the registries and application developers have to pay attention. But 
> one  might argue that we have recently been discussing a new *class* 
> of homographs. The RFC mentions "multiple scripts" and one and l. 
> These two refer to letters such as Cyrillic small 'a' and digits (the 
> "one"). But the slash homograph recently raised on this list might be 
> considered to be a new class of homograph (punctuation), not 
> specifically indicated in the RFC. Not only is this type of character 
> different from letters and digits, it is arguably even more dangerous 
> than the script-based (Cyrillic) attack, since it can be done in a 
> domain label that is not under the control of the registries. So that 
> first line of defense is not there, and we must rely totally on the 
> apps, and there are many.
>
> One could argue that a new document should be published and widely 
> circulated to warn about this new kind of attack. One of my questions 
> is whether this warning should appear in a new version of the RFC, or 
> in a separate document. Alternatively, it may be decided that this 
> type of homograph is so different and so dangerous that a new version 
> of the protocol that prohibits these characters, with a new ACE 
> prefix, should be created. I don't know.
>
> Also, the "multiple scripts" wording does not specifically cover the 
> all-Cyrillic case. So that part could be tightened up too.
>
> By the way, the RFC's Security section includes the following:
>
>    No security issues such as string length increases or new
>    allowed values are introduced by the encoding process or the use of
>    these encoded values, apart from those introduced by the ACE 
> encoding
>    itself.
>
> What does this mean, exactly? Are any new allowed values introduced by 
> the ACE encoding? This part could be clearer.
>
> Also, O and 0 are mentioned, but is this technically correct? I mean, 
> aren't uppercase ASCIIs supposed to be lowercased? I'm sorry if I'm 
> wrong about this part.
>
>> Nothing new in the recent announces, just
>> sensation papers.
>
> Again, I think the slash homograph might be new. Do you have evidence 
> to suggest that it *was* considered by the WG or anybody else?
>
>> The Powers Above require that Something should be done
>
> Have you seen any indication of this?
>
> Thanks,
>
> Erik
>