IETF Logo Mail Archive

[idn] Re: stringprep: PRI #29

Simon Josefsson <jas@extundo.com> Sun, 20 March 2005 07:57 UTC

Received: from psg.com (mailnull@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA23645 for <idn-archive@lists.ietf.org>; Sun, 20 Mar 2005 02:57:21 -0500 (EST)
Received: from majordom by psg.com with local (Exim 4.44 (FreeBSD)) id 1DCvDw-000MqU-Ee for idn-data@psg.com; Sun, 20 Mar 2005 07:51:48 +0000
Received: from [217.13.230.178] (helo=yxa.extundo.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.44 (FreeBSD)) id 1DCvDt-000Mne-P0 for idn@ops.ietf.org; Sun, 20 Mar 2005 07:51:46 +0000
Received: from latte.josefsson.org (c494102a.s-bi.bostream.se [217.215.27.65]) (authenticated bits=0) by yxa.extundo.com (8.13.3/8.13.3/Debian-6) with ESMTP id j2K7pb4Y024541 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sun, 20 Mar 2005 08:51:38 +0100
From: Simon Josefsson <jas@extundo.com>
To: Erik van der Poel <erik@vanderpoel.org>
Cc: idn@ops.ietf.org
Subject: [idn] Re: stringprep: PRI #29
References: <42322CE2.4040509@vanderpoel.org> <4232B2FD.1080104@vanderpoel.org> <4232BA56.5090001@vanderpoel.org> <iluk6odazwb.fsf@latte.josefsson.org> <00e801c528a8$99ad37d0$72703009@sanjose.ibm.com> <ilull8qb5n5.fsf@latte.josefsson.org> <42367B63.6080300@vanderpoel.org> <4237450A.9010901@v.loewis.de> <423754F3.50405@vanderpoel.org> <ilumzt47ezc.fsf@latte.josefsson.org> <20050316091126.GA24254~@nicemice.net> <iluzmx36h6t.fsf@latte.josefsson.org> <423CD9DC.5080401@vanderpoel.org>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
Blog: http://www.livejournal.com/users/jas4711/
X-Hashcash: 1:21:050320:idn@ops.ietf.org::U1ifJePn35qU4kOX:7C3G
X-Hashcash: 1:21:050320:erik@vanderpoel.org::UPmrvz3wt9GCc5Oq:CO23
Date: Sun, 20 Mar 2005 08:51:16 +0100
In-Reply-To: <423CD9DC.5080401@vanderpoel.org> (Erik van der Poel's message of "Sat, 19 Mar 2005 18:03:08 -0800")
Message-ID: <ilur7iaycuj.fsf@latte.josefsson.org>
User-Agent: Gnus/5.110003 (No Gnus v0.3) Emacs/22.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Virus-Scanned: ClamAV version 0.83, clamav-milter version 0.83 on yxa.extundo.com
X-Virus-Status: Clean
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on psg.com
X-Spam-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.0.1
Sender: owner-idn@ops.ietf.org
Precedence: bulk

Erik van der Poel <erik@vanderpoel.org> writes:

>> A third way, which is what I am deploying, is to use the Unicode 3.2
>> NFKC together with a filter to reject the PR-29 problem sequences.
>> This is in line with the RFC's, it solves problems related to PR-29
>> problem sequences, and is simple to implement.
>
> I don't think this is in line with the RFCs. You are rejecting sequences 
> that are not rejected by the RFCs.

I don't see how RFCs can force an implementation to accept strings
that may cause security problems.  My SASL implementation reject the
PR-29 sequences, as will my Kerberos implementation, and I suggest
that everyone implement similar precautions.

Until this problem is addressed in an update of RFC 3454, rejecting
the problem sequences appear to be the most conservative approach to
me.  What would you propose to do instead?

If the situation is as you claim, that there are multiple StringPrep
implementations out there that implement NFKC in different ways, it
seems hazardous to permit the strings through when you don't know how
other components will behave.  This is especially true if you perform
authentication or authorization on an internationalized authentication
or authorization identity, and then pass it on to another component
that may run another NFKC implementation on the string, before it is
used by a component that assume the identity has been properly
authenticated or authorized earlier.

> More importantly, when you continue to ship your implementation as is, 
> more and more installations of your popular library will occur, making 
> it more difficult for the world to adjust if and when the affected types 
> of character sequences are introduced, either with the current 
> characters or new characters.

The problem sequences doesn't normally occur in the wild, at least
that is what PR-29 says, so it is unlikely to ever be a practical
problem.  It remains a security concern though, and that concern won't
go away until the spec's are updated, regardless of what I do in my
implementation.

> You are in a position to make a difference. You already have. Please 
> reconsider.

This isn't up to individual implementors.  RFC 3454 need to be updated
to address the problem.  Everyone can submit their own update of RFC
3454 to the IETF and advocate for their proposal.  I don't care
strongly which solution is chosen, if there is a good migration plan
to the new idea.  Meanwhile, implementors will route around the damage
and pick their own solutions.

Regards,
Simon

v2.23.0 | Report a Bug | By Email