[idn] Re: stringprep: PRI #29
Simon Josefsson <jas@extundo.com> Sun, 20 March 2005 21:17 UTC
Received: from psg.com (mailnull@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA23271 for <idn-archive@lists.ietf.org>; Sun, 20 Mar 2005 16:17:48 -0500 (EST)
Received: from majordom by psg.com with local (Exim 4.44 (FreeBSD)) id 1DD7jc-000OIv-Ie for idn-data@psg.com; Sun, 20 Mar 2005 21:13:20 +0000
Received: from [217.13.230.178] (helo=yxa.extundo.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.44 (FreeBSD)) id 1DD7ja-000OIE-0w for idn@ops.ietf.org; Sun, 20 Mar 2005 21:13:18 +0000
Received: from latte.josefsson.org (c494102a.s-bi.bostream.se [217.215.27.65]) (authenticated bits=0) by yxa.extundo.com (8.13.3/8.13.3/Debian-6) with ESMTP id j2KLD6Kh031188 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sun, 20 Mar 2005 22:13:09 +0100
From: Simon Josefsson <jas@extundo.com>
To: Erik van der Poel <erik@vanderpoel.org>
Cc: idn@ops.ietf.org
Subject: [idn] Re: stringprep: PRI #29
References: <42322CE2.4040509@vanderpoel.org> <4232B2FD.1080104@vanderpoel.org> <4232BA56.5090001@vanderpoel.org> <iluk6odazwb.fsf@latte.josefsson.org> <00e801c528a8$99ad37d0$72703009@sanjose.ibm.com> <ilull8qb5n5.fsf@latte.josefsson.org> <42367B63.6080300@vanderpoel.org> <4237450A.9010901@v.loewis.de> <423754F3.50405@vanderpoel.org> <ilumzt47ezc.fsf@latte.josefsson.org> <20050316091126.GA24254~@nicemice.net> <iluzmx36h6t.fsf@latte.josefsson.org> <423CD9DC.5080401@vanderpoel.org> <ilur7iaycuj.fsf@latte.josefsson.org> <423DB883.1020408@vanderpoel.org>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
Blog: http://www.livejournal.com/users/jas4711/
X-Hashcash: 1:21:050320:idn@ops.ietf.org::PNP5IcTx4SIAEq8Z:3YBg
X-Hashcash: 1:21:050320:erik@vanderpoel.org::BxrFa9+POEYju/hQ:4hnA
Date: Sun, 20 Mar 2005 22:12:45 +0100
In-Reply-To: <423DB883.1020408@vanderpoel.org> (Erik van der Poel's message of "Sun, 20 Mar 2005 09:53:07 -0800")
Message-ID: <iluis3mxbqq.fsf@latte.josefsson.org>
User-Agent: Gnus/5.110003 (No Gnus v0.3) Emacs/22.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Virus-Scanned: ClamAV version 0.83, clamav-milter version 0.83 on yxa.extundo.com
X-Virus-Status: Clean
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on psg.com
X-Spam-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.0.1
Sender: owner-idn@ops.ietf.org
Precedence: bulk
Erik van der Poel <erik@vanderpoel.org> writes: >> My SASL implementation reject the >> PR-29 sequences, as will my Kerberos implementation, and I suggest >> that everyone implement similar precautions. > > I haven't been involved with this issue for very long. Would you say > that a lot of the implementors have already heard of your approach, and > that they are either using the same approach or considering it? I haven't seen much evidence of that. The SASL and Kerberos specs that use StringPrep haven't been published yet. Few, if any, implementors are speaking about this issue in those WG's. Presumably the specs are pushed out before the ideas have been implemented and tested in practice. >> Until this problem is addressed in an update of RFC 3454, rejecting >> the problem sequences appear to be the most conservative approach to >> me. What would you propose to do instead? > > Well, my feeling is that it will take too long to publish a new version > of the Stringprep RFC, and that implementors should get together to try > to reach a rough consensus and make changes before the new RFC is > published. PRI #29 has been published, with a fair amount of info for > the implementors to make a decision. I think it may be better to try and reach that consensus within the IETF. The expertise on this are supposed to be here. >> The problem sequences doesn't normally occur in the wild, at least >> that is what PR-29 says, so it is unlikely to ever be a practical >> problem. It remains a security concern though, and that concern won't >> go away until the spec's are updated, regardless of what I do in my >> implementation. > > Why would a mere spec update make the concern go away? Didn't you say > that the differing implementations were the concern? Right. I was assuming implementors will implement a sanely updated spec, and that this in combination would solve the problem. >> This isn't up to individual implementors. RFC 3454 need to be updated >> to address the problem. Everyone can submit their own update of RFC >> 3454 to the IETF and advocate for their proposal. I don't care >> strongly which solution is chosen, if there is a good migration plan >> to the new idea. Meanwhile, implementors will route around the damage >> and pick their own solutions. > > OK, let's suppose just for the moment, that we decide to have Stringprep > point to version 24 or higher of UAX #15. Can you think of a migration > plan that would satisfy ultra-conservative implementors like yourself? The spec could suggest that all problem sequences are to be rejected. > Or, if you wish, suppose that we do _not_ have Stringprep point to a > newer version of UAX #15. Can you think of a good migration plan for > that? (Given that some implementations implement UAX #15 differently.) Here too, the spec could suggest to reject all problem sequences. The NFKC implementations could continue to work as the Unicode 3.2 algorithm description suggest, but since the problem sequences are rejected, you wouldn't notice the difference in practice. Assuming PR#29 is correct on that these strings doesn't occur naturally, rejecting them doesn't appear to have any interoperability consequences. Regards, Simon
- [idn] related work Erik van der Poel
- [idn] Unicode categories Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue JFC (Jefsey) Morfin
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue John C Klensin
- Re: [idn] nameprep2 and the slash homograph issue Adam M. Costello
- Re: [idn] something a little lighter for the week… Doug Ewell
- Re: [idn] stability Erik van der Poel
- Re: [idn] Re: character tables Erik van der Poel
- Re: [idn] Re: process Adam M. Costello
- Re: [idn] punctuation John C Klensin
- Re: [idn] Re: stability JFC (Jefsey) Morfin
- Re: [idn] Re: character tables Gervase Markham
- Re: [idn] stringprep: PRI #29 Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue Gervase Markham
- Re: [idn] Re: stability Erik van der Poel
- Re: [idn] process Paul Hoffman
- Re: [idn] Re: character tables YAO Jiankang
- Re: [idn] nameprep2 and the slash homograph issue JFC (Jefsey) Morfin
- Re: [idn] nameprep2 and the slash homograph issue Adam M. Costello
- Re: [idn] punctuation John C Klensin
- Re: [idn] punctuation tedd
- Re: [idn] Re: character tables JFC (Jefsey) Morfin
- Re: [idn] punctuation Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue Gervase Markham
- Re: [idn] Re: stability Erik van der Poel
- Re: [idn] Re: character tables Adam M. Costello
- [idn] Re: character tables John C Klensin
- Re: [idn] Re: character tables Erik van der Poel
- Re: [idn] Re: stability JFC (Jefsey) Morfin
- Re: [idn] Re: character tables Paul Hoffman
- Re: [idn] Re: stability Martin v. Löwis
- Re: [idn] Re: character tables Erik van der Poel
- Re: [idn] Re: stability John C Klensin
- [idn] Re: Unicode categories John C Klensin
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- [idn] character tables Erik van der Poel
- Re: [idn] Re: character tables John C Klensin
- Re: [idn] Re: stability Mark Davis
- Re: [idn] Re: stringprep: PRI #29 Erik van der Poel
- [idn] stability Erik van der Poel
- Re: [idn] Re: character tables Erik van der Poel
- Re: [idn] Re: dichotomies JFC (Jefsey) Morfin
- Re: [idn] process Adam M. Costello
- Re: [idn] Re: character tables William Tan
- Re: [idn] Re: process James Seng
- [idn] Re: stability Simon Josefsson
- Re: [idn] stability Erik van der Poel
- [idn] Re: stability Martin v. Löwis
- Re: [idn] Re: process Jaap Akkerhuis
- Re: [idn] Re: stringprep: PRI #29 Adam M. Costello
- Re: [idn] punctuation tedd
- [idn] Re: dichotomies Erik van der Poel
- Re: [idn] Re: stability Martin v. Löwis
- Re: [idn] punctuation Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- Re: [idn] process JFC (Jefsey) Morfin
- [idn] Re: stability Simon Josefsson
- Re: [idn] nameprep2 and the slash homograph issue JFC (Jefsey) Morfin
- [idn] Re: stringprep: PRI #29 Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue Adam M. Costello
- Re: [idn] process John C Klensin
- Re: [idn] Re: Unicode categories Mark Davis
- Re: [idn] process Doug Ewell
- Re: [idn] Re: stability Adam M. Costello
- Re: [idn] process Erik van der Poel
- [idn] nameprep2 and the slash homograph issue Erik van der Poel
- Re: [idn] punctuation tedd
- [idn] punctuation Erik van der Poel
- Re: [idn] Re: stability James Seng
- [idn] Re: stability Simon Josefsson
- [idn] something a little lighter for the weekend Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- Re: [idn] something a little lighter for the week… Adam M. Costello
- Re: [idn] process Gervase Markham
- [idn] Re: character tables Cary Karp
- [idn] Mozilla? JFC (Jefsey) Morfin
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- Re: [idn] punctuation Erik van der Poel
- [idn] Re: Unicode categories Erik van der Poel
- [idn] Re: stability Simon Josefsson
- Re: [idn] Re: character tables JFC (Jefsey) Morfin
- [idn] Re: process Stephane Bortzmeyer
- Re: [idn] process Erik van der Poel
- Re: [idn] punctuation Jaap Akkerhuis
- Re: [idn] Re: character tables Gervase Markham
- Re: [idn] Re: process Jaap Akkerhuis
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- Re: [idn] Re: process James Seng
- [idn] stringprep mailing list Erik van der Poel
- Re: [idn] Re: dichotomies Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- Re: [idn] Re: stability Erik van der Poel
- Re: [idn] Re: character tables Erik van der Poel
- Re: [idn] Re: stability JFC (Jefsey) Morfin
- Re: [idn] Re: process Erik van der Poel
- [idn] Re: stringprep: PRI #29 Simon Josefsson
- Re: [idn] punctuation Erik van der Poel
- Re: [idn] stability Martin v. Löwis
- [idn] stringprep: PRI #29 Erik van der Poel
- Re: [idn] Re: character tables Paul Hoffman
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- [idn] Re: stability Simon Josefsson
- [idn] process Erik van der Poel
- [idn] stringprep: existing profiles and string pr… Erik van der Poel
- Re: [idn] Re: stability Erik van der Poel
- [idn] dichotomies Erik van der Poel
- Re: [idn] stability JFC (Jefsey) Morfin
- [idn] Re: character tables Cary Karp
- Re: [idn] Re: process Erik van der Poel
- [idn] Re: stringprep mailing list Simon Josefsson
- Re: [idn] Re: Unicode categories Martin v. Löwis
- Re: [idn] Re: stability JFC (Jefsey) Morfin
- Re: [idn] something a little lighter for the week… John C Klensin
- Re: [idn] something a little lighter for the week… Adam M. Costello
- Re: [idn] Re: dichotomies JFC (Jefsey) Morfin
- Re: [idn] Re: stability Erik van der Poel
- Re: [idn] Re: stability Erik van der Poel
- [idn] Re: stringprep: PRI #29 Simon Josefsson
- Re: [idn] stability Erik van der Poel
- [idn] Re: stringprep: PRI #29 Simon Josefsson