Re: [Idna-update] emoji and security

John C Klensin <john-ietf@jck.com> Tue, 13 March 2018 23:01 UTC

Date: Tue, 13 Mar 2018 19:01:37 -0400
From: John C Klensin <john-ietf@jck.com>
To: Asmus Freytag <asmusf@ix.netcom.com>, idna-update@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/idna-update/4t6r1tLmtZC1hpGx4fWOOi76zKc>


--On Monday, March 12, 2018 09:48 -0700 Asmus Freytag
<asmusf@ix.netcom.com> wrote:

> All,
> 
> there's a general consensus that emoji and secure IDNs do not
> go together.
> 
> This is clearly not something that's taken for granted by
> others.

Possibly true, but your example below has nothing to do with the
issue.

> Read down a few messages in this thread on the Unicode list:

> https://www.unicode.org/mail-arch/unicode-ml/y2018-m03/0075.html

> to find the suggestion of translating security hash codes into
> strings of emoji ostensibly for easier verification:

> "So that makes me wonder which one would be quicker for a
> human to verify on average? Also, which one is more accurate
> for a human to verify? I have no idea. For accuracy, it seems
> like a lot of thought was put into the visual uniqueness of
> Unicode emojis."

> Discuss.

First, whether emoji are a good idea for encoding hashes or not
has nothing to do with whether they are appropriate for domain
names.  My guess is that they are not as useful for encoding
hashes as the messages I look at seem to believe until and
unless (1) the presentation forms for the various emoji code
points are standardized sufficiently that they differ no more
from one platform to the next than conventional, not extremely
artistic, type styles do for modern letter or digit display
forms and (2) names of emoji and emoji sequences in popular use
are standardized sufficiently that text to speech programs
pronounce (or describe) them in ways that are consistent across
platforms.  Whether that hypothesis is correct or not, I would
encourage those who are interested in the question of how easily
one string of emoji can be compared to each other to find and
read Herman Chernoff's original "faces" paper about the
representation of multidimensional data.

However, those are just my not-very-educated guesses.  As far as
IDNs and this discussion are concerned, the bottom line is that
they are Invalid for use in domain names and that, IMO, those who
are anxious to see IANA's tables updated to Unicode 10 or 11 in
the relatively near future should probably understand that, with
the current level of activity and enthusiasm in the IETF for i18n
work generally and IDN work in particular, the last thing they
want to do is to get the table update effort blocked behind a
substantive IDNA revision.

More important, I agree with Patrik that people are, once again,
confusing his three-way distinction among IETF work, ICANN
policy work, and compliance issues and my earlier,
not-quite-orthogonal, distinction among protocol (DNS
and IDNA) constraints, general guidance about how policies
should be developed about registration in arbitrary zones, and
ICANN policies for the root.  If people want to make progress, I
think it would be helpful to have those distinctions more
strongly in mind... and to avoid the emoji and non-IDN uses of
code points issue entirely except as compliance issues that are
probably discussed in ICANN, legal, and regulatory contexts
rather than here.

best,
   john