Re: i18n requirements (was: Re: NF* (Re: PKCS#11 URI slot attributes & last call))

Nico Williams <nico@cryptonector.com> Fri, 02 January 2015 03:01 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4F321A870A; Thu, 1 Jan 2015 19:01:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.233
X-Spam-Level:
X-Spam-Status: No, score=0.233 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mtO7fqGJTx2h; Thu, 1 Jan 2015 19:01:37 -0800 (PST)
Received: from homiemail-a55.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 033B81A8709; Thu, 1 Jan 2015 19:01:37 -0800 (PST)
Received: from homiemail-a55.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a55.g.dreamhost.com (Postfix) with ESMTP id A04D11634; Thu, 1 Jan 2015 19:01:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=3Wckt4BGJPK8CH SbMTlK930Xeng=; b=IPs2I7DG9nYFr2i1vbfL9Ndh9t9hTkgiXHP3zHk8yT3H7U RWMs8M5wqbpH8dE4I1fHfZrunFGNTFrWIIXGrqMu/MdBU0e561SoqibP+weaMa9T M9mq8+Qxlq2MH2s6Dpn63S5ivstexMFK4gnIAQuEXpSCnzlvFonZoAu40lDw8=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a55.g.dreamhost.com (Postfix) with ESMTPA id 1852F161A; Thu, 1 Jan 2015 19:01:36 -0800 (PST)
Date: Thu, 1 Jan 2015 21:01:35 -0600
From: Nico Williams <nico@cryptonector.com>
To: John C Klensin <john-ietf@jck.com>
Subject: Re: i18n requirements (was: Re: NF* (Re: PKCS#11 URI slot attributes & last call))
Message-ID: <20150102030130.GN24442@localhost>
References: <CAK3OfOgm_ZYj-rY+4ExZzY8KY4G3rz2KLrZ8hQJi7ZUR4yiP0Q@mail.gmail.com> <alpine.GSO.2.00.1412300946340.4549@keflavik> <CAK3OfOha9qu=uDtqwDTdV78waLMaorYq0T6cq1YX3VzQn2OpKA@mail.gmail.com> <A4CC6CEC-D17E-4235-B615-9D2AD88096D4@frobbit.se> <20141231070328.GK24442@localhost> <B08B813F-B8B4-49F1-A0B9-60F322C8E9C7@frobbit.se> <20141231074641.GM24442@localhost> <947CA101-D717-4B56-8EEE-84B3A53BF4A1@frobbit.se> <20141231082551.GN24442@localhost> <E4837FDB76D5ACDEB1C568DF@[192.168.1.128]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <E4837FDB76D5ACDEB1C568DF@[192.168.1.128]>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/9RpnGRkV9RLsgWL4F-gYhHUSEEo
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, ietf@ietf.org, saag@ietf.org, Jan Pechanec <jan.pechanec@oracle.com>, Patrik =?iso-8859-1?B?RuRsdHN0cvZt?= <paf@frobbit.se>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Jan 2015 03:01:38 -0000

On Wed, Dec 31, 2014 at 10:41:28AM -0500, John C Klensin wrote:
> [...]

In the case of PKCS#11 there's not a lot in the way of security
considerations regarding normalization: all the "devices" in question
are trusted, and the user is supposed to be in physical possession of
them.  As usual, we assume local security.  Therefore there's no
question of an attacker trying to fool a user into entering their PINs
into fake tokens.

This makes the security considerations regarding normalization simpler
in this case.

I think we could use some text like this:

   PKCS#11 does not specify a canonical from for UTF-8 string slots in
   the API.  This presents the usual false negative and false positive
   (aliasing) concerns that arise when dealing with unnormalized
   strings.  Because all PKCS#11 items are local and local security is
   assumed, these concerns are mainly about usability.

   In order to improve the user experience, applications that create
   PKCS#11 objects or otherwise label tokens, SHOULD normalize labels to
   NFC.  For the same reason PKCS#11 libraries, slots (token readers),
   and tokens SHOULD normalize their names to NFC.  When listing
   libraries, slots, tokens, or objects, an application SHOULD normalize
   their names to NFC.  When matching PKCS#11 URIs to libraries, slots,
   tokens, and/or objects, applications may use form-insensitive Unicode
   string comparison for matching, as the objects might pre-date these
   recommendations).

Then later in the security considerations section, add something like:

   PKCS#11 does not authenticate devices to users; PKCS#11 only
   authenticates users to tokens.  Instead, local and physical security
   are demanded: the user must be in possession of their tokens, and
   system into whose slots the users' tokens are inserted must be
   secure.  As a result, the usual security considerations regarding
   normalization do not arise.  For the same reason, confusable script
   issues also do not arise.  Nonetheless, it is best to normalize to
   NFC all strings appearing in PKCS#11 API elements.

Nico
--