Re: Possible BofF question -- I18n

Nico Williams <nico@cryptonector.com> Sun, 03 June 2018 06:22 UTC

Date: Sun, 03 Jun 2018 01:22:19 -0500
From: Nico Williams <nico@cryptonector.com>
To: John R Levine <johnl@taugh.com>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, IETF general list <ietf@ietf.org>
Subject: Re: Possible BofF question -- I18n
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/mJxkmlm2oDPGboiyN7q0kXp0nv4>

On Sat, Jun 02, 2018 at 09:56:32AM -0400, John R Levine wrote:
> On Sat, 2 Jun 2018, Brian E Carpenter wrote:
> >If a dark art is one that involves combinatorial degrees of complexity
> >mixed with human perception, judgment and emotion, then I fear that I18N
> >*is* a dark art. We can perhaps manage such complexity by limiting the
> >scope of what we try to do in our protocols, but I for one would very
> >much appreciate having an I18N directorate reviewing everything.
> 
> Thanks, that was what I was trying to get at.  It would be great if more
> people learned about I18n issues, but I worry about expertise at the level
> of security experts telling people to memorize all their passwords and
> change them every month.
> 
> "Confusables", different characters that look exactly or approximately the
> same is a good example.  I used to think that one could make sets of
> confusable characters and avoid security problems by disallowing strings
> that differed only in confusables.  Unfortunately, what is confusable is
> highly context dependent.  For example, an Arabic digit 5 looks a lot like a
> lower case letter o, so depending on who and where you are you might think
> it looks like o or 0 or you might think it looks like 5 or you might think
> it looks like both.  I didn't realize that until I talked to native Arabic
> speakers and tried to read speed limit signs in Abu Dhabi.  Don't get me
> started on composable emoji and skin tones.

Yes, confusability is in the eye of the beholder, but a first
approximation set of confusable mappings can be constructed (and has
been).  We don't need perfection, but we could apply AI techniques to
look for more confusables and get closer to perfection.  Registries
don't need us to tell them that any of this is a good idea (though we
should).

> I'm not saying it's hopeless, but we need to be careful assuming that some
> knowledge always leads to better analyses than none.  Remember all those
> passwords they force you to change every month.

It's hard to argue that more knowledge makes things worse.  Sure, it can
(e.g., by raising one's cognitive burdens), but mostly it's not the
case.  I'm not afraid of assuming that more knowledge will help.  But if
you are... then our supposed lack of I18N expertise should be a boon!

Nico
--
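
The first-approximation confusable mapping discussed in this message, and the context dependence described in the quoted text for the Arabic digit 5, shown as an added example that is not part of the original thread. The lookalike table, the labels and the `Registry` class are constructed for illustration and are not a real registry's policy.

```python
import unicodedata

# Constructed, deliberately tiny lookalike table (character -> prototype).
# An assumption for illustration, not a complete or authoritative mapping.
VISUAL = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0665": "o",  # ARABIC-INDIC DIGIT FIVE, drawn as a small circle
    "0": "o",       # DIGIT ZERO
}

def visual_key(label):
    """Policy A: fold by appearance (NFKC, casefold, lookalike mapping)."""
    folded = unicodedata.normalize("NFKC", label).casefold()
    return "".join(VISUAL.get(ch, ch) for ch in folded)

def numeric_key(label):
    """Policy B: read any decimal digit by its value first, then fold by appearance."""
    out = []
    for ch in unicodedata.normalize("NFKC", label).casefold():
        value = unicodedata.digit(ch, None)
        out.append(str(value) if value is not None else VISUAL.get(ch, ch))
    return "".join(out)

class Registry:
    """Refuses a label whose comparison key is already held by a different label."""
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.holders = {}

    def register(self, label):
        key = self.key_fn(label)
        holder = self.holders.setdefault(key, label)
        return holder == label, holder

# Constructed candidate labels: Cyrillic o, Arabic-Indic five mid-word, and as a suffix.
CANDIDATES = ["sh\u043ep", "sh\u0665p", "shop\u0665"]

def compare_policies():
    results = {}
    for name, key_fn in (("visual", visual_key), ("numeric", numeric_key)):
        registry = Registry(key_fn)
        registry.register("shop")
        registry.register("shop5")
        results[name] = [registry.register(c)[0] for c in CANDIDATES]
    return results

if __name__ == "__main__":
    print(compare_policies())
```

Both policies refuse the Cyrillic lookalike of `shop`, but each admits one of the two Arabic-Indic-five labels that the other refuses, which is the reader-dependent part of the problem.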