Re: [saag] i18n requirements (was: Re: NF* (Re: PKCS#11 URI slot attributes & last call))

John C Klensin <> Tue, 13 January 2015 03:41 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D58001A8A01; Mon, 12 Jan 2015 19:41:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.61
X-Spam-Status: No, score=-2.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id idBl119rjwEr; Mon, 12 Jan 2015 19:41:18 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 662281A8872; Mon, 12 Jan 2015 19:41:18 -0800 (PST)
Received: from [] ( by with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <>) id 1YAsLq-0009xY-BE; Mon, 12 Jan 2015 22:41:06 -0500
Date: Mon, 12 Jan 2015 22:41:01 -0500
From: John C Klensin <>
To: Nico Williams <>, Pete Resnick <>
Subject: Re: [saag] i18n requirements (was: Re: NF* (Re: PKCS#11 URI slot attributes & last call))
Message-ID: <>
In-Reply-To: <20150113000854.GW16323@localhost>
References: <> <2A0EFB9C05D0164E98F19BB0AF3708C71D55675E67@USMBX1.msg.corp.akama> <20150112045411.GD16323@localhost> <> <20150113000854.GW16323@localhost>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Scanned: No (on; SAEximRunCond expanded to false
Archived-At: <>
Cc: "Salz, Rich" <>,,, Jan Pechanec <>, Peter Gutmann <>
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 13 Jan 2015 03:41:21 -0000

--On Monday, January 12, 2015 18:08 -0600 Nico Williams
<> wrote:

>> Given that this particular member of the IESG has
>> (successfully) argued vehemently for ASCII-only on multiple
>> occasions in the recent past, I would say that your worries
>> on that score are overdone. :-)
> Well alright.  I'd love to see a set of guidelines for I18N
> activities.

So would we all.  RFC 2277 was supposed to provide some guidance
but is now badly obsolete in many different ways, including
exhibiting how little we knew about some things at the time.  We
have, I hope, learned a lot, but see below.

> When should we try to support Unicode, and when should we not?
> Is it one of those "I know it when I see it" kinds of
> guidelines?  That wouldn't be useful enough :(

Let me suggest a general way of thinking about things -- maybe
not quite a "guideline".  Especially for security-type
protocols, make sure there is a substantive reason, presumably
connected to users and user experience, for it to be necessary
to go beyond ASCII.  I really do mean "necessary": if it is just
a good idea in principle or a maybe-nice-to-have or "maybe
someone will want this some day", skip it because adding i18n
capabilities _will_ make correct and predictable implementations
more difficult and _will_ increase the number and range of
attack opportunities.   

> Mind you, IIRC PKCS#11 didn't even say anything about ASCII
> before. Token labels and such used to be fixed-sized octet
> strings containing character data.  Jan can correct me if I'm
> wrong.  I'm not sure even saying "ASCII-only" would
> necessarily be safe in that case...

And that reinforces my view that the real, underlying, problem
here has to be fixed in PKCS#11, not in anything the IETF puts
on top of it.  Only they can fix the problems; we can, at best,
mitigate the damage.

> Fortunately the OASIS PKCS11 TC has clarified that these are
> UTF-8; unfortunately they left other I18N details out.

It appears to me that what they have said puts their level of
understanding of the various issues somewhat behind where we
were when RFC 2277 was written in 1997.