NF* (Re: PKCS#11 URI slot attributes & last call)

Nico Williams <> Wed, 31 December 2014 07:46 UTC


On Wed, Dec 31, 2014 at 08:33:28AM +0100, Patrik Fältström wrote:
> Ok, so what you say is that the side that is to calculate whether
> there is a match or not can do whatever normalization they want on the
> string(s)? Or do you say that whoever is doing a match is to not do
> normalization at all as the application (on client side) can and
> should define what normalization (in a broader sense, not only Unicode
> Normalization) must be possible to define?

I'm saying something subtly different:

When you don't have the luxury of every string you might chance upon
being required to be normalized to the one true form, then you have
three choices:

 - give up

 - go fix whatever needs to be fixed so that you do have that luxury

   Here that would be: PKCS#11 itself, token vendors, and so on.

   I.e., not quite boiling the oceans but maybe a Great Lake.

 - try your best

Normalization-insensitive comparison falls into the third bucket.

> In IDNA2008, as you know, we did choose the latter, but recommend
> applications to define what normalization to do, and that NFC is the
> Unicode Normalization to use.

For another example, in the world of filesystems we have:

 - most of the world just-uses-8 (UTF-8, ISO-8859-*, whatever, and when
   UTF-8, form is accidental)

 - some of the world insists on UTF-8 (though it's hard for a filesystem
   to enforce this: all it sees is octet strings)

    - some of the world normalizes to NFD (close enough) on create and
      lookup (e.g., HFS+)

    - some of the world is normalization-preserving-but-form-insensitive

The NFD case is obnoxious because even on those systems the input system
tends to produce NFC...  But anyways.  When you have no canonical form
for whatever reason, you can try form-insensitive matching.

Obviously there's aliasing to consider (but there is anyways), and so
on.  But none of this is terribly interesting here except for the "best
effort matching" idea, since that's probably the user-friendly and
not-too-dangerous thing to do here.
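
The normalization-preserving, form-insensitive matching described in the message, as an added example that is not part of the original e-mail: names are kept exactly as stored and folded only at comparison time. The function names, the sample strings, and the choice of NFC as the comparison form are assumptions made for illustration.

```python
import unicodedata

def match_key(raw: bytes):
    """Comparison key for a name that arrives as an octet string.

    Valid UTF-8 is folded to NFC (assumed comparison form) so that NFC and
    NFD spellings compare equal. Anything else is "just-uses-8" data of
    unknown encoding, so it is compared octet for octet and never guessed at.
    """
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return ("octets", raw)
    return ("text", unicodedata.normalize("NFC", text))

def form_insensitive_equal(a: bytes, b: bytes) -> bool:
    """Best-effort equality: normalization-insensitive where that is defined."""
    return match_key(a) == match_key(b)

def lookup(stored_names, wanted: bytes):
    """Return every stored name, in its original preserved form, that matches.

    A list is returned rather than a single hit so the caller can see
    aliasing: two stored names that differ only in normalization form
    both match, and the caller must decide how to treat that ambiguity.
    """
    key = match_key(wanted)
    return [name for name in stored_names if match_key(name) == key]

# Constructed sample data: the same name in three encodings/forms.
NFC_NAME = "F\u00e4ltstr\u00f6m".encode("utf-8")      # precomposed
NFD_NAME = "Fa\u0308ltstro\u0308m".encode("utf-8")    # base + combining marks
LATIN1_NAME = "F\u00e4ltstr\u00f6m".encode("latin-1") # not valid UTF-8
STORED = [NFC_NAME, LATIN1_NAME, b"token-2"]

if __name__ == "__main__":
    print(NFC_NAME == NFD_NAME)                      # octets differ
    print(form_insensitive_equal(NFC_NAME, NFD_NAME))
    print(lookup(STORED, NFD_NAME))                  # finds the NFC entry
    print(lookup(STORED + [NFD_NAME], NFC_NAME))     # two aliases match
```
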