Re: i18n requirements (was: Re: NF* (Re: PKCS#11 URI slot attributes & last call))

John C Klensin <> Thu, 08 January 2015 18:01 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A3C401A00E4; Thu, 8 Jan 2015 10:01:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.61
X-Spam-Status: No, score=-4.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, RCVD_IN_DNSWL_LOW=-0.7, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UpKqE8w1aJdg; Thu, 8 Jan 2015 10:01:44 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9BEBB1A8AE2; Thu, 8 Jan 2015 10:01:42 -0800 (PST)
Received: from [] ( by with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <>) id 1Y9HOg-000HkZ-Uq; Thu, 08 Jan 2015 13:01:26 -0500
Date: Thu, 08 Jan 2015 13:01:17 -0500
From: John C Klensin <>
To: Jan Pechanec <>
Subject: Re: i18n requirements (was: Re: NF* (Re: PKCS#11 URI slot attributes & last call))
Message-ID: <>
In-Reply-To: <alpine.GSO.2.00.1501071105250.8929@keflavik>
References: <> <alpine.GSO.2.00.1412300946340.4549@keflavik> <> <> <20141231070328.GK24442@localhost> <> <20141231074641.GM24442@localhost> <> <20141231082551.GN24442@localhost> <E4837FDB76D5ACDEB1C568DF@[]> <20150102030130.GN24442@localhost> <alpine.GSO.2.00.1501032124490.6923@keflavik> <alpine.GSO.2.00.1501071105250.8929@keflavik>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Scanned: No (on; SAEximRunCond expanded to false
Archived-At: <>
X-Mailman-Approved-At: Fri, 09 Jan 2015 08:41:14 -0800
Cc: Darren J Moffat <>, Stef Walter <>, Jaroslav Imrich <>,, =?UTF-8?Q?Patrik_F=C3=A4ltstr=C3=B6m?= <>, Shawn Emery <>,, Christian Huitema <>, Nikos Mavrogiannopoulos <>
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 08 Jan 2015 18:01:46 -0000

--On Wednesday, January 07, 2015 11:16 -0800 Jan Pechanec
<> wrote:

> On Sat, 3 Jan 2015, Jan Pechanec wrote:
> 	hi, I haven't received any other comments on the draft 
> recently (I know the LC already ended on Dec 29 though) so I
> think I  can file changes discussed and drafted in this thread
> as draft 18 on  Friday.  Thank you all for feedback, I really
> appreciate it.
> 	one more change for the draft 18 (v2 attached) is to spell 
> "NFC" and reference the Unicode Annex on normalization based
> on  comments from Jaroslav and Christian.


I don't have a lot of time to spend on this and am not an expert
on either X.509 or PKCK (#11 or otherwise).  At least the first
may be unfortunate, but it is what it is.

While I think the changes you have made are definitely
improvements, this i18n stuff is complicated.  As with Security,
there is a completely inadequate supply of magic pixie dust that
can be thrown at problems to make them go away.  "Normalize to
NFC" (with spelling-out and references) is a vast improvement or
"use [valid] UTF-8" but there are many other issues.  You have
noted some and omitted others.  For example, case-independent
matching is a very simple and completely deterministic issue for
ASCII (one essentially just masks off one bit within a certain
range), it can get very messy if one tries to be sensitive to
different locales that have different conventions about what to
do with diacritical marks when lower-case characters are
converted to upper case.  There are Unicode "CaseFold" rules
that are at least self-consistent but which contain wjat amount
to exceptions for some language contexts (e.g., for dotless "i")
but they are wildly unpopular in some places.

We used to joke that, every time we tried to carefully examine a
new script and set of languages for IDN-related purposes, it was
like turning over rocks with vipers hiding under them.  Each new
script or language context turned up a different set of
difficult issues -- the only surprise what what sort of
creatures crawled out, not whether there would be creatures
there.  The joke has gone out of fashion, but the realities that
inspired it survive.

Part of this is an inherent problem with trying to create a
universal character set -- languages and writing systems are
diverse enough that any "one size fits all" model or set of
decision rules is guaranteed to be deeply problematic and
upsetting for some people (and legitimately so) while developing
too many script-specific (or language-specific) rules or
exceptions is almost certain to upset those who feel a need for
simpler approaches that can be incorporated into generic
software.  For your reading pleasure,
draft-klensin-idna-5892upd-unicode70 discusses one set of cases
in which application of different rules and criteria led to a
conclusion that may be just right for some communities but that
is definitely problematic for others.

I don't know how far in explaining this your document should go.
I would urge, as I think I did before, some fairly strong
warnings that, at least until the issues are clarified in
PKCS#11 itself, one should be very certain one knows what one is
doing (and what the consequences of one's choices will be) if
one decides to move beyond the safety and general understanding
of the ASCII/ ISO 646/ IA5 letter and digit repertoire.  That
sort of warning should supplement your NFC language, not replace
it-- neither is a substitute for the other.   Whether you
incorporate it or not, your I-D should not assume that, by
saying "NFC", you have somehow resolved the full range of issues
in this area, any more than saying "UTF-8" did. 

For more information, you might have a look at some of the
PRECIS work, notably draft-ietf-precis-framework.

I also remain convinced that the best place to fix this is in
the PKCS#11 spec itself.  One is always at a disadvantage when
trying to work around an inadequate specification in a different
specification that has to depend on it and your work is no
exception.  I wish there were whatever liaison arrangements
between the IETF and others (presumably notably RSA) to be sure
that happened or at least there was clear awareness on the PKCS
side of the deficiencies.

Happy New Year,