
[idn] Re: CDNC Final Comments on Last call of IDN drafts

2002-06-06 07:55:40
At 12:52 PM +0200 6/6/02, Simon Josefsson wrote:
> This means IDN is not guaranteed to be secure on non-Unicode systems.
> There are a lot of non-Unicode systems out there today...

Nothing is ever guaranteed to be secure. Even if we supplied mapping tables, there is no guarantee that the mapping tables we supplied would match those already in use in those systems, so there will be the same security issues. In fact, we can be sure that some "standardized" mapping tables would disagree with those already implemented.

> > When standards bodies for character sets define such equivalences, and
> > when those equivalences gain popularity, it might be appropriate for
> > the IDN effort to consider incorporating these new standards.

> This isn't an adequate solution IMHO, when the consequences of errors
> made by such standard bodies, or conflicts between different standard
> bodies, or different interpretations of said standards, or changes
> between different versions of those standards, or simply a complete
> lack of standardisation in the area (which is the situation today),
> may be exploitable for attacking systems on the Internet.

And your proposal for an adequate solution is....? Short of forcing every current system to use a single set of standardized mapping tables (which is patently unrealistic), how could you ever avoid such an exploit?

Further, the exploit you describe is identical in every application that allows an encoding of the Unicode character set (such as UTF-8). Are you saying that we shouldn't allow any input in UTF-8 in any application until there is both a standard set of mapping tables and absolute conformance to them?

--Paul Hoffman, Director
--Internet Mail Consortium
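
As an added illustration (not part of the original message or thread), the sketch below shows the kind of mapping-table disagreement discussed above. It assumes Python's built-in `shift_jis` and `cp932` codecs as stand-ins for two systems' legacy-charset-to-Unicode tables, and lists double-byte sequences that both tables accept but map to different code points even after NFKC normalization.

```python
import unicodedata

# Assumption: these two built-in Python codecs stand in for the mapping
# tables of two different systems that both claim to speak "Shift_JIS".
TABLE_A = "shift_jis"   # JIS X 0208 based table
TABLE_B = "cp932"       # Microsoft's variant of the same charset


def decode_or_none(raw, codec):
    """Decode raw bytes with one mapping table; None if it has no entry."""
    try:
        return raw.decode(codec)
    except UnicodeDecodeError:
        return None


def disagreements(lead_bytes=range(0x81, 0x85)):
    """Return {bytes: (char_a, char_b)} for double-byte sequences that both
    tables accept but map to different code points, where NFKC (the
    normalization form nameprep applies) does not reconcile the two."""
    found = {}
    for lead in lead_bytes:
        for trail in range(0x40, 0xFD):
            if trail == 0x7F:          # never a valid trail byte
                continue
            raw = bytes([lead, trail])
            a = decode_or_none(raw, TABLE_A)
            b = decode_or_none(raw, TABLE_B)
            if a is None or b is None or a == b:
                continue
            if len(a) != 1 or len(b) != 1:
                continue
            if unicodedata.normalize("NFKC", a) != unicodedata.normalize("NFKC", b):
                found[raw] = (a, b)
    return found


if __name__ == "__main__":
    for raw, (a, b) in sorted(disagreements().items()):
        print(f"{raw.hex()}: "
              f"{TABLE_A} -> U+{ord(a):04X} {unicodedata.name(a, '?')} | "
              f"{TABLE_B} -> U+{ord(b):04X} {unicodedata.name(b, '?')}")
```

A name typed as the same bytes on two such systems becomes two different Unicode strings before any IDN processing starts, so the resulting labels can differ.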