
Re: [idn] impacted systems investigation



On Mar 12,  7:06am, David C Lawrence wrote:
> Mark Andrews said:
> > UTF8 does not require a server upgrade
> 
> D. J. Bernstein answered:
> > Right. But Patrik and Paul claim the opposite. This claim is, in fact,
> > the centerpiece of the IDNA ``design philosophy.''
> 
> Not so.  We all know the servers can handle 8 bit domain names.

Incorrect, at least if they are using domain names for, for instance,
filename construction - which is currently the case for BIND 9 in
DNSSEC, for instance. I have submitted a patch to bind9-bugs@isc.org
to help solve this problem.

> What the servers can't tell, however, is whether some 8 bit string is UTF-8
> or some local encoding, and that presents a security problem.  To use
> UTF-8 at the server, the protocol would need to be updated so that a
> client could affirmatively declare, "I'm IDN-aware, and thus my
> request is using UTF-8, not some other local encoding."

Agreed. Unless a client affirmatively declares this, returning names
outside of RFC1123 standards should not be done, for many security
reasons.

	-Allen

-- 
Allen Smith				easmith@beatrice.rutgers.edu
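As an added illustration of the point made above about RFC 1123 names and filename construction (example code written here, not from the thread, and not BIND's own code): a gate that rejects any name outside the letter-digit-hyphen rules before it is embedded in a path, so an 8-bit octet of unknown encoding never reaches the filesystem. The key-file naming scheme is hypothetical, not BIND's actual layout.

```python
import re

# RFC 1123 hostname label: letters, digits and hyphen (LDH), 1-63 octets,
# not beginning or ending with a hyphen (RFC 1123 relaxed RFC 952 to
# allow a leading digit).
_LDH_LABEL = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')


def is_rfc1123_hostname(name: bytes) -> bool:
    """True only if every label is a valid LDH label and the whole name
    (without its trailing dot) fits in 253 octets.  Any octet >= 0x80
    fails the ASCII decode, so the caller never has to guess whether the
    bytes were UTF-8 or some local encoding."""
    if name.endswith(b'.'):
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    for label in name.split(b'.'):
        try:
            text = label.decode('ascii')
        except UnicodeDecodeError:
            return False
        if not _LDH_LABEL.match(text):      # also rejects empty labels, '/', '..'
            return False
    return True


def key_file_name(zone: bytes, base_dir: str = '/var/named/keys') -> str:
    """Hypothetical filename construction of the kind the thread describes
    (constructed scheme, not BIND's real key-file naming).  Refuses anything
    that is not RFC 1123 clean instead of splicing it into a path."""
    if not is_rfc1123_hostname(zone):
        raise ValueError('zone name is not an RFC 1123 hostname: %r' % (zone,))
    label = zone.rstrip(b'.').decode('ascii').lower()
    return '%s/%s.key' % (base_dir, label)
```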