[idn] IDN security and ACE leakage

["Soobok Lee" <lsb@postel.co.kr>]

Latin 'o' and Greek 'o'  are almost indistinguishable ,
(and I can list up hundreds of such examples.)
but their ACE labels  often look very different.
  
For security reasons, IDN-capable email programs
may display an IDN email address 
 both in its original scripts and in its ACEed form
 to encourage  instant verification  like this:
"FullName <i18n-mbox@i18n-hostname.com>" [qq--xxx@bq--yyy.com]

It's more secure but looks ugly. shorter ACE labels may help.
ACE labels are better than appended hexadecimal dump of utf8 lables
for this purpose.

Soobok Lee


----- Original Message ----- 
From: "Adam M. Costello" <amc@cs.berkeley.edu>
To: <idn@ops.ietf.org>
Sent: Sunday, July 15, 2001 6:18 AM
Subject: Re: [idn] Reality Check


> Russ Rolfe <rrolfe@windows.microsoft.com> wrote:
> 
> > ...people will use both IDN and non-IDN address until every they need
> > to communicate can...
> 
> Are you arguing that ACE is unnecessary?  If so, please explain how
> email is going to work.  What is supposed to happen when IDN-capable
> person A sends a message to IDN-capable person B, who then forwards the
> message to IDN-incapable person C, who would like to reply to A?  What
> is supposed to happen when IDN-capable people send email to mailing
> lists?  Are they supposed to use their non-IDN address if there are any
> IDN-incapable subscribers?  How will they know?
> 
> > I have read a lot of comments on this list that state that ACE is just
> > an intermediate step to help us get to a UTF-8 solution.
> 
> I don't agree with those comments.  While I can see ACE becoming less
> common over time, I wouldn't expect it to completely die out in the
> forseeable future.
> 
> AMC
>