[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [idn] IDN security and ACE leakage
some corrections.
AMC-ACE-Z uses "base36" encoding which includes '0' '1' 'l' 'o'.
It is the DUDE and AMC-ACE-W that avoid using the four.
----- Original Message -----
From: "Soobok Lee" <lsb@postel.co.kr>
To: <idn@ops.ietf.org>; "Martin Duerst" <duerst@w3.org>
Sent: Sunday, July 15, 2001 1:11 PM
Subject: Re: [idn] IDN security and ACE leakage
> DUDE and AMC-ACE-Z (not RACE,ACE37) already avoid
> using '0', 'o', '1', 'l' in its base 32 encoding
> for security reasons. It is a nice feature.
>
> ----- Original Message -----
> From: "Martin Duerst" <duerst@w3.org>
> To: "Soobok Lee" <lsb@postel.co.kr>; <idn@ops.ietf.org>
> Sent: Sunday, July 15, 2001 12:54 PM
> Subject: Re: [idn] IDN security and ACE leakage
>
>
> > 'l' and '1' and 'I' ('ell' and 'one' and 'upper-case i') are
> > almost indistinguishable. For security reasons, DNS-capable email
> > programs (i.e. every email program) may display an email
> > address using hexadecimal (ACE won't work).
> >
> > How many programs actually do this?
> >
> > Regards, Martin.
> >
> > At 12:16 01/07/15 +0900, Soobok Lee wrote:
> > >Latin 'o' and Greek 'o' are almost indistinguishable ,
> > >(and I can list up hundreds of such examples.)
> > >but their ACE labels often look very different.
> > >
> > >For security reasons, IDN-capable email programs
> > >may display an IDN email address
> > > both in its original scripts and in its ACEed form
> > > to encourage instant verification like this:
> > >"FullName <i18n-mbox@i18n-hostname.com>" [qq--xxx@bq--yyy.com]
> > >
> > >It's more secure but looks ugly. shorter ACE labels may help.
> > >ACE labels are better than appended hexadecimal dump of utf8 lables
> > >for this purpose.
> > >
> > >Soobok Lee
> >
>