Re: [idn] IDN security and ACE leakage
--On 01-07-16 14.36 +0900 Martin Duerst <duerst@w3.org> wrote:
> Ideally, every person should at least have one purely
> ASCII-only email address, and every machine should have
> at least one purely ASCII-only domain name, not consisting
> of characters that look like they come from a random generator.
I don't agree.
If people said this about some Arabic script to me, I would not be able to
know the difference between a randomly generated string in Arabic compared to
something which makes sense to people who know Arabic (something I don't
do).
I would much rather be able to use my name, which I have chosen, in my script, in
applications I have chosen, and then some magic which is implemented in the
network which makes it possible for others to reply to my email.
If I have upgraded my software to be able to handle whatever IDN is coming
up with, I should never have to see the encoded characters which are passed
in the protocols -- regardless of if it is UTF-8 or ACE or whatever.
As a user I don't care.
I want it to work. And to make it work for users, we engineers have to
be extremely conservative, and as you have understood by now, I don't care
if some of you think I am stupid asking for something as stupid as ACE when
UTF-8 is better. I am conservative, believe nameprep is by far more
important than what encoding we use, and IF we should do something smart,
we should use neither UTF-8 nor ACE in DNS, but instead something much more
efficient given the binary labels we already have in the DNS protocol.
But, as applications take the uncompressed data in the DNS protocol and
"just" use it here and there, we need to see that that data is safe in
whatever (stupid) application there is. If I have upgraded my applications,
I am done. I will never see this encoding stuff anymore. Just like with
quoted-printable in MIME. Do you see QP somewhere? Maybe in headers of
email? Maybe even this email? Then you have broken software, but is that my
fault? Maybe because I did choose to use a charset you can not support, and
that is a valid issue, but if you DO handle the charset, or if you don't,
how does your client handle that situation? _Those_ situations are what we
should talk about and not this smalltalk about "my software is better than
yours".
paf