Re: [idn] conflicts with ACE and STD13
At 6:30 AM -0600 11/9/01, Eric A. Hall wrote:
>Three potential conflicts with ACE and STD13 labels:
>
>1) Easy one first. There is a potential security problem with ACE
>encodings of legacy LDH domains, in that it may be possible for a user to
>manually encode an LDH label and provide false glue by providing
>"bq--ehsco.com." which gets decoded as "ehsco.com.", particularly if a
>delegating entity doesn't prevent it. idna-02 says this is illegal for
>zones in particular, but it needs to happen anywhere that ACE is processed
>as rich data rather than LDH. We should just declare any ACE encoded LDH
>label as illegal to be rejected with extreme prejudice by any entity which
>encodes OR decodes ACE. I'm putting this in the next UDNS spec, btw.

Your timing is amazing. Your message was posted about twenty minutes 
after the announcement of the new IDNA draft. That draft solves this 
problem (which was indeed a real problem in the idna-03 document).

>2) ACE precludes certain characters from being stored, and delegates some
>of this process to idna's incoming filters. However, idna is only
>concerned with host names, and some of the excluded values can be provided
>as binary domain names (hyphen at the beginning and end of a binary domain
>name is legal, for example).

The distinction between host names and domain names is subtle and 
hotly contested in the DNS world. The IDN WG is only dealing with 
host names, for now. This demarcation between these two has not been 
very important before now, but IDN is making it important.

>  Will such strings blow up ACE?

No. But that is not what is important here. What is important is the 
question of what are host names (and therefore must conform to IDNA) 
and what are not (and therefore are just unstructured octet strings).

>3) Similar problem exists with domain names that contain eight-bit
>characters outside LDH. This is a complex problem, so read all the way
>through before you start composing a response. :)

Did so. Agree that similar problems exist in all host/domain names 
that are not LDH. The problem here is identical to problem 2.

>This problem MUST be resolved, as it represents a fundamental conflict
>between ACE and the binary label syntax whenever queries are processed
>using their canonical UCS character code, and where multiple output
>encodings are possible or required.

The difference between host labels which are covered by IDNA and 
domain labels which are not must be well-defined before IDNA is 
finished. The -04 draft takes a step towards that, but it is not 
complete. Suggestions for specific wording for the draft on this 
topic are *greatly* appreciated.

--Paul Hoffman, Director
--Internet Mail Consortium
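
The check Eric asks for under point 1, together with the host-name rule
behind point 2, as an added example that is not part of the thread above
and not code from any IDNA draft. It uses the form IDNA later settled on,
the "xn--" prefix and Punycode (RFC 3490 / RFC 3492), instead of the
draft-era "bq--" ACE in the quoted message, so the exact strings differ
from Eric's "bq--ehsco.com"; the test itself is the one he describes: an
ACE label whose decoded form is plain LDH is rejected by whoever encodes
or decodes it, and the RFC 3490 ToUnicode round-trip check is applied on
top. The sample names are constructed, and nameprep is left out
(an assumption made for brevity, so unnormalised non-ASCII is not
canonicalised here).

```python
"""Reject ACE labels that decode to plain LDH text (example, not RFC code)."""
import string
from typing import List, Optional

ACE_PREFIX = "xn--"                      # RFC 3490 prefix; the draft used "bq--"
LDH_CHARS = frozenset(string.ascii_lowercase + string.digits + "-")


def is_ldh_host_label(label: str) -> bool:
    """STD 13 *host-name* label: 1-63 letters/digits/hyphens, not starting or
    ending with a hyphen.  A bare *domain* label has no such restriction (it is
    an arbitrary octet string), which is the distinction argued in the thread."""
    if not 1 <= len(label) <= 63:
        return False
    if label.startswith("-") or label.endswith("-"):
        return False
    return all(c in LDH_CHARS for c in label.lower())


def decode_label(label: str) -> str:
    """Return the Unicode form of one label, or raise ValueError saying why it
    must be rejected.  The same function serves the decoding side (resolver,
    application) and the encoding side (anything about to emit ACE)."""
    lower = label.lower()
    if not lower.startswith(ACE_PREFIX):
        if not lower.isascii():
            raise ValueError("non-ASCII label must be ACE-encoded first")
        if not is_ldh_host_label(lower):
            raise ValueError("not an LDH host-name label")
        return lower

    body = lower[len(ACE_PREFIX):]
    if not body or not body.isascii() or len(lower) > 63:
        raise ValueError("ACE label is empty, non-ASCII or too long")
    try:
        decoded = body.encode("ascii").decode("punycode")   # stdlib RFC 3492 codec
    except UnicodeError as exc:
        raise ValueError(f"Punycode decode failed: {exc}") from None

    # Point 1 of the thread: "xn--ehsco-" decodes to plain "ehsco".  An ACE
    # label whose decoded form is pure ASCII was never a legitimate IDN; it
    # only exists to slip a plain name past checks that look at the ACE form.
    if decoded.isascii():
        raise ValueError(f"ACE-encoded LDH label (decodes to {decoded!r})")
    if decoded.startswith("-") or decoded.endswith("-"):
        raise ValueError("decoded label starts or ends with a hyphen")

    # RFC 3490 ToUnicode step 5: re-encoding must reproduce the wire label,
    # otherwise one name has several spellings on the wire.
    reencoded = ACE_PREFIX + decoded.encode("punycode").decode("ascii")
    if reencoded != lower:
        raise ValueError(f"does not round-trip: {reencoded!r} != {lower!r}")
    return decoded


def rejection_reason(label: str) -> Optional[str]:
    """None if the label is acceptable, otherwise the reason it is rejected."""
    try:
        decode_label(label)
    except ValueError as exc:
        return str(exc)
    return None


def decode_hostname(name: str) -> List[str]:
    """Decode every label of a dotted host name; a forged ACE label anywhere
    in the name rejects the whole name."""
    return [decode_label(lbl) for lbl in name.rstrip(".").split(".")]


if __name__ == "__main__":
    # Constructed sample names, not taken from any real zone.
    for sample in ("ehsco.com", "xn--ehsco-.com", "xn--bcher-kva.example",
                   "xn--ehsco-kva.example", "-ehsco.com", "_sip.example"):
        try:
            print(f"{sample:26} -> {decode_hostname(sample)}")
        except ValueError as exc:
            print(f"{sample:26} -> REJECT: {exc}")
```

Note the last two samples: "_sip" is a perfectly good DNS label (SRV owner
names use it) but not a host-name label, so a checker that enforces the
IDNA rules on every label will refuse it; that is the host-name versus
domain-name line Paul says the draft still has to draw. "xn--ehsco-kva"
decodes to "eühsco", a legitimate IDN that looks like the LDH name, which
is why the "decodes to pure ASCII" test alone is necessary but not a
complete defence against look-alike names.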