
Re: [idn] comments on IDNA-04
"Adam M. Costello" wrote:
> 
> David Hopwood <david.hopwood@zetnet.co.uk> wrote:
> 
> > An ACE label means a type 00 domain label that consists of the ACE tag
> > and an output of the ACE encoding algorithm.
> 
> Not quite.  The simplest fully-precise definition is:  An ACE label is a
> label that gets altered when ToUnicode is applied to it.

In terms of the specific context of domain names embedded in data streams,
wouldn't the simplest definition be: any label that begins with the ACE
prefix? This definition doesn't care if the label is provided in
application data or in a DNS message or anything else, but it clearly
delineates the label as an ACE encoded label and also contributes to
clearly marking the hostile case of ACE labels that only contain ASCII.

The question of the hostile case came up earlier. The problem scenario is
having an app decode and display the name, but where DNS does not. This
allows for a hostile party to provide a link to www.zz--amazon.com which
decodes for display as www.amazon.com on the compliant browser, but where
DNS is sending the victim party to www.zz--amazon.com. The obvious method
for preventing this is to forbid delegations with the prefix. But not all
cases are isolated to public delegations, so all encoding/decoding systems
must reject them equally if the protection is to exist globally. As a
point of reference, my draft went so far (too far?) as to prohibit DNS
errors from being returned with these names.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
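The check the message argues for, as an added example that is not part of the original message or of any IDNA draft: a label is treated as an ACE label purely because it begins with the ACE prefix, and an ACE label whose decoded form contains only ASCII is rejected instead of displayed, so a name like www.zz--amazon.com can never be shown as www.amazon.com. The example assumes the modern IDNA realisation (prefix "xn--" and Punycode via Python's built-in codec) where the draft discussed above used the placeholder prefix "zz--" and had not yet fixed an encoding; the function names and the sample hostnames are constructed for the example.

```python
import codecs

# Modern IDNA ACE prefix (assumption for this example; the draft discussed
# in the message used "zz--" as a placeholder).
ACE_PREFIX = "xn--"


def classify_label(label, prefix=ACE_PREFIX):
    """Classify one domain label.

    Returns a (status, value) pair:
      ("plain",     label)   - not an ACE label; used as-is
      ("idn",       decoded) - well-formed ACE label carrying non-ASCII
      ("hostile",   label)   - ACE label that decodes to pure ASCII
      ("malformed", label)   - not decodable, or does not round-trip
    """
    # "ACE label" is decided by the prefix alone, regardless of where the
    # label came from (application data, DNS message, zone file ...).
    if not label.lower().startswith(prefix):
        return ("plain", label)
    body = label[len(prefix):]
    try:
        decoded = codecs.decode(body.encode("ascii"), "punycode")
    except (UnicodeError, ValueError):
        return ("malformed", label)
    # The hostile case: an encoding that carries only ASCII would be shown
    # to the user as a different (unencoded) name than DNS resolves.
    if decoded.isascii():
        return ("hostile", label)
    # Require a canonical round trip so two ACE spellings cannot map to
    # one displayed name.
    reencoded = prefix + codecs.encode(decoded, "punycode").decode("ascii")
    if reencoded.lower() != label.lower():
        return ("malformed", label)
    return ("idn", decoded)


def display_name(hostname, prefix=ACE_PREFIX):
    """Return the Unicode form of a hostname for display, or None if any
    label is a hostile or malformed ACE label (the whole name is refused,
    not just the offending label)."""
    out = []
    for label in hostname.split("."):
        status, value = classify_label(label, prefix)
        if status in ("hostile", "malformed"):
            return None
        out.append(value)
    return ".".join(out)


if __name__ == "__main__":
    # Constructed sample names, not real delegations.
    for name in ("www.xn--bcher-kva.example",   # legitimate IDN label
                 "www.xn--amazon-.example",     # ASCII-only ACE label
                 "www.example"):                # no ACE labels at all
        shown = display_name(name)
        print(f"{name:32} -> {shown if shown is not None else 'REJECTED'}")
```

The same `classify_label` check can be run when a zone is loaded, which is the "forbid delegations with the prefix" control the message describes applied at the server side; running it in every encoder and decoder as well is what gives the protection globally rather than only for public delegations.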