[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [idn] stringprep comment 1



Mark Davis <mark@macchiato.com> wrote:

> When stringprep is used correctly, loose vs loose comparisons alone
> will never happen.

At the very least, we need to spell that out in the stringprep spec.  We
need to say that the ultimate purpose of the guidelines about "stored
strings" and "query strings" is to make sure that two loosely prepared
strings are never compared.  That will at least give people a better
chance of figuring out when they can safely use loose stringprep.

I also suggest adding an explicit requirement that applications must
use strict stringprep whenever there is doubt.  They may use loose
stringprep only when they know that the string will not be compared with
another loosely prepared string (for example, when they are putting
the string into a protocol slot that is used only for comparisons with
strictly prepared strings; DNS queries qualify if we add a requirement
to IDNA prohibiting DNS servers from serving loosely-prepared names).

I think that's the least we should do.  We could go even further and
always prohibit unassigned code points.  That would occasionally
inconvenience people (who would have to upgrade their software), but
would be a lot simpler and would avoid confusing people when new
characters silently fail to match.

AMC