
Re: Some issues with the IRI document [NFCsecurity-09]

From: Martin Duerst <duerst@w3.org>
Date: Wed, 16 Apr 2003 15:03:33 -0400
Message-Id: <4.2.0.58.J.20030416145928.04a60ee0@localhost>
To: Simon Josefsson <jas@extundo.com>, public-iri@w3.org

At 16:51 03/04/16 +0200, Simon Josefsson wrote:

>A tangential observation on using different normalization strategies on
>different parts of the URI:
>
>If, say, a username (iuserinfo) within an IRI is normalized into
>something different than, say, a security protocol such as SASL or
>Kerberos (which uses different normalization strategies, both with
>regards to each other and to the ones discussed here) would normalize
>the username into, there are potential security consequences.
>
>To exemplify, consider if IRI adopted a nameprep style normalization
>scheme that translates ß into ss, and either of SASL or Kerberos did
>not but instead chose to maintain the difference between ß and ss,
>encoding a username containing ß into an IRI for use with SASL or
>Kerberos would denote a different username.
>
>I have not studied the IRI document closely, so this may have already
>been solved in the proper way, if so I'm sorry to drag up these old
>issues again.

Hello Simon,

IRIs in general require only NFC, or even less. So it should not
be the case that IRIs use stronger normalization than e.g.
SASL or Kerberos.

As far as I understand, security problems would arise if IRIs
use stronger normalization, but not the other way around. Is
this correct?

I have assigned
http://www.w3.org/International/iri-edit#NFCsecurity-09
to this issue.


Regards,   Martin.
Received on Wednesday, 16 April 2003 15:09:16 GMT
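An added illustration of the mismatch Simon describes and of the direction Martin asks about; this is example code written for this archive page, not part of the thread or of the IRI draft. It uses Python's stringprep tables as a stand-in for a nameprep-style protocol mapping (prohibited-character and bidi checks of RFC 3491 are omitted) and compares that with the NFC-only treatment an IRI layer would apply.

```python
"""Compare the normalization an IRI layer may apply (NFC at most) with a
stronger, nameprep-style mapping of the kind some security protocols use.
Simplified nameprep here: stringprep tables B.1 and B.2, then NFKC; the
prohibited-character and bidi checks of RFC 3491 are deliberately omitted.
"""
import stringprep
import unicodedata


def nfc(s: str) -> str:
    """Canonical composition only: the most an IRI layer requires."""
    return unicodedata.normalize("NFC", s)


def nameprep_like(s: str) -> str:
    """Nameprep-style mapping: drop B.1 code points, case-fold via B.2, then NFKC.
    Table B.2 maps U+00DF (sharp s) to "ss", which NFC never does."""
    mapped = "".join(
        stringprep.map_table_b2(ch) for ch in s if not stringprep.in_table_b1(ch)
    )
    return unicodedata.normalize("NFKC", mapped)


def layers_agree(username: str) -> bool:
    """True when the IRI layer and a nameprep-style protocol see the same name."""
    return nfc(username) == nameprep_like(username)


def collide(a: str, b: str, normalize) -> bool:
    """True when two distinct input names become one identity under `normalize`.
    Under nameprep_like, "straße" and "strasse" collide; under nfc they do not."""
    return a != b and normalize(a) == normalize(b)


def audit(usernames):
    """Map each iuserinfo value whose identity differs between the two layers
    to the pair (form seen by the IRI layer, form seen by the protocol)."""
    return {u: (nfc(u), nameprep_like(u)) for u in usernames if not layers_agree(u)}


if __name__ == "__main__":
    # Constructed sample usernames; they are not taken from the thread.
    samples = ["stra\u00dfe", "strasse", "M\u00fcller", "mu\u0308ller"]
    for name, (iri_form, proto_form) in audit(samples).items():
        print(f"{name!r}: IRI layer sees {iri_form!r}, protocol sees {proto_form!r}")
```

A decomposed name such as "mu\u0308ller" passes the audit because both layers compose it the same way; only the stronger mapping (case folding, ß to ss) makes the two layers disagree.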
