- From: Simon Josefsson <jas@extundo.com>
- Date: Wed, 16 Apr 2003 22:21:16 +0200
- To: Martin Duerst <duerst@w3.org>
- Cc: public-iri@w3.org
Martin Duerst <duerst@w3.org> writes:

> IRIs in general require only NFC, or even less. So it should not
> be the case that IRIs use stronger normalization than e.g.
> SASL or Kerberos.
>
> As far as I understand, security problems would arise if IRIs
> use stronger normalization, but not the other way around. Is
> this correct?

Note that it is possible that some security protocols, even i18n'ed using stringprep, do not use normalization. So if IRIs used NFC for iuserinfo, it appears as if IRIs would use stronger normalization than the security protocol, and there might be problems.

Normalization isn't required by stringprep, nor is it used by legacy systems out there that support i18n but not Unicode nor NFC of usernames, of which there are many, even including SASL and Kerberos.

If you want deployed examples, see RFC 2595, which defines a SASL mechanism that uses unnormalized UTF-8 for usernames. It is commonly used for IMAP, and there even exist (two) experimental approaches to using it in HTTP.

Received on Wednesday, 16 April 2003 16:21:22 UTC
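
Added example, not part of the original message: a Python sketch of the mismatch discussed above, where a front end applies NFC to iuserinfo while the back end compares unnormalized UTF-8 usernames byte for byte. The account table, uid values and function names are constructed for illustration; `audit` lists the stored names that such a front end can no longer reach or tell apart.

```python
import unicodedata
from collections import defaultdict

# Constructed account table for a server that stores usernames as raw,
# unnormalized UTF-8 (the RFC 2595 situation described in the message).
ACCOUNTS = {
    "andre\u0301".encode("utf-8"): "uid-1001",  # 'e' + U+0301 combining acute
    "andr\u00e9".encode("utf-8"): "uid-1002",   # precomposed U+00E9
    "maria".encode("utf-8"): "uid-1003",
}


def backend_lookup(username_bytes):
    """Legacy behaviour: exact byte comparison, no normalization."""
    return ACCOUNTS.get(username_bytes)


def iri_userinfo_to_bytes(userinfo):
    """Hypothetical IRI front end that applies NFC to iuserinfo before use."""
    return unicodedata.normalize("NFC", userinfo).encode("utf-8")


def audit(accounts):
    """Return (unreachable, collisions) for an NFC-normalizing client.

    unreachable: stored names whose bytes change under NFC, so a normalized
                 identifier never matches them exactly.
    collisions:  NFC form -> stored names that become indistinguishable.
    """
    by_nfc = defaultdict(list)
    unreachable = []
    for raw in accounts:
        name = raw.decode("utf-8")
        nfc = unicodedata.normalize("NFC", name)
        by_nfc[nfc].append(raw)
        if nfc != name:
            unreachable.append(raw)
    collisions = {k: sorted(v) for k, v in by_nfc.items() if len(v) > 1}
    return unreachable, collisions


if __name__ == "__main__":
    typed = "andre\u0301"  # what the owner of uid-1001 enters
    print("direct   :", backend_lookup(typed.encode("utf-8")))
    print("via NFC  :", backend_lookup(iri_userinfo_to_bytes(typed)))
    print("audit    :", audit(ACCOUNTS))
```

Run against a real user database export, the same audit shows whether adding normalization in front of a non-normalizing protocol would change which identity a given name resolves to.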