- From: Maciej Stachowiak <mjs@apple.com>
- Date: Sun, 28 Feb 2010 10:16:40 -0800
- To: Larry Masinter <LMM@acm.org>
- Cc: public-iri@w3.org
- Message-id: <A9A9BDF5-58F1-4262-AC6D-58E36E97A390@apple.com>
On Feb 27, 2010, at 9:19 PM, Larry Masinter wrote: > (resending after fixing access problem) > > Right now, the “Security Considerations” section of http://tools.ietf.org/html/draft-ietf-iri-3987bis-00#section-10 > contains a relatively short discussion of the issues around > spoofing. > > I’d like to replace most of that section with a summary and a > pointer to the Unicode Technical Report #36 > > http://unicode.org/reports/tr36/tr36-8.html > > which expands the discussion quite a bit. I think a summary might > be the form: > > =============draft============ > There are serious difficulties with relying on a human to verify > that a presentation of an IRI to them (whether visually or read out > loud) is the same as another identifier or is the one intended. > These problems exist with ASCII-only URIs (bl00mberg.com vs. bloomberg.com > ) but are enormously exacerbated when using the larger character > repertoire of Unicode; these problems are elaborated in [UTR#36]. > There seems to be little hope of relying on either administrative or > technical means to reduce the availability of such exploits, to the > extent that user agents SHOULD NOT relying on visual or perceptual > comparison or verification of IRIs as any means of validating or > assuring safety, correctness or appropriateness of an IRI. > > [UTR#36] also identifies additional security considerations that are > applicable to IRIs. > > ======draft============ > > > Basically, I want to push the issue of Spoofing in IRIs to another > document. > > Thoughts? > > Comments? I think there's one piece of your summary that is oddly stated: "... to the extent that user agents SHOULD NOT relying on visual or perceptual comparison or verification of IRIs as any means of validating or assuring safety". User agents don't do any visual comparisons of IRIs directly for their own purposes, they do character- by-character comparisons. The problem is with users themselves, not user agents, doing visual comparisons. Also, while UTR#36 has many specific suggestions for improving IRI security, they are not all for user agents. Some are recommendations for procedures when registering domain names. The UA recommendations do not amount to completely removing the user's reliance on visual comparison, although they may somewhat mitigate the risk of showing the user certain kinds of visually confusable URIs. I'm not sure the recommendations of UTR#36 can be summarized adequately in a short paragraph. Regards, Maciej
Received on Sunday, 28 February 2010 18:17:15 UTC