Re: spoofing and IRIs

I like the summary in general, but I have a question about what
perceptual would mean here.  Is it intended
to deal with the case where the string is read aloud?

regards,

Ted

On Tue, Mar 2, 2010 at 8:39 AM, Larry Masinter <LMM@acm.org> wrote:
> (bcc to www-tag@w3.org for W3C TAG ACTION-343
>  http://www.w3.org/2001/tag/group/track/actions/343)
>
> Right now, the “Security Considerations” section of
> http://tools.ietf.org/html/draft-ietf-iri-3987bis-00#section-10 contains a
> relatively short discussion of the issues around spoofing.
>
> I’d like to replace most of that section with a summary and a pointer to the
> Unicode Technical Report #36
>
> http://unicode.org/reports/tr36/tr36-8.html
>
> which expands the discussion quite a bit. I think a summary might be the
> form:
>
> =============draft============
>
> There are serious difficulties with relying on a human to verify that a
> presentation of an IRI to them (whether visually or read out loud) is the
> same as another identifier or is the one intended. These problems exist with
> ASCII-only URIs (bl00mberg.com vs. bloomberg.com) but are enormously
> exacerbated when using the larger character repertoire of Unicode; these
> problems are elaborated in [UTR#36]. There seems to be little hope of
> relying on either administrative or technical means to reduce the
> availability of such exploits, to the extent that user agents SHOULD NOT
> rely on visual or perceptual comparison or verification of IRIs as any
> means of validating or assuring safety, correctness or appropriateness of an
> IRI.
>
> [UTR#36] also identifies additional security considerations that are
> applicable to IRIs.
>
> =============draft============
>
> Basically, I want to push the issue of Spoofing in IRIs to another document.
>
> Thoughts?
>
> Comments?
>
> Larry
>
> --
>
> http://larry.masinter.net
>

Received on Tuesday, 2 March 2010 17:40:46 UTC
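The draft text quoted above argues that a user agent must not rely on a human's visual or perceptual comparison of IRIs, because strings that look alike (bl00mberg.com vs. bloomberg.com, or a host spelled with Cyrillic letters that render like Latin ones) are different identifiers. The following is an added illustration, not part of the thread or of UTR#36 itself: a small Python checker that does what the draft says the user agent should do instead of trusting the eye, namely a mechanical comparison. It folds a host label to a "skeleton" (NFKC normalization, case folding, and a hand-built lookalike table that is a constructed subset, not the official confusables data) and flags labels that mix scripts. The expected-host list, the lookalike table and the sample hosts containing Cyrillic letters are all constructed for the demo.

```python
import unicodedata

# Constructed lookalike table (a tiny subset of the idea behind the UTR#36
# "skeleton" comparison, NOT the official confusables data). Each entry maps
# a character to the ASCII character it is commonly mistaken for.
CONFUSABLES = {
    "0": "o", "1": "l", "5": "s", "3": "e",
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u2024": ".",  # ONE DOT LEADER (NFKC already folds it, kept for clarity)
}


def skeleton(label):
    """Reduce a host label to a comparison skeleton: NFKC-normalize, case-fold,
    then replace every known lookalike character with the ASCII character it
    resembles. Two labels with equal skeletons are 'the same' to a human eye."""
    folded = unicodedata.normalize("NFKC", label).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def script_of(ch):
    """Coarse script classification from the Unicode character name
    (sufficient for the demo; a real implementation would use Script properties)."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def scripts_in(label):
    """Set of scripts used by the alphabetic characters of a label."""
    return {script_of(ch) for ch in label if ch.isalpha()}


def is_mixed_script(label):
    """Mixed-script labels are a classic spoofing signal (UTR#36 discusses them)."""
    return len(scripts_in(label)) > 1


def confusable_with(candidate, expected):
    """True when two labels are different strings but share a skeleton,
    i.e. they would pass a visual comparison while failing an exact one."""
    return candidate != expected and skeleton(candidate) == skeleton(expected)


def assess_host(candidate, expected_hosts):
    """Return the findings for a host the user is about to trust, checked
    mechanically against a list of hosts the deployment expects to see."""
    findings = []
    if is_mixed_script(candidate):
        findings.append("mixed-script")
    for expected in expected_hosts:
        if confusable_with(candidate, expected):
            findings.append(f"confusable-with:{expected}")
    return findings


if __name__ == "__main__":
    # Constructed sample hosts: the ASCII pair from the draft text, plus a
    # version of the same name spelled with two CYRILLIC SMALL LETTER O.
    expected = ["bloomberg.com"]
    for host in ["bloomberg.com", "bl00mberg.com", "bl\u043e\u043emberg.com", "example.net"]:
        print(repr(host), "->", assess_host(host, expected) or "no findings")
```

The point the draft makes falls out directly: `"bl\u043e\u043emberg.com"` and `"bloomberg.com"` compare unequal as strings, render identically in many fonts, and are only caught because the comparison is done on skeletons and script mix rather than by a person looking at them.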