- From: Addison Phillips via GitHub <sysbot+gh@w3.org>
- Date: Thu, 16 Jan 2025 23:18:10 +0000
- To: public-i18n-archive@w3.org
aphillips has just created a new issue for https://github.com/w3c/i18n-activity:
== Security considerations statement perhaps too bold? ==
## Proposed comment
https://datatracker.ietf.org/doc/draft-bray-unichars/
> Note that the Unicode-character subsets specified in this document
include a successively-decreasing number of problematic code points,
and thus should be less and less susceptible to vulnerabilities. The
Section 4.3 subset, "Unicode Assignables", excludes all of them.
Saying that the Section 4.3 subset excludes "all of them" suggests that no exploits remain. The preceding paragraph mentions RFC8264's security considerations applies here also, and that document is somewhat thorough. Since [homographs](https://www.w3.org/TR/charmod-norm/#normalizationLimitations) cannot be eliminated, maybe this should say something slightly different? Perhaps:
> Note that the Unicode-character subsets specified in this document
successively exclude an increasing number of problematic code points,
and thus should be less and less susceptible to many of these exploits.
The Section 4.3 subset, "Unicode Assignables", excludes all of the
functionally problematic code points.
I should mention, however, that UTS#55 probably should be mentioned/considered. "Trojan Source" attacks using bidi formatting characters can affect protocol text and document formats. This is probably a gap that needs mentioning. Mentioning homographs and confusables is probably worth a couple of words?
## Instructions:
This follows the process at https://w3c.github.io/i18n-activity/guidelines/review-instructions.html
1. Create the review comment you want to propose by replacing the prompts above these instructions, but **LEAVE ALL THE INSTRUCTIONS INTACT**
2. **Add one or more t:... labels. These should use ids from specdev establish a link to that doc.**
2. Set a label to identify the spec: this starts with s: followed by the spec's short name. If you are unable to do that, ask a W3C staff contact to help.
3. Ask the i18n WG to review your comment.
4. After discussion with the i18n WG, raise an issue in the repository of the WG that owns the spec. Use the text above these instructions as the starting point for that comment, but add any suggestions that arose from the i18n WG. In the other WG's repo, add an 'i18n-needs-resolution' label to the new issue. If you think any of the participants in layout requirements task force groups would be interested in following the discussion, add also the appropriate i18n-\*lreq label(s).
5. Delete the text below that says 'url_for_the_issue_raised', then add in its place the URL for the issue you raised in the other WG's repository. Do NOT remove the initial '§ '. Do NOT use \[...](...) notation – you need to delete the placeholder, then paste the URL.
6. Remove the 'pending' label, and add a 'needs-resolution' tag to this tracker issue.
7. If you added an \*lreq label, add the label 'spec-type-issue', add the corresponding language label, and a label to indicate the relevant typographic feature(s), eg. 'i:line_breaking'. The latter represent categories related to the Language Enablement Index, and all start with i:.
8. Edit this issue to **REMOVE ALL THE INSTRUCTIONS & THE PROPOSED COMMENT**, ie. the line below that is '---' and all the text before it to the very start of the issue.
---
**This is a tracker issue.** Only discuss things here if they are i18n WG internal meta-discussions about the issue. **Contribute to the actual discussion at the following link:**
§ url_for_the_issue_raised
Please view or discuss this issue at https://github.com/w3c/i18n-activity/issues/1984 using your GitHub account
--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 16 January 2025 23:18:11 UTC