- From: Jeremy Carroll <jjc@hplb.hpl.hp.com>
- Date: Sun, 03 Apr 2005 20:27:39 +0100
- To: public-i18n-core@w3.org
- CC: "Deborah Cawkwell" <deborah.cawkwell@bbc.co.uk>

I've got a bug in my use of normalization library code to fix (icu4j
being used by Jena).

This got me thinking about the discussion in Boston on normalization.

Where we got to was that

  specs should say must do early
  if not they should say must do late
  if not they must document security risks

I was not quite comfortable because it seems that similar
responsibilities lie with implementors.

So I suggest that we modify to:

  specs should say apps must do early
  if not they should say apps must do late and may do early
  if not they must document security risks and apps may do early or late

and that

  applications should do early
  if not they should do late
  if not they must document security risks

Note: a common way of implementing this, with a spec that permits no
normalization, is to implement early, but have a flag which switches it
off, and the documentation on that flag clearly indicating the security
risks.

This would then end up with a matrix

              spec:  early   late   none*
    app:
      early          OK      OK     OK
      late:          no      OK     OK
      none:          no      no     OK*

    * = security risks documented

maybe this is too complicated.

When I was 17 my maths report at school was that "Jeremy is overly fond
of algebraic drapery"

Jeremy

Received on Sunday, 3 April 2005 19:28:36 UTC
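
An added example, not part of the original message and not Jena or ICU4J code: the early/late/none policies and the matrix above, sketched in Python with the standard unicodedata module standing in for ICU4J. NameRegistry, its mode flag, the choice of NFC and the sample strings are assumptions made for illustration; app_conforms reads the matrix as "an app may normalize earlier than the spec asks, never later".

```python
import unicodedata

# Constructed sample: the same visible name in two encodings.
COMPOSED = "caf\u00e9"      # U+00E9, precomposed e-acute
DECOMPOSED = "cafe\u0301"   # 'e' followed by U+0301 combining acute

STRENGTH = {"none": 0, "late": 1, "early": 2}

def nfc(text):
    return unicodedata.normalize("NFC", text)

def app_conforms(spec, app):
    """The matrix: OK when the app normalizes at least as early as the spec asks."""
    return STRENGTH[app] >= STRENGTH[spec]

class NameRegistry:
    """Hypothetical identifier store; `mode` plays the role of the flag."""

    def __init__(self, mode="early"):
        if mode not in STRENGTH:
            raise ValueError(f"unknown mode: {mode!r}")
        self.mode = mode
        self.names = []

    def register(self, name):
        """Store `name`; return False if an equal name already exists."""
        if self.mode == "early":
            name = nfc(name)              # normalize at the point of entry
        if self.contains(name):
            return False
        self.names.append(name)
        return True

    def contains(self, name):
        if self.mode == "none":
            return name in self.names     # raw code point comparison
        probe = nfc(name)                 # late: normalize at comparison time
        return any(nfc(stored) == probe for stored in self.names)

def duplicate_accepted(mode):
    """Register both spellings; True means the look-alike got its own entry."""
    registry = NameRegistry(mode)
    registry.register(COMPOSED)
    return registry.register(DECOMPOSED)

if __name__ == "__main__":
    for mode in ("early", "late", "none"):
        print(mode, "duplicate accepted:", duplicate_accepted(mode))
```

With mode "none" the two spellings become separate entries that render identically, which is the risk the flag's documentation would need to describe.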