Normalization thoughts

I've got a bug in my use of normalization library code to fix (icu4j 
being used by Jena).

This got me thinking about the discussion in Boston on normalization.

Where we got to was that
specs should say must do early
if not they should say must do late
if not they must document security risks

I was not quite comfortable because it seems that similar 
responsibilities lie with implementors.

So I suggest that we modify to:


specs should say apps must do early
if not they should say apps must do late and may do early
if not they must document security risks and apps may do early or late

and that

applications should do early
if not they should do late
if not they must document security risks

Note: a common way of implementing this, with a spec that permits no 
normalization, is to implement early, but have a flag which switches it 
off, and the documentation on that flag clearly indicating the security 
risks.

This would then end up with a matrix


     spec: early     late       none*

app:

early      OK       OK         OK
late:      no       OK         OK
none:      no       no         OK*

* = security risks documented

maybe this is too complicated.

When I was 17 my maths report at school was that "Jeremy is overly fond 
of algebraic drapery"

Jeremy

Received on Sunday, 3 April 2005 19:28:36 UTC