- From: Jeremy Carroll <jjc@hplb.hpl.hp.com>
- Date: Sun, 03 Apr 2005 20:27:39 +0100
- To: public-i18n-core@w3.org
- CC: "Deborah Cawkwell" <deborah.cawkwell@bbc.co.uk>

I've got a bug in my use of normalization library code to fix (icu4j being used by Jena).

This got me thinking about the discussion in Boston on normalization.

Where we got to was that

    specs should say must do early
    if not they should say must do late
    if not they must document security risks

I was not quite comfortable because it seems that similar responsibilities lie with implementors.

So I suggest that we modify to:

    specs should say apps must do early
    if not they should say apps must do late and may do early
    if not they must document security risks and apps may do early or late

and that

    applications should do early
    if not they should do late
    if not they must document security risks

Note: a common way of implementing this, with a spec that permits no normalization, is to implement early, but have a flag which switches it off, and the documentation on that flag clearly indicating the security risks.

This would then end up with a matrix

    spec:     early   late    none*
    app:
    early     OK      OK      OK
    late:     no      OK      OK
    none:     no      no      OK*

    * = security risks documented

maybe this is too complicated. When I was 17 my maths report at school was that "Jeremy is overly fond of algebraic drapery"

Jeremy

Received on Sunday, 3 April 2005 19:28:36 UTC