Comments on UTR #36

Hi all,

With this mail I send some personal comments on "UTR #36 Unicode 
Security Considerations".

Best regards, Felix.

*1 I'm wondering what the role of upper level protocols / specific 
formats is, since you often speak in general of "software interfaces". 
The security issues might be different e.g. for the XML Schema data type 
any:URI, or the http protocol, since they have a different level of 
adoption of IRI. The IRI-specification (RFC3987, sec. 6.3) gives some 
examples of such differences.

*2 In addition to the last comment: a section might be useful which 
summarizes the necessary security efforts for different areas, e.g. user 
agents / protocol developers.

*3 Sec. 2.8: "It is unlikely, for example, that ㋕ would be typed by a 
Japanese user, nor that it need work in copied text." I don't see an 
explanation of ㋕ in the text. Maybe you want to point to the half-width 
Japanese katakana character カ, which you mentioned in the text above?

*4 You should describe the role of normalization in the non-domain part 
of URLs, as you already mention at the end of sec. 2.10.3. Probably you 
will rely on the IRI specification for that. The mapping of IRI to URI 
(sec. 3.1 of that spec) requires that IRIs with characters which are 
already in a Unicode-based character encoding are not normalized. This 
might lead to ambiguity. An example for this is given by [2], focusing 
on CSS. Again this is an issue which depends on a specific format / 
protocol.

[1] http://www.unicode.org/reports/tr36/draft/
[2] http://lists.w3.org/Archives/Public/www-style/2005Mar/0102

Received on Wednesday, 25 May 2005 03:22:32 UTC
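
The ambiguity raised in comment *4, shown as an added example that is not part of the original mail: a simplified, path-only version of the IRI-to-URI mapping (UTF-8 percent-encoding with no normalization step) applied to two visually identical paths. The function names and sample paths are constructed for illustration.

```python
import unicodedata
from urllib.parse import quote

# ASCII characters left untouched in a path; "%" is kept so existing
# escapes are not double-encoded. Simplification: path component only.
_SAFE = "/:@!$&'()*+,;=-._~%"

def iri_path_to_uri(path: str) -> str:
    """Percent-encode the UTF-8 octets of non-ASCII characters.
    No normalization is applied, matching the case comment *4 describes
    (input already in a Unicode-based encoding)."""
    return quote(path, safe=_SAFE, encoding="utf-8")

def is_nfc(path: str) -> bool:
    """True when the path is already in Normalization Form C."""
    return unicodedata.normalize("NFC", path) == path

def differ_only_by_normalization(a: str, b: str) -> bool:
    """True when two distinct strings become equal after NFC."""
    nfc = unicodedata.normalize
    return a != b and nfc("NFC", a) == nfc("NFC", b)

def audit(paths):
    """Report non-NFC paths and pairs that collide once normalized."""
    findings = [("not-nfc", p) for p in paths if not is_nfc(p)]
    for i, a in enumerate(paths):
        for b in paths[i + 1:]:
            if differ_only_by_normalization(a, b):
                findings.append(("ambiguous-pair",
                                 iri_path_to_uri(a), iri_path_to_uri(b)))
    return findings

# Constructed sample input: both render as "/café/style.css".
PRECOMPOSED = "/caf\u00e9/style.css"   # U+00E9
DECOMPOSED = "/cafe\u0301/style.css"   # "e" + U+0301 combining acute

if __name__ == "__main__":
    for p in (PRECOMPOSED, DECOMPOSED):
        print(repr(p), "->", iri_path_to_uri(p))
    for finding in audit([PRECOMPOSED, DECOMPOSED]):
        print(finding)
```

A server, cache or access-control rule that compares the resulting URIs byte for byte treats the two as different resources, which is why the check has to run before the mapping.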