- From: Martin Duerst <duerst@w3.org>
- Date: Wed, 16 Apr 2003 15:03:33 -0400
- To: Simon Josefsson <jas@extundo.com>, public-iri@w3.org
At 16:51 03/04/16 +0200, Simon Josefsson wrote: >A tangental observation on using different normalization strategies on >different parts of the URI: > >If, say, a username (iuserinfo) within a IRI is normalized into >something different than, say, a security protocol such as SASL or >Kerberos (which uses different normalization strategies, both with >regards to each other and to the ones discussed here) would normalize >the username into, there are potential security consequences. > >To examplify, consider if IRI adopted a nameprep style normalization >scheme that translates ゜ into ss, and either of SASL or Kerberos did >not but instead chosed to maintain the difference between ゜ and ss, >encoding a username containing ゜ into an IRI for use with SASL or >Kerberos would denote a different username. > >I have not studied the IRI document closely, so this may have already >been solved in the proper way, if so I'm sorry to drag up these old >issues again. Hello Simon, IRIs in general require only NFC, or even less. So it should not be the case that IRIs use stronger normalization than e.g. SASL or Kerberos. As far as I understand, security problems would arise if IRIs use stronger normalization, but not the other way around. Is this correct? I have assigned http://www.w3.org/International/iri-edit#NFCsecurity-09 to this issue. Regards, Martin.
Received on Wednesday, 16 April 2003 15:09:16 UTC