- From: Larry Masinter <masinter@adobe.com>
- Date: Tue, 17 Nov 2009 10:56:04 -0800
- To: "PUBLIC-IRI@W3.ORG" <PUBLIC-IRI@w3.org>
- CC: Pete Resnick <presnick@qualcomm.com>, Ted Hardie <ted.ietf@gmail.com>
- Message-ID: <8B62A039C620904E92F1233570534C9B0118DC8FAA4E@nambx04.corp.adobe.com>
These are "strawman" proposals in response to the IAB talk at the IETF meeting last week: knock down if you can. ---- 1. Punicode for host names vs. non-public-DNS resolution A number of the concerns in the about using punicode for domain names when doing IRI -> URI translation seem to have come from the fact that there are widely deployed private networks which don't use punicode at all, but rather send UTF8 directly to DNS, which the DNS protocol allows. However, I think for the use case of URI, we could take the position that URIs are really intended to be "UNIFORM" resource identifiers, whose primary use is for communication over the world-wide web, and that that use case should predominate, and that, for that reason, IRI -> URI translation MUST use punicode for host names. We should then note that private environments with additional mappings may need to deploy software that * uses the IRI form directly (i.e., don't translate IRI -> URI first) * translates punicode host names back into UTF8 for sending to locally specified host name mappings (i.e., undo the IRI->URI translation) * provide alternative registration or lookup services for punicode version of host names ----- 1. Spoofing Secondly, there are a number of concerns raised about spoofing. Of course, spoofing is an issue with just ASCII too, example.com vs example.corn being difficult to distinguish, (never mind example.C0M). The observation is that there are many ways in which names can be formed for which there is NO visible distinction between what are separate unicode encodings. The main way I think of addressing these are: 1. Visual validation of URIs and IRIs is basically *NOT EFFECTIVE* and that user agents *SHOULD NOT USE* visual validation as the primary way of preventing spoofing. Other methods for protecting against phishing *MUST* be used. I think we can point to some of the techniques that browsers currently already deploy as alternatives, without making them normative. 2. Anyone who prints an IRI on the side of a bus or a matchbook cover has the responsibility of making sure that what they print can be typed in a way that leads to an unambiguous result. Currently this advice only applies to ASCII-only URIs, and the extension to other non-ASCII URIs depends on infrastructure that is NOT currently part of, or mandated by, or appropriate for, the IRI specification. Unfortunately, the implementation advice on how to generate an unambiguously-enterable IRI depends on technology deployment which HAS NOT YET HAPPENED, and nothing we can specify in the IETF will make it happen sooner. We can give some advice that will mitigate a few of the problems, but so few that making that advice normative isn't actually helpful. ------ 1. Comparison (Related but different from spoofing) There are a number of examples in the IAB presentation of cases where comparison of ASCII-only identifiers can't readily be extended to comparison of Unicode-extended identifiers, because of the multiple representations and lack of a single canonical form (such as with ASCII where case-insensitive comparison => lower case canonical form). I think with the case of URIs and IRIs that the only comparison that should be normative is "exact string compare", and that any other comparison, normalization or other advice should be scheme specific. We could take the entire comparison section of the IRI document and separate it out into its own BCP. Anyway, these are 3 strawman proposals for how to deal with technical issues raised by the IAB talk at the technical plenary. Fire away. Larry ----- http://larry.masinter.net From: public-iri-request@w3.org [mailto:public-iri-request@w3.org] On Behalf Of Larry Masinter Sent: Tuesday, November 17, 2009 8:36 AM To: PUBLIC-IRI@W3.ORG Cc: Pete Resnick; Ted Hardie Subject: Slides from IETF Still waiting for meeting summary & minutes My slides: http://www.ietf.org/proceedings/09nov/slides/iri-0.pdf (no particularly new material) http://www.ietf.org/proceedings/09nov/slides/plenaryt-1.pdf was an IAB report on Internationalization in Names and other Identifiers I think we need to be careful to make sure we've considered the issues raised by the IAB. Personally, I thought the BOF went well and that there was clear general agreement that there was work to be done, many people agreed to participate, but that we had to update the charter in response to the discussion. Larry -- http://larry.masinter.net
Received on Tuesday, 17 November 2009 19:02:07 UTC