spoofing and IRIs from Larry Masinter on 2010-02-28 (public-iri@w3.org from February 2010)

From: Larry Masinter <LMM@acm.org>
Date: Sat, 27 Feb 2010 21:19:55 -0800
To: <public-iri@w3.org>
Message-ID: <001001cab835$aae803f0$00b80bd0$@org>

(resending after fixing access problem) 

 

Right now, the "Security Considerations" section of
http://tools.ietf.org/html/draft-ietf-iri-3987bis-00#section-10
contains a relatively short discussion of the issues around spoofing.

 

I'd like to replace most of that section with a summary and a pointer
to the Unicode Technical Report #36

 

http://unicode.org/reports/tr36/tr36-8.html 

 

which expands the discussion quite a bit.  I think a summary might be
the form:

 

=============draft============

There are serious difficulties with  relying on a human to verify that
a presentation of an IRI to them  (whether visually or read out loud)
is the same as another identifier or is the one intended. These
problems exist with ASCII-only URIs (bl00mberg.com vs. bloomberg.com)
but are enormously exacerbated when using  the larger character
repertoire of Unicode; these problems are elaborated in [UTR#36].
There seems to be little hope of relying on either administrative or
technical means to reduce the availability of such exploits, to the
extent that user agents SHOULD NOT relying on visual or perceptual
comparison or verification of IRIs as any means of validating or
assuring safety, correctness or appropriateness of an IRI.

 

[UTR#36] also identifies additional security considerations that are
applicable to IRIs.

 

 ======draft============

 

 

Basically, I want to push the issue of Spoofing in IRIs to another
document.

 

Thoughts?

 

Comments?

 

Larry

--

http://larry.masinter.net

Received on Sunday, 28 February 2010 05:20:33 UTC