Re: spoofing and IRIs

Sounds a good idea.

On 2010-02 -28, at 00:12, Larry Masinter wrote:

> (bcc to www-tag@w3.org for W3C TAG ACTION-343  http://www.w3.org/2001/tag/group/track/actions/343)
>  
> Right now, the “Security Considerations” section of http://tools.ietf.org/html/draft-ietf-iri-3987bis-00#section-10  contains a relatively short discussion of the issues around spoofing.
>  
> I’d like to replace most of that section with a summary and a pointer to the Unicode Technical Report #36
>  
> http://unicode.org/reports/tr36/tr36-8.html
>  
> which expands the discussion quite a bit.  I think a summary might be the form:
>  
> =============draft============
> There are serious difficulties with  relying on a human to verify that a presentation of an IRI to them  (whether visually or read out loud) is the same as another identifier or is the one intended. These problems exist with ASCII-only URIs (bl00mberg.com vs. bloomberg.com) but are enormously exacerbated when using  the larger character repertoire of Unicode; these problems are elaborated in [UTR#36].  There seems to be little hope of relying on either administrative or technical means to reduce the availability of such exploits, to the extent that user agents SHOULD NOT relying on visual or perceptual comparison or verification of IRIs as any means of validating or assuring safety, correctness or appropriateness of an IRI.
>  
> [UTR#36] also identifies additional security considerations that are applicable to IRIs.
>  
>  ======draft============
>  
>  
> Basically, I want to push the issue of Spoofing in IRIs to another document.
>  
> Thoughts?
>  
> Comments?
>  
> Larry
> --
> http://larry.masinter.net
>  
>  

Received on Tuesday, 2 March 2010 16:39:43 UTC