- From: Larry Masinter <LMM@acm.org>
- Date: Tue, 2 Mar 2010 10:32:59 -0800
- To: "'Ted Hardie'" <ted.ietf@gmail.com>
- Cc: <public-iri@w3.org>, <markdavis@google.com>, <michel@suignard.com>
I was trying to generalize it to cover cases audio presentation as well as visual. One amendment is to change: " user agents SHOULD NOT relying on visual or perceptual comparison" to "user agents SHOULD NOT rely on users doing visual or perceptual comparison". It seems like some modern browsers also have some "site identity" logic which notes whether the site has identity information that can be validated, whether you've visited it before, whether there are cookies, etc. Current trends seem to me to be that more and more web users are relying on search rather than remembering URLs to find the "authentic" sites, and the role of URLs in the past are looking more and more like CNRP: type a term or phrase into the address bar, and you get the "I'm feeling lucky" result of the search engine you've chosen. This trend might increase for mobile devices, e.g., http://en.wikipedia.org/wiki/Google_Voice_Search Larry -----Original Message----- From: Ted Hardie [mailto:ted.ietf@gmail.com] Sent: Tuesday, March 02, 2010 9:40 AM To: Larry Masinter Cc: public-iri@w3.org; markdavis@google.com; michel@suignard.com Subject: Re: spoofing and IRIs I like the summary in general, but I have a question about what perceptual would mean here. Is it intended to deal with the case where the string is read aloud? regards, Ted On Tue, Mar 2, 2010 at 8:39 AM, Larry Masinter <LMM@acm.org> wrote: > (bcc to www-tag@w3.org for W3C TAG ACTION-343 > http://www.w3.org/2001/tag/group/track/actions/343) > > > > Right now, the “Security Considerations” section of > http://tools.ietf.org/html/draft-ietf-iri-3987bis-00#section-10 contains a > relatively short discussion of the issues around spoofing. > > > > I’d like to replace most of that section with a summary and a pointer to the > Unicode Technical Report #36 > > > > http://unicode.org/reports/tr36/tr36-8.html > > > > which expands the discussion quite a bit. I think a summary might be the > form: > > > > =============draft============ > > There are serious difficulties with relying on a human to verify that a > presentation of an IRI to them (whether visually or read out loud) is the > same as another identifier or is the one intended. These problems exist with > ASCII-only URIs (bl00mberg.com vs. bloomberg.com) but are enormously > exacerbated when using the larger character repertoire of Unicode; these > problems are elaborated in [UTR#36]. There seems to be little hope of > relying on either administrative or technical means to reduce the > availability of such exploits, to the extent that user agents SHOULD NOT > relying on visual or perceptual comparison or verification of IRIs as any > means of validating or assuring safety, correctness or appropriateness of an > IRI. > > > > [UTR#36] also identifies additional security considerations that are > applicable to IRIs. > > > > ======draft============ > > > > > > Basically, I want to push the issue of Spoofing in IRIs to another document. > > > > Thoughts? > > > > Comments? > > > > Larry > > -- > > http://larry.masinter.net > > > >
Received on Tuesday, 2 March 2010 18:33:38 UTC