- From: Frank Yung-Fong Tang <ytang0648@aol.com>
- Date: Mon, 14 Feb 2005 16:13:20 -0500
- To: "Douglas Davidson" <ddavidso@apple.com>
- cc: www-international@w3.org, "Unicode Mailing List" <unicode@unicode.org>
Douglas Davidson wrote on 2/14/2005, 1:32 PM:

> On 2005-02-14 09:52:17 -0800 Frank Yung-Fong Tang <ytang0648@aol.com>
> wrote:
>
> Frank,
>
> Perhaps we can take inspiration from something that we already have in
> mail. For example, when I see your address above, it looks like
> "Frank Yung-Fong Tang <ytang0648@aol.com>". In this the first part is
> clearly intended to be the human-readable portion, and it would be
> reasonable for you to put arbitrary Unicode in it--Chinese characters,
> for example. The second part is just as clearly intended to be the
> authoritative machine-readable address.

Well... not exactly, people are working on I18N email addresses too. We do have people who want to see their email address look like 譚永鋒@美國上線.公司. The "美國上線.公司" part depends on IDN, but there are people (at least once upon a time) working to make the part before the @ accept Unicode. So... if that happens, people may use yt + Cyrillic a + ng0648@aol.com to fake email from me. Of course, since SMTP was not secure, this does not mean anything anyway. But for some other protocols, like IM IDs, we need to be more careful.

Also, as of today, what will happen if you get an email from FrankTang@paypal.com, and the l is a Cyrillic l? Won't you think that is from Frank Tang, who has a paypal.com account?

> In IDN we have something similar, with important differences. There
> is a human-readable version of the domain name, and there is an
> encoded ASCII version. The most significant difference here is that
> there is a standard round-trip conversion between the two. However,
> this standard is showing certain failings, not in the round-trip
> conversion between ASCII encoding and Unicode, but rather in the other
> portion of the loop--from Unicode to glyphs on the screen to human
> readability and back to typing in. These failings suggest that we
> should not place quite so much reliance on this conversion standard.

My opinion is that the flaw is neither in the round-trip conversion nor in the visual representation of the characters, but in the design of our UI. It is ok to make them round-trip convert. It is ok to make their display look the same. It is NOT ok to make two different things display in the SAME place. There is nothing wrong if we display the IDN human-readable format in the status bar or a floating tooltip. There is no problem if we let the user type in the human-readable format and replace it with the ASCII-encoded format, with what they typed in a floating tooltip.

I think the core issue of this security issue is in the UI. It is really a presentation issue. I don't think that needs to be put into the IDN. But I do think it will be nice if the IDN task force can recommend a standard presentation for when those IDNs are put inside a URL.

> Perhaps we can develop a presentation form for IDN that would include
> both the human-readable Unicode and also the authoritative
> ASCII-encoded version, in a way similar to that used for email
> addresses. This would make the Unicode available for readability, but
> it would also make it clear that the Unicode portion is not to be
> relied on as authoritative (at least by human readers) for
> distinguishing one name from another. It would also supply the
> ASCII-encoded version for typing in, or copying and pasting--something
> that would be convenient in many cases, especially since many
> applications are not IDN-savvy, but also because some Unicode names
> will not be easy to reproduce accurately by typing.
>
> Douglas Davidson
Received on Monday, 14 February 2005 21:14:01 UTC
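
The presentation form discussed in this message (readable Unicode shown together with the authoritative ASCII-encoded name, in the style of "Name <address>") can be sketched as follows. This is an added example, not code from either correspondent; the function names are hypothetical, it assumes Python's built-in `idna` codec (IDNA 2003), the script check is a heuristic based on Unicode character names, and the sample names are constructed.

```python
import unicodedata

def to_ascii(domain):
    """Authoritative ASCII form via Python's built-in IDNA (2003) codec."""
    return domain.encode("idna").decode("ascii")

def label_scripts(label):
    """Scripts of the letters in one label, approximated by the first word
    of each character's Unicode name (a heuristic, not a full script table)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def mixed_script_labels(domain):
    """Labels that combine letters from more than one script."""
    return [lab for lab in domain.split(".") if len(label_scripts(lab)) > 1]

def presentation(domain):
    """Render 'unicode <ascii>' the way mail renders 'Name <address>'."""
    ascii_form = to_ascii(domain)
    if ascii_form == domain:
        return domain  # plain ASCII name: nothing extra to show
    text = f"{domain} <{ascii_form}>"
    mixed = mixed_script_labels(domain)
    if mixed:
        # Call out the label so the reader relies on the ASCII form instead.
        text += " [mixed scripts in: " + ", ".join(mixed) + "]"
    return text

# Constructed sample inputs: plain ASCII, a Latin label containing
# Cyrillic U+0430, and the all-CJK name quoted in the message.
SAMPLES = ["paypal.com", "p\u0430ypal.com", "美國上線.公司"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(presentation(name))
```

The two look-alike names render identically in Unicode but differ in the bracketed ASCII form, which is the part a reader or a copy-and-paste can rely on.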