Re: IDN problem.... :(

Douglas Davidson wrote on 2/14/2005, 1:32 PM:

 >
 > On 2005-02-14 09:52:17 -0800 Frank Yung-Fong Tang <ytang0648@aol.com>
 > wrote:
 >
 > Frank,
 >
 > Perhaps we can take inspiration from something that we already have in
 > mail.  For example, when I see your address above, it looks like
 > "Frank Yung-Fong Tang <ytang0648@aol.com>".  In this the first part is
 > clearly intended to be the human-readable portion, and it would be
 > reasonable for you to put arbitrary Unicode in it--Chinese characters,
 > for example.  The second part is just as clearly intended to be the
 > authoritative machine-readable address.

Well... not exactly, people are working on I18N email addresses too. We do 
have people who want to see their email address look like
譚永鋒@美國上線.公司

The "美國上線.公司" part depends on IDN, but there are people (at least 
once upon a time) working to make the part before @ accept Unicode.

So ... if that happens, people may use yt + cyrillic a + ng0648@aol.com 
to fake email from me. Of course, since SMTP was not secure, this does 
not mean anything anyway. But for some other protocols, like IM ids, we 
need to be more careful.

Also, as of today, what will happen if you get an email from 
FrankTang@paypal.com and the l is a Cyrillic l? Won't you think that 
is from Frank Tang, who has a paypal.com account?


 >
 > In IDN we have something similar, with important differences.  There
 > is a human-readable version of the domain name, and there is an
 > encoded ASCII version.  The most significant difference here is that
 > there is a standard round-trip conversion between the two.  However,
 > this standard is showing certain failings, not in the round-trip
 > conversion between ASCII encoding and Unicode, but rather in the other
 > portion of the loop--from Unicode to glyphs on the screen to human
 > readability and back to typing in.  These failings suggest that we
 > should not place quite so much reliance on this conversion standard.

My opinion is the flaw is neither in the round-trip conversion nor the 
visual representation of the characters, but in the design of our UI. It is 
ok to make them round-trip convert. It is ok to make them display looking 
the same. It is NOT ok to make two different things display in the SAME 
place. There is nothing wrong if we display the IDN human-readable 
format in the status bar or a floating tooltip. There is no problem if 
we accept users typing in the human-readable format and replace it with the 
ASCII-encoded format, with what they typed in a floating tooltip. I think the 
core issue of this security issue is in the UI.

It is really a presentation issue.

I don't think that needs to be put into IDN. But I do think it will 
be nice if the IDN task force can recommend a standard presentation when 
those IDNs are put inside a URL.

 >
 > Perhaps we can develop a presentation form for IDN that would include
 > both the human-readable Unicode and also the authoritative
 > ASCII-encoded version, in a way similar to that used for email
 > addresses.  This would make the Unicode available for readability, but
 > it would also make it clear that the Unicode portion is not to be
 > relied on as authoritative (at least by human readers) for
 > distinguishing one name from another.  It would also supply the
 > ASCII-encoded version for typing in, or copying and pasting--something
 > that would be convenient in many cases, especially since many
 > applications are not IDN-savvy, but also because some Unicode names
 > will not be easy to reproduce accurately by typing.
 >
 > Douglas Davidson
 >
 >

Received on Monday, 14 February 2005 21:14:01 UTC
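The presentation form Douglas proposes (the Unicode name for reading, with the authoritative ASCII-encoded form beside it) together with the mixed-script check that Frank's Cyrillic-l example calls for, as an added Python example that is not part of this thread. It assumes the standard-library `idna` codec (IDNA 2003 rules) and uses the first word of each letter's Unicode name as a stand-in for the Script property, which the stdlib does not expose.

```python
import unicodedata

def label_scripts(label: str) -> set[str]:
    """Approximate script set of one label. The stdlib has no Script
    property, so the first word of each letter's Unicode name (LATIN,
    CYRILLIC, GREEK, CJK, ...) is used as a proxy; digits and hyphens
    are script-neutral and ignored."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts

def to_ascii(host: str) -> str:
    """Unicode host -> ASCII-compatible (xn--) form via the stdlib IDNA codec."""
    return host.encode("idna").decode("ascii")

def to_unicode(host: str) -> str:
    """ASCII (xn--) host -> Unicode; plain ASCII names pass through unchanged."""
    return host.encode("ascii").decode("idna")

def suspicious_labels(host: str) -> list[str]:
    """Labels that mix scripts (e.g. Latin + Cyrillic). Whole-script
    confusables (an all-Cyrillic look-alike of a Latin name) are NOT caught
    here; that needs a confusables table such as UTS #39."""
    return [lbl for lbl in to_unicode(to_ascii(host)).split(".")
            if len(label_scripts(lbl)) > 1]

def present(host: str) -> str:
    """Presentation form in the style of a mail address: Unicode name for
    reading, authoritative ASCII form beside it, plus a marker when any
    label mixes scripts. A pure-ASCII host is shown once, unchanged."""
    uni, asc = to_unicode(to_ascii(host)), to_ascii(host)
    if uni == asc:
        return asc
    text = f"{uni} <{asc}>"
    return text + " [mixed-script]" if suspicious_labels(host) else text

# Constructed samples: a genuine ASCII host, a Latin host whose second
# letter is Cyrillic a (U+0430), and the all-CJK host from the thread.
SAMPLES = ["paypal.com", "p\u0430ypal.com", "美國上線.公司"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(present(h))
```

Showing the `xn--` form next to the Unicode form is the part a browser or mail client can do today; the mixed-script flag only narrows the problem, since a label written entirely in one look-alike script still needs a confusables check.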