Re: Stringprep Considered Harmful (A concrete example)
On 9-Nov-04, at 5:53 AM, Hallvard B Furuseth wrote:
> Yes. I don't know much about your specific examples, but in general
> I've never understood why people feel the advantages of error returns
> from stringprep are more important than the problems they cause.
Let me be clear. I think that IDNA is a perfectly acceptable way to
internationalise domain names. However, it differs from LDAP in that
it defines a canonical comparison rule for a specific naming domain
(DNS domain names), whereas LDAP is intended to be a general purpose
protocol applicable to a wide variety of naming domains.
Here is a concrete example (which requires a Unicode mail reader,
sorry).
I don't speak Arabic, so I hope it is not rude; the example word comes
from Simon Josefsson's example page; I simply modified it to be a full
domain name.
Suppose that this domain has been registered:
Mohammed@ليهمابتكلموشعربي؟.com.nu
(I believe .nu accepts IDNA domains)
IBM's idna demo page:
<http://oss.software.ibm.com/cgi-bin/icu/idnademo?t=www.ليهمابتكلموشعربي؟.com.nu>
shows the ToAscii transform of this domain name as:
www.xn--egbpdaj6bu4bxfgehfvwxn.com.nu
You can see that the transformation has been done component by component
(label by label, as IDNA says). The bidi rule succeeded on each
component.
Changing the first . to a - makes the first label invalid:
www-ليهمابتكلموشعربي؟.com.nu
<http://oss.software.ibm.com/cgi-bin/icu/idnademo?t=www-ليهمابتكلموشعربي؟.com.nu>
So the second one is not a valid domain name. (That's irrelevant, I
just wanted to show what happens when the bidi rule fails.)
However, if the bidi rule is applied to the domain name *as a whole*,
both will fail. Use of this domain name in an LDAP directory would be
fine:
cn=Mohammed,dc=www,dc=-ليهمابتكلموشعربي؟,dc=com,dc=nu
However, the above cannot itself be used as a (useful) DirectoryString
because it will not match even itself.
If the LDAP directory contained email addresses:
email: Mohammed@ليهمابتكلموشعربي؟.com.nu
Now this attribute is almost completely useless to me. While I could
search the directory for email addresses by suffix: (email=*com.nu), it
would not show up in the list because the stored value fails the bidi
test. I cannot search the directory for that particular domain name:
(email=*@ليهمابتكلموشعربي؟.com.nu) because the assertion will fail the
bidi test. If I get desperate and try to Modify the address to insert
the idna-transformed form using {delete
email=Mohammed@ليهمابتكلموشعربي؟.com.nu, add
email=Mohammed@xn--egbpdaj6bu4bxfgehfvwxn.com.nu}, the delete will fail
because the bidi rule fails. (That might not be a disaster in this
case, but it is easy to see where it might be.)
I hope that makes my concern clearer.
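The per-label versus whole-string behaviour described in the message, as an added example that is not part of the original post: it implements the RFC 3454 section 6 bidi rule and runs it over the same domain name both label by label (as IDNA does) and as a single string (as an LDAP matching rule would). It assumes Python's `unicodedata.bidirectional()` as a stand-in for the RFC 3454 D.1/D.2 tables, which were frozen at Unicode 3.2, so class assignments for newer code points may differ.

```python
import unicodedata

# RFC 3454 section 6: RandALCat = bidi classes R and AL (table D.1),
# LCat = bidi class L (table D.2). unicodedata is an approximation of
# those tables (assumption: classes for the characters used here match).
RANDAL = ("R", "AL")


def check_bidi(s):
    """Apply the stringprep bidi rule to s; return (ok, reason)."""
    classes = [unicodedata.bidirectional(c) for c in s]
    randal = [cls in RANDAL for cls in classes]
    if not any(randal):
        return True, "no RandALCat characters, rule does not apply"
    # Requirement 2: a RandALCat string must contain no LCat character.
    if "L" in classes:
        return False, "RandALCat and LCat characters mixed in one string"
    # Requirement 3: first and last characters must be RandALCat.
    if not (randal[0] and randal[-1]):
        return False, "RandALCat string must start and end with RandALCat"
    return True, "RandALCat string is well-formed"


def check_per_label(name):
    """IDNA style: apply the rule to each dot-separated label."""
    return {label: check_bidi(label)[0] for label in name.split(".")}


def check_whole(name):
    """LDAP DirectoryString style: apply the rule to the whole value."""
    return check_bidi(name)[0]


# Constructed inputs, taken from the example in the message.
ARABIC_LABEL = "ليهمابتكلموشعربي؟"
DOMAIN = f"www.{ARABIC_LABEL}.com.nu"          # valid label by label
BAD_DOMAIN = f"www-{ARABIC_LABEL}.com.nu"      # first label mixes L and AL
EMAIL = f"Mohammed@{ARABIC_LABEL}.com.nu"      # stored attribute value
FILTER_VALUE = f"*@{ARABIC_LABEL}.com.nu"      # substring assertion value

if __name__ == "__main__":
    for name in (DOMAIN, BAD_DOMAIN):
        print(name, "per label:", check_per_label(name))
    for value in (DOMAIN, EMAIL, FILTER_VALUE):
        print(value, "as a whole:", check_bidi(value))
```

Running it shows every label of DOMAIN passing while DOMAIN, EMAIL and FILTER_VALUE all fail as whole strings, which is why the stored value and the assertion value in the message can never match.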