Re: BIDI (was: Stringprep Considered Harmful)
At 09:10 AM 11/17/2004, Kurt D. Zeilenga wrote:
>I have received the following comment regarding removal
>of the BIDI restrictions in LDAPprep:
> If you're absolutely sure that these are strings that
> will not be compared visually by humans, that is OK.
> If humans are supposed to be involved, you are possibly
> creating a very dangerous situation.
This was my response to the above comment.
I suspect there are cases where humans may visually compare
these strings. However, it's been noted that there are numerous
other visual spoofing attacks which can be made. It's also
clear that even with BIDI restrictions, humans could be presented
with strings to compare which do not adhere to the BIDI restrictions.
This is because the BIDI restrictions impact how implementations
do comparisons; they do not impact which Unicode strings can or cannot
be transferred by LDAP (or stored by LDAP implementations). My
suggestion is that visual spoofing (BIDI and other) concerns can
be addressed through security considerations, namely by stating
(much like the IRI I-D does) guidelines for input and rendering of
BIDI values.
Kurt
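To make concrete what the BIDI restrictions under discussion are, here is an added example (not part of this thread or of any LDAP implementation): the RFC 3454 section 6 bidi requirements implemented with Python's standard stringprep tables. The sample strings are constructed, and the Hebrew letters stand in for any RandALCat script.

```python
import stringprep


def bidi_violation(s: str):
    """Apply the RFC 3454 section 6 bidi requirements to a string.

    Returns None when the string satisfies them, otherwise a short
    tag naming the requirement that fails:
      "mixed" - RandALCat (R/AL) and LCat (L) characters both present
      "edges" - RandALCat present but first or last char is not RandALCat
    """
    if not s:
        return None  # an empty string has nothing to check
    # Table D.1 is RandALCat, Table D.2 is LCat (per-character tests).
    has_randal = any(stringprep.in_table_d1(ch) for ch in s)
    if not has_randal:
        return None  # requirements 2 and 3 only apply to RandALCat strings
    if any(stringprep.in_table_d2(ch) for ch in s):
        return "mixed"
    if not (stringprep.in_table_d1(s[0]) and stringprep.in_table_d1(s[-1])):
        return "edges"
    return None


def bidi_check(s: str) -> bool:
    """True when the string passes the RFC 3454 bidi requirements."""
    return bidi_violation(s) is None


if __name__ == "__main__":
    # Constructed samples: Latin, Hebrew, and mixtures of both.
    samples = {
        "latin only": "abc",
        "hebrew only": "\u05d0\u05d1",
        "hebrew then latin": "\u05d0abc",
        "hebrew then digit": "\u05d01",
        "digit inside hebrew": "\u05d01\u05d1",
    }
    for label, value in samples.items():
        print(f"{label:20s} -> {bidi_violation(value) or 'ok'}")
```

Note that this is a check applied during string preparation for comparison; nothing here stops a directory from storing or returning a string that fails it, which is the point made in the message above.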