Presentation is loading. Please wait.

Presentation is loading. Please wait.

IDNAbis and Security Protocols or Internationalization Issues with Short Strings John C Klensin SAAG – 26 July 2007.

Published byRafe Sullivan Modified over 9 years ago

Similar presentations

Presentation on theme: "IDNAbis and Security Protocols or Internationalization Issues with Short Strings John C Klensin SAAG – 26 July 2007."— Presentation transcript:

1 IDNAbis and Security Protocols or Internationalization Issues with Short Strings John C Klensin SAAG – 26 July 2007

2 IDNA as a Learning Experience Went out into unknown territory; inevitably learned some things Today’s talk will –Review what we learned –Summarize IDNAbis objectives and directions –Examine implications of the learning experience to security protocols

3 Some Lessons This group is not comprehensive Not IDNA-specific There are others

4 Expanding Standards ASCII (and ISO8859-1, 2, etc) are closed sets –All code points and characters allocated initially –No real need to deal with versioning Unicode grows This turns out to be more important than we realized

5 The Version/ Library Fallacy IDNA2003 and Stringprep assume –Unicode 3.2 –Revision for future versions –Implementations stable at 3.2 Applications call libraries –Libraries for Unicode migrating into OS –Version you get is the version you get –Even if API delivers version number, not useful So “version agnostic” isn’t a goal but a necessity

6 Good Behavior Assuming that everyone will follow the rules consistently is a bad idea –Don’t need to tell the security community that –Millions of zones/ “registries”, not a dozen or 250. Can’t find the Protocol Police

7 Exclusion Include everything unless you have a reason not to –Bad idea for expanding standards –Creates a lot of pressure to not have such reasons Compatibility mappings seemed like a good idea… for a while

8 Spoofing Look-alike and Confusable Characters Nothing new –0O, 1l –But lots more dramatic with large character collections –Note that a careful choice of fonts makes things less (or more) confusing No protocol or procedural fix –Can avoid making things worse than they need to be… and should –But largely a UI and User Awareness 1issue

9 Single Profile Applications are different –Different needs –Different profiles –Best character set for identifiers may not be best for passwords We knew this five years ago… And then proceeded, sometimes, to behave as if we didn’t

10 Words and Orthography “Words” have never been an expectation in the DNS IETF knows this; community keeps losing track New stress on –Mnemonics –No “right” to use particular strings in the DNS

11 IDNAbis Protocol has fewer variations User conveniences are a UI matter –No compatibility mappings –No case mappings –Prohibition of anything that IDNA2003 maps out –Inclusion, rather than exclusion of characters –Prohibition of “non-language” characters, symbols, punctuation,… Unassigned code points are banned –Can’t write rules for them

12 Character Classification, Not Tables as Specification Unicode Categories and Properties used to construct IDNA categories of characters combined to form IDNA rule-groupings applied differently for registration lookup / resolution

13 The Rule-Groupings Always Maybe Yes Maybe No Contextual Rule Required Never (and unassigned)

14 Registration Always Possibly Maybe Rule iff it exists and is valid Registry-imposed restrictions permitted and expected

15 Resolution Look up unless… –Never –Unassigned –Rule doesn’t exist –Rule fails The really dangerous cases will not be looked up even if they are registered (in violation of the protocol)

16 Other Changes Terminology: A-labels and U-labels Contextual rules permit some extra (and important) characters BIDI fixes

17 Surroundings No changes to Stringprep –(although you might want to make some) A DNS-embedded label that is valid today under protocol and all guidelines –Stays valid –Alternate forms in which that label could be written are generally prohibited –Some new labels permitted (including new scripts)

18 The Security Lessons First, IDNAbis does not require changes Some changes may be wise –Mostly on the basis of dealing with recently- understood risks Interoperability problems are different from Confusion problems –Usually neither are desirable –Protocol-level interoperability may be different from inter-user interoperability –For passwords and passphrases, controlled confusion may be an advantage

19 Serious Work to Get Thing Right Examine actual strings and uses –Generally, less variation is good –Some things may need to be more restricted than others When dealing with domain names –Usually will want to use A-labels in protocols and databases, with U-labels only as user mnemonics –There may be exceptions

20 Layering is Often Good Internationalization as a tool for Localization Be careful about getting tied up with “language” –Sometimes very important and necessary –But it introduces new problems and issues If exact comparisions (or rejection) are needed, don’t make that harder than needed.

21 Summary This needs to be done Changes in IDNA do not affect possible security changes and don’t need to be sequenced with them. Striving for simplicity and few options will make life better

Download ppt "IDNAbis and Security Protocols or Internationalization Issues with Short Strings John C Klensin SAAG – 26 July 2007."

Similar presentations

10 Rules To Manage Your Boss faster decisions, better decisions and more trust.

10 Rules To Manage Your Boss faster decisions, better decisions and more trust.
Internet Protocols and Innovation John C Klensin John C Klensin and Associates

Internet Protocols and Innovation John C Klensin John C Klensin and Associates
Whois Internationalization Issues John C Klensin.

Whois Internationalization Issues John C Klensin.
ICANN Rio Meeting IDN Authorization for TLDs with ICANN agreements 26 March, 2003 Andrew McLaughlin.

ICANN Rio Meeting IDN Authorization for TLDs with ICANN agreements 26 March, 2003 Andrew McLaughlin.
Internationalized Domain Names Introduction & Update MENOG 1 Bahrain April 3-5, 2007 By: Baher Esmat Middle East Liaison.

Internationalized Domain Names Introduction & Update MENOG 1 Bahrain April 3-5, 2007 By: Baher Esmat Middle East Liaison.
From UCS-2 to UTF-16 Discussion and practical example for the transition of a Unicode library from UCS-2 to UTF-16.

From UCS-2 to UTF-16 Discussion and practical example for the transition of a Unicode library from UCS-2 to UTF-16.
Internationalization Status and Directions: IETF, JET, and ICANN John C Klensin October 2002 © 2002 John C Klensin.

Internationalization Status and Directions: IETF, JET, and ICANN John C Klensin October 2002 © 2002 John C Klensin.
Internationalized Domain Names Status Report Prepared for: ICANN Meeting, Lisbon 29 March, 2007 Tina Dam IDN Program Director ICANN

Internationalized Domain Names Status Report Prepared for: ICANN Meeting, Lisbon 29 March, 2007 Tina Dam IDN Program Director ICANN
Finding an Apartment What is right for you? Click the arrow to continue.

Finding an Apartment What is right for you? Click the arrow to continue.
Arthur Fink Page 1 Thinking about User Interface Design for OpenEdge GUI for.NET (or any other environment) by Arthur Fink www.ArthurFink.Wordpress.com.

Arthur Fink Page 1 Thinking about User Interface Design for OpenEdge GUI for.NET (or any other environment) by Arthur Fink
1 Homework Turn in HW2 at start of next class. Starting Chapter 2 K&R. Read ahead. HW3 is on line. –Due: class 9, but a lot to do! –You may want to get.

1 Homework Turn in HW2 at start of next class. Starting Chapter 2 K&R. Read ahead. HW3 is on line. –Due: class 9, but a lot to do! –You may want to get.
1 Introducing Collaboration to Single User Applications A Survey and Analysis of Recent Work by Brian Cornell For Collaborative Systems Fall 2006.

1 Introducing Collaboration to Single User Applications A Survey and Analysis of Recent Work by Brian Cornell For Collaborative Systems Fall 2006.
Style Rules II: Names and Naming. Overview Today we will discuss: –Reasons for naming conventions –Rules for naming variables, classes, and methods.

Style Rules II: Names and Naming. Overview Today we will discuss: –Reasons for naming conventions –Rules for naming variables, classes, and methods.
Finding Analysis Classes Written by Zvika Gutterman Adam Carmi.

Finding Analysis Classes Written by Zvika Gutterman Adam Carmi.
Database Design Concepts Info 1408 Lecture 2 An Introduction to Data Storage.

Database Design Concepts Info 1408 Lecture 2 An Introduction to Data Storage.
28-Jun-15 Recognizers. 2 Parsers and recognizers Given a grammar (say, in BNF) and a string, A recognizer will tell whether the string belongs to the.

28-Jun-15 Recognizers. 2 Parsers and recognizers Given a grammar (say, in BNF) and a string, A recognizer will tell whether the string belongs to the.
Modules, Hierarchy Charts, and Documentation

Modules, Hierarchy Charts, and Documentation
Characters and Strings. Characters In Java, a char is a primitive type that can hold one single character A character can be: –A letter or digit –A punctuation.

Characters and Strings. Characters In Java, a char is a primitive type that can hold one single character A character can be: –A letter or digit –A punctuation.
Database Design Concepts Info 1408 Lecture 2 An Introduction to Data Storage.

Database Design Concepts Info 1408 Lecture 2 An Introduction to Data Storage.
Bully Free Freshman Class Session 3 Today all students will: Discuss reasons bullying must be stopped. Discuss the concepts of community and unity and.

Bully Free Freshman Class Session 3 Today all students will: Discuss reasons bullying must be stopped. Discuss the concepts of community and unity and.

Similar presentations

Ads by Google