
Re: Stringprep Considered Harmful (A concrete example)




On 9-Nov-04, at 5:53 AM, Hallvard B Furuseth wrote:

> Yes.  I don't know much about your specific examples, but in general
> I've never understood why people feel the advantages of error returns
> from stringprep are more important than the problems they cause.

Let me be clear. I think that IDNA is a perfectly acceptable way to internationalise domain names. However, it differs from LDAP in that it defines a canonical comparison rule for a specific naming domain (DNS domain names), whereas LDAP is intended to be a general purpose protocol applicable to a wide variety of naming domains.

Here is a concrete example (which requires a unicode mail reader, sorry.)

I don't speak Arabic, so I hope it is not rude; the example word comes
from Simon Josefsson's example page; I simply modified it to be a full
domain name

Suppose that this domain has been registered:

Mohammed@ليهمابتكلموشعربي؟.com.nu

(I believe .nu accepts IDNA domains)

IBM's idna demo page:
<http://oss.software.ibm.com/cgi-bin/icu/idnademo?t=www.ليهمابتكلموشعربي؟.com.nu>


shows the ToAscii transform of this domain name as:

  www.xn--egbpdaj6bu4bxfgehfvwxn.com.nu

You can see that the transformation has been done component by component
(label by label, as IDNA says). The bidi rule succeeded on each component.
Changing the first . to a - makes the first label invalid:


  www-ليهمابتكلموشعربي؟.com.nu

<http://oss.software.ibm.com/cgi-bin/icu/idnademo?t=www-ليهمابتكلموشعربي؟.com.nu>

So the second one is not a valid domain name. (That's irrelevant, I just wanted to show what happens when the bidi rule fails.)


However, if the bidi rule is applied to the domain name *as a whole*,
both will fail. Use of this domain name in an LDAP directory would be fine:


  cn=Mohammed,dc=www,dc=-ليهمابتكلموشعربي؟,dc=com,dc=nu

However, the above cannot itself be used as a (useful) DirectoryString because
it will not match even itself.


If the LDAP directory contained email addresses:

  email: Mohammed@ليهمابتكلموشعربي؟.com.nu

Now this attribute is almost completely useless to me. While I could search the directory for email addresses by suffix: (email=*com.nu), it would not show up in the list because the stored value fails the bidi test. I cannot search the directory for that particular domain name: (email=*@ليهمابتكلموشعربي؟.com.nu) because the assertion will fail the bidi test. If I get desperate and try to Modify the address to insert the idna-transformed one using {delete email=Mohammed@ليهمابتكلموشعربي؟.com.nu, add email=Mohammed@xn--egbpdaj6bu4bxfgehfvwxn.com.nu}, the delete will fail because the bidi rule fails. (That might not be a disaster in this case, but it is easy to see where it might be.)

I hope that makes my concern clearer.
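The label-by-label versus whole-string behaviour described in this message, as an added example (not code from the original post or from any of the implementations it mentions). It implements the RFC 3454 section 6 bidi requirements that nameprep (RFC 3491) inherits, using Python's `stringprep` tables D.1 (RandALCat) and D.2 (LCat), and uses Python's own `idna` codec for the ToASCII step. The sample strings are the ones from the message; the helper names are this example's own.

```python
"""Stringprep bidi rule: per-label (IDNA) versus whole-string (LDAP DirectoryString)."""
import stringprep

# Sample values taken from the message above. The Arabic label is the
# "Arabic (Egyptian)" sample string from RFC 3492 / Simon Josefsson's page.
ARABIC_LABEL = "ليهمابتكلموشعربي؟"
DOMAIN = f"www.{ARABIC_LABEL}.com.nu"        # valid label by label
BAD_DOMAIN = f"www-{ARABIC_LABEL}.com.nu"    # first label mixes L and AL
EMAIL = f"Mohammed@{ARABIC_LABEL}.com.nu"    # value stored in the directory


def bidi_ok(s: str) -> bool:
    """RFC 3454 section 6 bidi requirements, as applied by nameprep.

    1. If the string contains any RandALCat character (bidi class R or AL,
       stringprep table D.1), it must not contain any LCat character
       (bidi class L, table D.2).
    2. If it contains a RandALCat character, both the first and the last
       character must be RandALCat.
    A string with no RandALCat characters always passes.
    """
    randal = [stringprep.in_table_d1(ch) for ch in s]
    if not any(randal):
        return True
    if any(stringprep.in_table_d2(ch) for ch in s):
        return False  # requirement 2 violated: R/AL mixed with L
    return randal[0] and randal[-1]  # requirement 3


def check_labels(domain: str) -> dict:
    """Apply the bidi rule label by label, the way IDNA ToASCII does."""
    return {label: bidi_ok(label) for label in domain.split(".")}


def to_ascii(domain: str):
    """IDNA ToASCII via Python's idna codec (nameprep + punycode per label).

    Returns the ACE form, or None when some label fails nameprep (which is
    what the bidi failure on 'www-<arabic>' produces).
    """
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


if __name__ == "__main__":
    for name in (DOMAIN, BAD_DOMAIN):
        print(name)
        print("  per label :", check_labels(name))
        print("  whole     :", bidi_ok(name))
        print("  ToASCII   :", to_ascii(name))
    # An LDAP matching rule that runs stringprep over the whole value sees
    # only the second result: the stored e-mail address fails every time.
    print(EMAIL, "as a whole:", bidi_ok(EMAIL))
```

Running it shows the asymmetry the message complains about: every label of `www.<arabic>.com.nu` passes and ToASCII yields `www.xn--egbpdaj6bu4bxfgehfvwxn.com.nu`, the `www-<arabic>` label fails requirement 2 so ToASCII returns nothing, yet both domain names and the e-mail address fail the whole-string check because the Latin `www`/`com`/`nu` parts sit in the same string as the Arabic label.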