
BIDI (was: Stringprep Considered Harmful)



I've given this a new subject heading to indicate the scope
of the discussion has narrowed to the question of whether
LDAPprep should or should not ignore BIDI (as discussed in
Section 6 of [Stringprep]), in particular in the
general-purpose text matching rules, e.g., caseIgnoreMatch
and friends.

There have been a number of good points made in this thread.

I believe these matching rules are generally applicable to
matching text values, and in particular short descriptive
text (e.g., values used in naming).  I believe they are not
applicable to matching values of non-text abstractions,
such as DNs, domain names, email addresses, and URIs.  Use
of text matching rules will lead to inappropriate matching,
including rule(A,A') evaluating to FALSE even though A and A'
represent the same abstract value and rule(A,B)
evaluating to TRUE even though A and B represent two
non-equivalent abstract values.  (I believe we need to
explicitly state the applicability of these rules.)

It is recognized that the Standard Track does not yet
include matching rules appropriate to match
internationalized domain names (or domain components),
email addresses (or local-parts), or URIs.  This is an
area where future standardization is needed and, in
particular, something this WG likely could consider
undertaking after we deliver the revised LDAP TS.

It can be argued that the text rules are not well suited
(regardless of the BIDI issue) for matching large values of
running text (e.g., anything more than a line of text).

With all of the above in mind, the question can be narrowed
to whether or not ignoring BIDI makes sense for matching
rules designed to support short descriptive text, such
as values used in naming objects.  For instance, common
names and postal addresses.

Rici detailed his belief that ignoring BIDI makes sense for
short descriptive text.  I find the most compelling of
his arguments to be those with values of common names
and postal address lines.

And while I believe BIDI (and other) spoofing attacks are
applicable to naming values, I think we can address these
by stating appropriate security considerations.

Hence, I support removal of the BIDI restrictions from
LDAPprep.

-- Kurt
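As an added illustration, not part of Kurt's message and not the
LDAPprep or stringprep reference code, the following Python shows
what the Section 6 BIDI requirements of [Stringprep] do to short
naming values such as a mixed-script postal address line, and what
"ignoring BIDI" means for a caseIgnoreMatch-style comparison.  The
preparation steps (NFKC, case folding, whitespace collapse) are a
simplified stand-in for the real LDAPprep algorithm, and the choice
to map explicit direction controls to nothing when BIDI is ignored
is an assumption made for this example.  All sample values are
constructed.

```python
"""Illustration of stringprep (RFC 3454) Section 6 BIDI rules versus
"ignoring BIDI" in a case-insensitive matching rule.

Simplified, constructed example; not the LDAPprep (RFC 4518) algorithm.
"""
import unicodedata

# RFC 3454 table C.8 ("change display properties or are deprecated"):
# combining grave/acute tone marks, LRM/RLM, LRE..RLO/PDF, and the
# deprecated format characters U+206A..U+206F.
BIDI_CONTROLS = frozenset(
    chr(cp)
    for cp in [0x0340, 0x0341, 0x200E, 0x200F]
    + list(range(0x202A, 0x202F))
    + list(range(0x206A, 0x2070))
)


def is_randalcat(ch: str) -> bool:
    """RFC 3454 table D.1: code points with bidi class R or AL."""
    return unicodedata.bidirectional(ch) in ("R", "AL")


def is_lcat(ch: str) -> bool:
    """RFC 3454 table D.2: code points with bidi class L."""
    return unicodedata.bidirectional(ch) == "L"


def bidi_check(s: str) -> tuple[bool, str]:
    """Apply the three requirements of RFC 3454 Section 6.

    Returns (ok, reason).  An empty string trivially passes.
    """
    if not s:
        return True, ""
    # 1) characters of table C.8 are prohibited
    if any(ch in BIDI_CONTROLS for ch in s):
        return False, "contains a prohibited direction control (C.8)"
    has_randal = any(is_randalcat(ch) for ch in s)
    has_l = any(is_lcat(ch) for ch in s)
    # 2) RandALCat and LCat must not be mixed
    if has_randal and has_l:
        return False, "mixes RandALCat and LCat characters"
    # 3) a RandALCat string must start and end with RandALCat
    if has_randal and not (is_randalcat(s[0]) and is_randalcat(s[-1])):
        return False, "RandALCat string must begin and end with RandALCat"
    return True, ""


def prepare(value: str, enforce_bidi: bool) -> str:
    """Toy case-insensitive preparation (assumed, not RFC 4518's steps).

    With enforce_bidi=True the stringprep Section 6 check is applied and
    a failing value is rejected with ValueError.  With enforce_bidi=False
    the check is skipped and direction controls are mapped to nothing
    (an assumption for illustration), so they cannot affect matching.
    """
    s = unicodedata.normalize("NFKC", value)
    s = s.casefold()
    s = " ".join(s.split())  # collapse insignificant whitespace
    if enforce_bidi:
        ok, why = bidi_check(s)
        if not ok:
            raise ValueError(why)
    else:
        s = "".join(ch for ch in s if ch not in BIDI_CONTROLS)
    return s


def case_ignore_match(a: str, b: str, enforce_bidi: bool) -> bool:
    """caseIgnoreMatch-style equality on prepared values."""
    return prepare(a, enforce_bidi) == prepare(b, enforce_bidi)


def outcome(a: str, b: str, enforce_bidi: bool) -> str:
    """'match', 'no match', or 'rejected: <reason>' for a comparison."""
    try:
        return "match" if case_ignore_match(a, b, enforce_bidi) else "no match"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed naming values.
    ADDRESS = "12 Rue de Rivoli, \u05ea\u05dc \u05d0\u05d1\u05d9\u05d1"  # Latin + Hebrew
    ADDRESS_UPPER = "12 RUE DE RIVOLI, \u05ea\u05dc \u05d0\u05d1\u05d9\u05d1"
    HEBREW_WITH_NUMBER = "\u05d0\u05d9\u05dc\u05d5\u05df 5"  # ends with a digit (EN)
    # "ab" + RIGHT-TO-LEFT OVERRIDE + "dc": a bidi-aware renderer typically
    # displays this as "abcd", yet the stored code points differ from "abcd".
    SPOOF = "ab\u202edc"

    for label, a, b in [
        ("mixed-script address vs. its case variant", ADDRESS, ADDRESS_UPPER),
        ("Hebrew street name with house number", HEBREW_WITH_NUMBER, HEBREW_WITH_NUMBER),
        ("RLO-spoofed value vs. what it displays as", SPOOF, "abcd"),
    ]:
        print(f"{label}:")
        print(f"  BIDI enforced: {outcome(a, b, enforce_bidi=True)}")
        print(f"  BIDI ignored:  {outcome(a, b, enforce_bidi=False)}")
```

Run it and the first two cases show the cost of enforcing Section 6
on naming values: an ordinary Latin-plus-Hebrew address line and a
Hebrew street name followed by a house number are both rejected
outright, so no matching is possible at all, while with BIDI ignored
they match their own case variants as expected.  The third case shows
the security consideration that has to be stated if BIDI is ignored:
a value carrying a RIGHT-TO-LEFT OVERRIDE can display like "abcd"
yet fail to match "abcd", because matching sees the underlying code
points, not the rendered order.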