
Re: BIDI (was: Stringprep Considered Harmful)



I have received the following comment regarding removal
of the BIDI restrictions in LDAPprep:
   If you're absolutely sure that these are strings that
   will not be compared visually by humans, that is OK.
   If humans are supposed to be involved, you are possibly
   creating a very dangerous situation.

Kurt

At 11:45 PM 11/16/2004, Kurt D. Zeilenga wrote:
>I've given this a new subject heading to indicate the scope
>of the discussion has narrowed to the question of whether
>LDAPprep should or should not ignore BIDI (as discussed in Section
>6 of [Stringprep]), in particular in the general-purpose
>text matching rules, e.g., caseIgnoreMatch and friends.
>
>There have been a number of good points made in this thread.
>
>I believe these matching rules are generally applicable to
>the matching of text values, and in particular short descriptive
>text (e.g., values used in naming).  I believe they are not
>applicable to the matching of values of non-text abstractions,
>such as DNs, domain names, email addresses, and URIs.  Use
>of text matching rules will lead to inappropriate matching
>including rule(A,A') evaluating to FALSE even though A and A'
>represent the same abstract value and rule(A,B)
>evaluating to TRUE even though A and B represent two
>non-equivalent abstract values.  (I believe we need to
>explicitly state the applicability of these rules)
>
>It is recognized that the Standard Track does not yet
>include matching rules appropriate to match
>internationalized domain names (or domain components),
>email addresses (or local-parts), or URIs.  This is an
>area where future standardization is needed and, in
>particular, something this WG likely could consider
>undertaking after we deliver the revised LDAP TS.
>
>It can be argued that the text rules are not well suited
>(regardless of BIDI issue) for matching large values of
>running text (e.g., anything more than a line of text).
>
>With all of the above in mind, the question can be narrowed
>to whether or not ignoring BIDI makes sense for matching
>rules designed to support short descriptive text, such
>as values used in naming objects.  For instance, common
>names and postal addresses.
>
>Rici detailed his belief that ignoring BIDI makes sense for
>short descriptive text.  I find the most compelling of
>his arguments to be those with values of common names
>and postal address lines.
>
>And while I believe BIDI (and other) spoofing attacks are
>applicable to naming values, I think we can address these
>by stating appropriate security considerations.
>
>Hence, I support removal of the BIDI restrictions from
>LDAPprep.
>
>-- Kurt
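
The three bidi requirements of Section 6 of [Stringprep] that this thread proposes to drop from LDAPprep, written out as a check (an added example, not part of the original messages and not LDAPprep's own code). It uses the RFC 3454 tables shipped in Python's standard `stringprep` module; the function names and the sample values are constructed for illustration.

```python
import stringprep

def bidi_violations(value):
    """Return which RFC 3454 Section 6 requirements `value` violates."""
    problems = []
    # Requirement 1: characters in table C.8 (display-changing controls
    # such as U+202E) are prohibited.
    if any(stringprep.in_table_c8(ch) for ch in value):
        problems.append("C.8")
    has_randal = any(stringprep.in_table_d1(ch) for ch in value)  # table D.1
    has_l = any(stringprep.in_table_d2(ch) for ch in value)       # table D.2
    if has_randal:
        # Requirement 2: a string with a RandALCat character must not
        # contain any LCat character.
        if has_l:
            problems.append("mixed")
        # Requirement 3: such a string must start and end with a
        # RandALCat character.
        if not (stringprep.in_table_d1(value[0])
                and stringprep.in_table_d1(value[-1])):
            problems.append("edges")
    return problems

# Constructed sample values (not taken from the thread).
SAMPLES = {
    "latin common name": "David",
    "hebrew common name": "\u05d3\u05d5\u05d3",
    # Common name given in two scripts: Latin followed by Hebrew.
    "two-script common name": "David \u05d3\u05d5\u05d3",
    # Hebrew postal address line ending in a house number.
    "postal address line": "\u05e8\u05d7\u05d5\u05d1 \u05d4\u05e8\u05e6\u05dc 12",
    # Latin text containing a right-to-left override control character.
    "display override": "abc\u202edef",
}

def report(samples=SAMPLES):
    """Map each sample name to the Section 6 requirements it violates."""
    return {name: bidi_violations(value) for name, value in samples.items()}

if __name__ == "__main__":
    for name, found in report().items():
        print(f"{name}: {found if found else 'passes'}")
```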