
Re: BIDI (was: Stringprep Considered Harmful)



At 09:10 AM 11/17/2004, Kurt D. Zeilenga wrote:
>I have received the following comment regarding removal
>of the BIDI restrictions in LDAPprep:
>   If you're absolutely sure that these are strings that
>   will not be compared visually by humans, that is OK.
>   If humans are supposed to be involved, you are possibly
>   creating a very dangerous situation.

This was my response to the above comment.
 I suspect there are cases where humans may visually compare
 these strings.  However, it's been noted that there are numerous
 other visual spoofing attacks which can be made.  It's also
 clear that even with BIDI restrictions, humans could be presented
 with strings to compare which do not adhere to the BIDI restrictions.
 This is because the BIDI restrictions impact how implementations
 do comparisons; they do not impact what Unicode strings can or cannot
 be transferred by LDAP (or stored by LDAP implementations).  My
 suggestion is that visual spoofing (BIDI and other) concerns can
 be addressed through security considerations, namely by stating
 (much like the IRI I-D does) guidelines for input and rendering of
 BIDI values.

Kurt
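The point Kurt makes above, that the stringprep BIDI requirements constrain comparison rather than what a directory can transfer or store, is easy to see in code. The following is an added example written for this archive page; it is not code from the thread, from LDAPprep, or from any LDAP implementation. It implements the three BIDI requirements of RFC 3454 section 6 (a string containing RandALCat characters must contain no LCat character and must begin and end with a RandALCat character) on top of Python's `unicodedata` module, and wraps a constructed `ToyDirectory` that accepts every value unchanged and applies the check only when a value is about to be shown to a human. Assumptions: the running interpreter's Unicode tables stand in for the Unicode 3.2 tables RFC 3454 cites, and the sample values are constructed.

```python
import unicodedata

# RFC 3454 section 6 defines the BIDI check in terms of two sets of characters:
# "RandALCat" (bidi class R or AL, Table D.1) and "LCat" (bidi class L, Table D.2).
RANDALCAT = {"R", "AL"}
LCAT = {"L"}


def bidi_check(s: str) -> tuple[bool, str]:
    """Apply the RFC 3454 BIDI requirements to an already mapped/normalized string.

    Returns (ok, reason).  Assumption of this example: the running Python's
    Unicode tables are used in place of the Unicode 3.2 tables RFC 3454 cites.
    """
    classes = [unicodedata.bidirectional(ch) for ch in s]
    if not any(c in RANDALCAT for c in classes):
        return True, "no RandALCat characters; BIDI requirements do not apply"
    if any(c in LCAT for c in classes):
        return False, "mixes RandALCat and LCat characters"
    if classes[0] not in RANDALCAT or classes[-1] not in RANDALCAT:
        return False, "RandALCat string must begin and end with a RandALCat character"
    return True, "RandALCat string satisfies the BIDI requirements"


class ToyDirectory:
    """Constructed stand-in for a directory (not an LDAP implementation).

    It stores every value unchanged, because the protocol places no BIDI
    restriction on what can be transferred or stored.  The BIDI check is
    applied only at the boundary where a human is about to see a value.
    """

    def __init__(self) -> None:
        self._values: list[str] = []

    def add(self, value: str) -> None:
        # Nothing is rejected here: a BIDI-violating value is still a legal value.
        self._values.append(value)

    def review_queue(self) -> list[tuple[str, str]]:
        """Values a human should not be asked to compare by eye, with the reason."""
        queue = []
        for v in self._values:
            ok, reason = bidi_check(v)
            if not ok:
                queue.append((v, reason))
        return queue


def _demo() -> list[tuple[str, str]]:
    # Constructed sample values.  U+05D0/U+05D1 (Hebrew alef/bet) are bidi class R,
    # ASCII letters are class L, and the digit "1" is class EN.
    d = ToyDirectory()
    for v in ("abc", "\u05d0\u05d1", "\u05d0bc", "\u05d01", "ab\u05d0"):
        d.add(v)          # all five are stored
    return d.review_queue()  # only the three that violate the requirements come back


if __name__ == "__main__":
    for value, reason in _demo():
        print(f"{value!r}: {reason}")
```

Running the module prints the three values that fail the check, alongside the reason; the two that pass are still in the directory but never surface in the review queue. The split between `add` and `review_queue` is the design choice the message argues for: enforce BIDI rules as an input and rendering guideline, not as a constraint on what the directory holds.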