
Re: BIDI (was: Stringprep Considered Harmful)




On 17-Nov-04, at 12:10 PM, Kurt D. Zeilenga wrote:

I have received the following comment regarding removal
of the BIDI restrictions in LDAPprep:
   If you're absolutely sure that these are strings that
   will not be compared visually by humans, that is OK.
   If humans are supposed to be involved, you are possibly
   creating a very dangerous situation.

Kurt

I believe that the above comment is applicable to strings which have been, for example, digitally signed and are being used for verification purposes. This situation occurs in the human validation of an SSL certificate, for example.

I do not believe that this is either a common case in a
directory, a problem unique to bidi visual spoofing, or
worth the restrictions it would place on the usability
of an LDAP directory.

As I said, rather off-handedly, in a previous message,
any descriptive text can be a lie.

cn: Rici Lake
description: three-time nobel prize winner

Admittedly, that particular lie would probably not pass
most people's skepticism filter, but the success of lies
transmitted by email ("I represent the family of a deceased
Nigerian millionaire....") leads me to wonder.

Visual spoofing is just another type of lie. The only problem
occurs when the truth has been certified by a trusted third
party, and the lie is visually indistinguishable from the truth
(and I would like to add, that the lie has also been certified
but by a non-trusted third party; unfortunately most people
have not been sufficiently educated about PKI and friends to
even notice this detail).

I truly do not understand why bidi visual spoofing has been
identified as The One Big Problem when there are a huge
number of visual spoofing attacks which have nothing to
do with bidi. (I believe that www.paypaI.com was even used
as a visual spoof at some point, based on the use of sans
serif fonts, but there are a number of other spoofs which
are less font-dependent, such as the use of Cyrillic and
Greek characters which are indistinguishable, pixel by pixel,
from Latin characters.)

I would hate to think that the elevated profile of bidi attacks
is the result of some kind of subconscious prejudice against
right-to-left languages, although these days you can never tell.
In any event, users of utf-8-enabled mail clients are invited to
visually verify the identity of the following common name:

cn: Міϲrοѕоft Іnс

There are a few IA5 characters in there, and the spacing (at least
on the Mac OS X font I'm using) is slightly imperfect, but I suspect
that it would be accepted by more people than believe in recently
deceased Nigerian millionaires.

I also suspect that most non-Arabic readers would not do well at
visually distinguishing Arabic words from each other, with or
without bidi spoofing.

It is not, in my opinion, the business of a directory protocol to
police the contents of the directory. It would be just as inappropriate
to, for example, syntactically prohibit the use of pornographic words in
a descriptive text string, even though such words may trigger strong
cultural rejection amongst certain user communities (viz. the discussion
of the .xxx TLD in Arabic).

Any such protection should be performed by application specific
protocols, such as IDNA, in combination with sensible security
policies on digital signatures and verification of certificate
authorities, and a lot more public education than has been done
up to now. ("Watch out! There are monsters on the Net!" does not
count as adequate public education.)

Rici
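
An added example, not part of the original message: an application-level check of the kind the message assigns to applications rather than to the directory protocol, flagging cn values in which a single word mixes Latin letters with Cyrillic or Greek lookalikes. The function names and sample values are constructed for illustration, and the script is approximated from Unicode character names rather than taken from a full Unicode security-mechanisms implementation.

```python
import unicodedata

def letter_scripts(word):
    """Approximate the set of scripts used by the letters of `word`.

    Assumption: the first word of a character's Unicode name ("LATIN",
    "CYRILLIC", "GREEK", ...) stands in for its Script property, which the
    standard library does not expose.
    """
    scripts = set()
    for ch in word:
        if not ch.isalpha():
            continue  # digits and punctuation are shared between scripts
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ", 1)[0] if name else "UNKNOWN")
    return scripts

def mixed_script_words(value):
    """Return (word, scripts) for each word whose letters span several scripts."""
    findings = []
    for word in value.split():
        scripts = letter_scripts(word)
        if len(scripts) > 1:
            findings.append((word, sorted(scripts)))
    return findings

def non_ascii_detail(word):
    """Name every non-ASCII code point so a reviewer sees what the glyph hides."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"
            for ch in word if ord(ch) > 0x7F]

# Constructed sample cn values (not taken from any real directory).
SAMPLE_CNS = [
    "Example Inc",                               # Latin only
    "Ex\u0430mple Inc",                          # Cyrillic U+0430 in a Latin word
    "John D\u03bfe",                             # Greek U+03BF in a Latin word
    "\u041f\u0440\u0438\u043c\u0435\u0440 Inc",  # Cyrillic word + Latin word
]

if __name__ == "__main__":
    for cn in SAMPLE_CNS:
        for word, scripts in mixed_script_words(cn):
            print(f"cn={cn!r}: {word!r} mixes {scripts}")
            for line in non_ascii_detail(word):
                print("   ", line)
```

A name written entirely in lookalike letters of one script passes this check, so it complements rather than replaces the signature and certificate-authority verification the message calls for.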