Subject: RE: [xri] GCS Spoofing


Guys-
	I'm glad to see we're coming to consensus here. I'd entertain a
separate effort to document best practices and security issues with the
XRI syntax, especially with regards to spoofing. I'd guess, however,
that this effort should wait until we have *some* significant
deployment. Perhaps we just note these issues in the syntax issues and
defer more in-depth best practice recommendations until we have more
real world experience?

	-Gabe

> -----Original Message-----
> From: William Tan [mailto:william.tan@neustar.biz] 
> Sent: Tuesday, September 20, 2005 10:40 AM
> To: Sakimura, Nat
> Cc: Drummond Reed; Chetan Sabnis; xri@lists.oasis-open.org
> Subject: Re: [xri] GCS Spoofing
> 
> Hi Nat,
> > If we were to ban all the look alikes, I would add Japanese 'ten' as
> > another candidate for GCS '+' look alike.
> > Perhaps, character 'soil' is another candidate. Would hiragana 'no'
> > be a look alike for '@' ? It would not be for a Japanese, but it may be
> > for other people. And ... banning these characters would defeat the
> > purpose of having international characters in XRI, because somebody's
> > name would no more be able to be expressible by XRI.
> >
> Ok, let's not go there. I was convinced long ago that we can't ban 
> characters, especially not when they're simply visually similar, but 
> semantically very different.
> > I agree with William that this "restriction problem" should not be
> > a part of the spec. I would much rather leave it as the recommendation
> > for the client applications. As I have written in the previous mail,
> > it would be rather trivial for the client software to make the real GCS
> > characters discernable for the user.
> >
> I think that is a fairly interesting proposal. Also, we may want to
> drive home the point that punctuation, spacing, and symbol characters
> (potentially other categories) should be avoided when creating XRI
> authorities. Client applications may want to warn the user of any such
> character classes that are not explicitly allowed as XRI syntax
> characters appearing in the authority segment.
> 
> wil.
> 
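
The two client-side measures discussed in this thread (warning on punctuation, spacing and symbol characters in the authority segment, and making the real GCS characters discernible), sketched as an added Python example that is not part of the original messages. The GCS set is assumed from XRI Syntax 2.0, `SYNTAX_CHARS` is a simplified assumption, the function names are hypothetical, and the sample identifiers are constructed.

```python
import unicodedata

# Assumption: global context symbols as listed in XRI Syntax 2.0.
GCS_CHARS = set("=@+$!")
# Assumption: simplified set of ASCII characters treated as legitimate
# syntax inside an authority segment, for illustration only.
SYNTAX_CHARS = GCS_CHARS | set("*().-_~")
# Unicode general-category prefixes: punctuation, symbol, separator (spacing).
SUSPECT_PREFIXES = ("P", "S", "Z")


def authority_segment(xri):
    """Return the authority part: after an optional 'xri://', up to the first '/'."""
    if xri.lower().startswith("xri://"):
        xri = xri[6:]
    return xri.split("/", 1)[0]


def suspicious_chars(xri):
    """List (index, char, code point, Unicode name) entries worth a user warning."""
    findings = []
    for i, ch in enumerate(authority_segment(xri)):
        if ch in SYNTAX_CHARS:
            continue  # real XRI syntax character, nothing to warn about
        if unicodedata.category(ch).startswith(SUSPECT_PREFIXES):
            name = unicodedata.name(ch, "UNNAMED")
            findings.append((i, ch, f"U+{ord(ch):04X}", name))
    return findings


def mark_gcs(xri):
    """Render the authority with every real GCS character bracketed."""
    return "".join(f"[{c}]" if c in GCS_CHARS else c
                   for c in authority_segment(xri))


if __name__ == "__main__":
    # Constructed samples: real '@', fullwidth '@', fullwidth '+', and the
    # ideograph 'ten' (a letter, so the category check does not flag it).
    for sample in ["xri://@example*user", "xri://\uff20example*user",
                   "\uff0bexample", "\u5341example", "=john smith"]:
        print(repr(sample), mark_gcs(sample), suspicious_chars(sample))
```

The ideograph sample shows why the two measures complement each other: a look-alike that is a letter passes the category check, and only the absence of brackets around it tells the user it is not a real GCS character.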

