Subject: RE: [xri] GCS Spoofing
Guys-

I'm glad to see we're coming to consensus here. I'd entertain a separate effort to document best practices and security issues with the XRI syntax, especially with regards to spoofing. I'd guess, however, that this effort should wait until we have *some* significant deployment. Perhaps we just note these issues in the syntax issues and defer more in-depth best practice recommendations until we have more real world experience?

-Gabe

> -----Original Message-----
> From: William Tan [mailto:william.tan@neustar.biz]
> Sent: Tuesday, September 20, 2005 10:40 AM
> To: Sakimura, Nat
> Cc: Drummond Reed; Chetan Sabnis; xri@lists.oasis-open.org
> Subject: Re: [xri] GCS Spoofing
>
> Hi Nat,
> > If we were to ban all the look alikes, I would add Japanese 'ten' as
> > another candidate for GCS '+' look alike.
> > Perhaps, character 'soil' is another candidate. Would hiragana 'no'
> > be a look alike for '@' ? It would not be for a Japanese, but it may be
> > for other people. And ... banning these characters would defeat the
> > purpose of having international characters in XRI, because somebody's
> > name would no more be able to be expressible by XRI.
> >
> Ok, let's not go there. I was convinced long ago that we can't ban
> characters, especially not when they're simply visually similar, but
> semantically very different.
> > I agree with William that this "restriction problem" should not be
> > a part of the spec. I would much rather leave it as the recommendation
> > for the client applications. As I have written in the previous mail,
> > it would be rather trivial for the client software to make the real GCS
> > characters discernable for the user.
> >
> I think that is a fairly interesting proposal. Also, we may want to
> drive home the point that punctuations, spacing, symbols (potentially
> other categories) characters should be avoided when creating XRI
> authorities.
> Client application may want to warn the user of any such
> character classes that are not explicitly allowed as XRI syntax
> characters appearing in the authority segment.
>
> wil.
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. You may a link to this group and all
> your TCs in OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
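
A sketch of the client-side warning proposed in the quoted message, added here as an example and not code from either poster or from the XRI TC. It flags punctuation, symbol, spacing and control characters in the authority segment that are not XRI syntax characters; the allowed sets, the function names and the sample identifiers are assumptions made for illustration.

```python
import unicodedata

# Assumption: characters with syntactic meaning in an XRI authority segment
# (GCS symbols, subsegment delimiters, cross-reference parentheses).
GCS_CHARS = set("=@+$!")
XRI_SYNTAX_CHARS = GCS_CHARS | set("*()")
# Assumption: IRI "unreserved" marks are tolerated inside a subsegment.
UNRESERVED_MARKS = set("-._~")
# Unicode general-category prefixes to warn on: P=punctuation, S=symbol,
# Z=separator/spacing, C=control/format (the "other categories" case).
WARN_PREFIXES = ("P", "S", "Z", "C")


def authority_segment(xri: str) -> str:
    """Return the authority part: after an optional xri:// and before / ? #."""
    rest = xri[6:] if xri.lower().startswith("xri://") else xri
    for i, ch in enumerate(rest):
        if ch in "/?#":
            return rest[:i]
    return rest


def audit_authority(xri: str):
    """List (index, char, codepoint, category, name) for each suspicious char."""
    findings = []
    for i, ch in enumerate(authority_segment(xri)):
        if ch in XRI_SYNTAX_CHARS or ch in UNRESERVED_MARKS:
            continue  # real syntax characters and plain marks are not flagged
        cat = unicodedata.category(ch)
        if cat.startswith(WARN_PREFIXES):
            findings.append((i, ch, f"U+{ord(ch):04X}", cat,
                             unicodedata.name(ch, "<unnamed>")))
    return findings


if __name__ == "__main__":
    # Constructed sample identifiers, not taken from the thread.
    samples = ["=example*user", "\uff0bexample", "\uff20example.corp",
               "@example\u2044path", "\u5341example", "=ex ample"]
    for s in samples:
        hits = audit_authority(s)
        print(repr(s), "->", hits or "no warning")
```

The fullwidth plus and fullwidth at sign are flagged because they are symbol and punctuation characters, while the ideograph U+5341 ('ten') passes because it is a letter, which is the limit of a category-based check that the thread already concedes.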