
Subject: Re: [cti-taxii] Restrictions on resource names


Terry MacDonald wrote this message on Sun, Oct 16, 2016 at 08:47 +1300:
> My only concern with this is the fact it makes it easier to do phishing
> attacks. IDNs make it easier to make fake DNS names look like real ones (eg
> make a fake oasis-open.org using an a from a different language).

The IDN homograph attack is outside the scope of the specification, as
that is already a common problem and there are various ways to address
that.

We are only talking about one path component for TAXII.  If an administrator
allows the creation of similar names, they are responsible for the confusion
as a result.  I hope that TAXII servers will not allow arbitrary creation
of collections, or that some administrator will handle the curation of that.

> On 15 Oct. 2016 21:18, "Dave Cridland" <dave.cridland@surevine.com> wrote:
> 
> > On 14 Oct 2016 23:43, "John-Mark Gurney" <jmg@newcontext.com> wrote:
> > >
> > > Dave Cridland wrote this message on Tue, Oct 11, 2016 at 13:42 +0100:
> > > > And if you add in %-encoding, you can cover everyone's languages.
> > > > (Ignoring, for the moment, that we're talking about UTF-8 being percent
> > > > encoded into Latin-1).
> > >
> > > We should be using IRI[1][2] for TAXII, which addresses non-ASCII
> > > characters in URLs.
> > >
> > > [1] https://en.wikipedia.org/wiki/Internationalized_Resource_Identifier
> > > [2] https://tools.ietf.org/html/rfc3987
> > >
> >
> > Judging by the discussion about I18n on the call last week, I think this
> > is the right path - it shows channel names to be IRI path segments, I
> > think, for which we should be able to pass the buck to an existing
> > definition.
> >
> > > > On 11 October 2016 at 13:40, Trey Darley <trey@kingfisherops.com> wrote:
> > > >
> > > > > On 11.10.2016 09:19:00, Jason Keirstead wrote:
> > > > > > I think it would be overly limiting to not allow people to create
> > > > > > collection names with non-latin1 characters. People will want to
> > > > > > create collection names in their own language.
> > > > > >
> > > > >
> > > > > I concur with Jason.

-- 
John-Mark
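
The curation step discussed in this thread, as an added example that is not part of the original message or of any TAXII implementation: a server-side check that maps a proposed collection name to one percent-encoded UTF-8 path segment and flags names an administrator should review. The function names are hypothetical, and the script test is a heuristic based on Unicode character names, not the full UTS #39 confusables data.

```python
import unicodedata
from urllib.parse import quote


def scripts(name):
    """Approximate script set, taken from the first word of each letter's
    Unicode name (a heuristic; UTS #39 confusable data is not in the stdlib)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in name if ch.isalpha()}


def fold(name):
    """Comparison key: compatibility-normalise, then case-fold."""
    return unicodedata.normalize("NFKC", name).casefold()


def check_collection_name(name, existing):
    """Return (uri_segment, problems) for a proposed collection name.

    uri_segment is the name as one percent-encoded UTF-8 path segment;
    problems lists the reasons an administrator should review or refuse it.
    """
    name = unicodedata.normalize("NFC", name)
    problems = []
    if not name or name in (".", "..") or "/" in name:
        problems.append("not a single path segment")
    if any(unicodedata.category(ch).startswith("C") for ch in name):
        problems.append("control, format or unassigned character")
    found = scripts(name)
    if len(found) > 1:
        # Also fires on legitimate mixes (e.g. kana with CJK): review, not reject.
        problems.append("mixed scripts: " + ", ".join(sorted(found)))
    if name not in existing and fold(name) in {fold(e) for e in existing}:
        problems.append("differs from an existing name only by case or compatibility form")
    return quote(name, safe=""), problems


if __name__ == "__main__":
    current = ["indicators"]  # constructed sample data
    for proposed in ["données", "indic\u0430tors", "Indicators", "a/b"]:
        print(repr(proposed), check_collection_name(proposed, current))
```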

