Subject: RE: Homographic attacks
Glenn,

I agree with your thoughts precisely (and am copying them to the OASIS XRI TC mail list, where we are finishing XRI 2.0 and are addressing this in our "Security and Data Protection Considerations" section). This is also relevant to the XDI.ORG Global Services Specifications (http://gss.xdi.org) that will govern global XRI registry services, so I'm copying that list as well. That's actually the place that we can institute policy at the level of the registrars, preventing these from being registered in the first place. (One advantage you have when you're starting a whole new layer of infrastructure.)

Of course, XRIs also have the additional advantage of supporting Unicode from the outset (they are based on the IETF/W3C IRI specifications, http://www.ietf.org/rfc/rfc3987.txt). While this doesn't free us entirely from the backwards-compatibility issues with punycode, the vast majority of internationalized XRIs will be UTF-8 clean right from the start.

Please do send any other thoughts you might have on this issue. We'd love for you to review the XRI 2.0 drafts - links to the current versions are listed in section 5 of the Dataweb links page at http://xrixdi.idcommons.net/moin.cgi/DataWeb.

Thanks much for your help,

=Drummond

-----Original Message-----
From: Glenn Fleishman [mailto:glenn@glennf.com]
Sent: Monday, February 21, 2005 5:21 PM
To: Drummond Reed; Adam Engst
Subject: Re: Homographic attacks

> I'm copying Adam and Glenn so they know that this is something the XRI TC is
> interested in helping prevent with XRIs. (Adam, Glenn, if you want to reply
> with more info, you can reply back to me and I'll forward to the list.)

Nice to hear from you. I'd argue this is the price of automation. The only reasonable way to solve this in an automated fashion is to build homographic/isomorphic tables of Unicode values coupled with common Roman characters. In such a system, any single or multiple substitution in a well-known name would be flagged before it was issued.

Further, the whole punycode system is a giant, ugly hack to get around fundamental problems in the support of Unicode within the fiber of the Internet! So I'm not sure precisely whether or not there's a solution except through human review and/or homographic analysis.

--
Glenn Fleishman
seattle, washington
work and home: glennf.com
wireless data news: wifinetnews.com
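The registration-time check Glenn describes, as an added example that is not part of the original thread: a candidate name is folded to a "skeleton" through a table of look-alike Unicode characters and compared against the skeletons of well-known names, so any single or multiple substitution is flagged before the name is issued. The confusable table and the registry of well-known names are constructed here for illustration; a real registrar would derive the table from Unicode's confusables.txt (UTS #39).

```python
import unicodedata

# Constructed confusable table: code points that render like common Latin
# letters. A real deployment would generate this from Unicode confusables.txt;
# these entries are an illustrative subset only.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "1": "l",       # digit one vs. lowercase L
    "0": "o",       # digit zero vs. lowercase O
}

# Constructed registry of well-known names that must not be imitated.
WELL_KNOWN = {"paypal", "example", "xri"}


def skeleton(name: str) -> str:
    """NFKC-normalise and case-fold the name (this also collapses fullwidth
    forms and uppercase look-alikes), then replace every confusable character
    with the Latin letter it imitates."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def check_registration(candidate: str, registry: set[str] = WELL_KNOWN) -> list[str]:
    """Return the well-known names the candidate would be confused with.
    An empty list means the name may be issued; an exact duplicate of a
    registered name is reported as well."""
    cand_skel = skeleton(candidate)
    return sorted(known for known in registry if skeleton(known) == cand_skel)


def substituted_positions(candidate: str, known: str) -> list[int]:
    """Indices at which the candidate differs from the name it imitates,
    i.e. the single or multiple substitutions that triggered the flag."""
    c = unicodedata.normalize("NFKC", candidate).casefold()
    k = unicodedata.normalize("NFKC", known).casefold()
    return [i for i, (a, b) in enumerate(zip(c, k)) if a != b]


if __name__ == "__main__":
    for name in ("p\u0430yp\u0430l", "payments", "\uff50\uff41\uff59\uff50\uff41\uff4c"):
        print(repr(name), "->", check_registration(name) or "may be issued")
```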