Subject: RE: Homographic attacks


Glenn,

I agree with your thoughts precisely (and am copying them to the OASIS XRI
TC mail list, where we are finishing XRI 2.0 and are addressing this in our
"Security and Data Protection Considerations" section).

This is also relevant to the XDI.ORG Global Services Specifications
(http://gss.xdi.org) that will govern global XRI registry services, so I'm
copying that list as well. That's actually the place that we can institute
policy at the level of the registrars, preventing these from being
registered in the first place. (One advantage you have when you're starting
a whole new layer of infrastructure.)

Of course, XRIs also have the additional advantage of supporting Unicode
from the outset (they are based on the IETF/W3C IRI specifications,
http://www.ietf.org/rfc/rfc3987.txt). 

While this doesn't free us entirely from the backwards-compatibility issues
with punycode, the vast majority of internationalized XRIs will be UTF-8
clean right from the start.

Please do send any other thoughts you might have on this issue. We'd love
for you to review the XRI 2.0 drafts - links to the current versions are
listed in section 5 of the Dataweb links page at
http://xrixdi.idcommons.net/moin.cgi/DataWeb.

Thanks much for your help,

=Drummond 

-----Original Message-----
From: Glenn Fleishman [mailto:glenn@glennf.com] 
Sent: Monday, February 21, 2005 5:21 PM
To: Drummond Reed; Adam Engst
Subject: Re: Homographic attacks

>I'm copying Adam and Glenn so they know that this is something the XRI TC is
>interested in helping prevent with XRIs. (Adam, Glenn, if you want to reply
>with more info, you can reply back to me and I'll forward to the list.)

Nice to hear from you.

I'd argue this is the price of automation. The only reasonable way to solve
this in an automated fashion is to build homographic/isomorphic tables of
Unicode values coupled with common Roman characters. In such a system, any
single or multiple substitution in a well-known name would be flagged before
it was issued.

Further, the whole punycode system is a giant, ugly hack to get around
fundamental problems in the support of Unicode within the fiber of the
Internet!

So I'm not sure precisely whether or not there's a solution except through
human review and/or homographic analysis.
--
Glenn Fleishman
seattle, washington
work and home: glennf.com
wireless data news: wifinetnews.com
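Added illustration, not part of either message, of the homograph-table check Glenn describes: a small constructed confusable table maps look-alike Cyrillic and Greek letters to the Latin letters they imitate, and a candidate name is held for review when its "skeleton" collides with a well-known name or when it mixes scripts. The table, the well-known-name set and the function names are assumptions for this example; a real registry would load the full Unicode confusables data.

```python
import unicodedata

# Constructed, deliberately small confusable table (assumption): non-Latin
# code points that render like common Latin letters.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}

def skeleton(name: str) -> str:
    """NFKC-normalise, lower-case, then replace each known confusable with
    the Latin letter it imitates; names that look alike share a skeleton."""
    norm = unicodedata.normalize("NFKC", name).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in norm)

def scripts(name: str) -> set:
    """Scripts used by the letters of the name, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in name if ch.isalpha()}

def check_registration(candidate: str, well_known: set) -> list:
    """Reasons a candidate should be held for human review before issuance;
    an empty list means no homograph concern was found."""
    reasons = []
    skel = skeleton(candidate)
    # Looks like a well-known name but is not literally that name
    # (catches single and multiple substitutions, even within one script).
    if skel in well_known and candidate != skel:
        reasons.append(f"confusable with well-known name '{skel}'")
    # Mixed scripts in one label is a classic homograph signature.
    used = scripts(candidate)
    if len(used) > 1:
        reasons.append("mixed scripts: " + ", ".join(sorted(used)))
    return reasons
```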
