

Subject: RE: [xri] GCS Spoofing


I meant to say "note these issues in a security issues section of the
Syntax document".  

   -Gabe

> -----Original Message-----
> From: Wachob, Gabe [mailto:gwachob@visa.com] 
> Sent: Tuesday, September 20, 2005 10:59 AM
> To: William Tan; Sakimura, Nat
> Cc: Drummond Reed; Chetan Sabnis; xri@lists.oasis-open.org
> Subject: RE: [xri] GCS Spoofing
> 
> Guys-
> 	I'm glad to see we're coming to consensus here. I'd entertain a
> separate effort to document best practices and security issues with the
> XRI syntax, especially with regards to spoofing. I'd guess, however,
> that this effort should wait until we have *some* significant
> deployment. Perhaps we just note these issues in the syntax issues and
> defer more in-depth best practice recommendations until we have more
> real world experience?
> 
> 	-Gabe
> 
> > -----Original Message-----
> > From: William Tan [mailto:william.tan@neustar.biz] 
> > Sent: Tuesday, September 20, 2005 10:40 AM
> > To: Sakimura, Nat
> > Cc: Drummond Reed; Chetan Sabnis; xri@lists.oasis-open.org
> > Subject: Re: [xri] GCS Spoofing
> > 
> > Hi Nat,
> > > If we were to ban all the look alikes, I would add Japanese 'ten' as
> > > another candidate for GCS '+' look alike.
> > > Perhaps, character 'soil' is another candidate. Would hiragana 'no'
> > > be a look alike for '@' ? It would not be for a Japanese, but it may be
> > > for other people. And ... banning these characters would defeat the
> > > purpose of having international characters in XRI, because somebody's
> > > name would no more be able to be expressible by XRI.
> > >
> > Ok, let's not go there. I was convinced long ago that we can't ban
> > characters, especially not when they're simply visually similar, but
> > semantically very different.
> > > I agree with William that this "restriction problem" should not be
> > > a part of the spec. I would much rather leave it as the recommendation
> > > for the client applications. As I have written in the previous mail,
> > > it would be rather trivial for the client software to make the real GCS
> > > characters discernable for the user.
> > >
> > I think that is a fairly interesting proposal. Also, we may want to
> > drive home the point that punctuations, spacing, symbols (potentially
> > other categories) characters should be avoided when creating XRI
> > authorities. Client application may want to warn the user of any such
> > character classes that are not explicitly allowed as XRI syntax
> > characters appearing in the authority segment.
> > 
> > wil.
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe from this mail list, you must leave the OASIS TC that
> > generates this mail.  You may a link to this group and all
> > your TCs in OASIS
> > at:
> > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> > 
> > 
> 
> 
> 
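
An added example, not part of the original thread or of any XRI implementation: a Python check for the client-side warning suggested in the quoted reply, flagging punctuation, spacing and symbol characters in an authority segment that are not explicit syntax characters. The allowed set, the function name and the sample authorities are assumptions (only '+' and '@' are named in the thread, and 'ten' is assumed to be U+5341); the last sample shows that a letter look-alike is not caught by a category check.

```python
import unicodedata

# Assumption: ASCII characters treated as explicit XRI syntax in an authority
# segment. Only '+' and '@' are named in the thread; the rest is illustrative.
ALLOWED_SYNTAX = set("=@+$!*().-_~")

# Major Unicode categories the thread suggests warning about.
WARN_MAJOR = {"P": "punctuation", "Z": "spacing", "S": "symbol"}


def authority_warnings(authority):
    """Return one (index, codepoint, name, class) tuple per suspicious char."""
    findings = []
    for index, ch in enumerate(authority):
        if ch in ALLOWED_SYNTAX:
            continue  # real syntax character, nothing to warn about
        major = unicodedata.category(ch)[0]
        if major in WARN_MAJOR:
            findings.append((
                index,
                "U+%04X" % ord(ch),
                unicodedata.name(ch, "UNNAMED"),
                WARN_MAJOR[major],
            ))
    return findings


# Constructed sample authorities (hypothetical names, not real registrations).
SAMPLES = [
    "@example*alice",       # plain ASCII, real GCS '@'
    "\uff20example*alice",  # FULLWIDTH COMMERCIAL AT instead of '@'
    "\uff0bexample",        # FULLWIDTH PLUS SIGN instead of '+'
    "=bob\u3000smith",      # IDEOGRAPHIC SPACE inside the name
    "\u5341example",        # assumed 'ten' ideograph: a letter, so not flagged
]

if __name__ == "__main__":
    for sample in SAMPLES:
        hits = authority_warnings(sample)
        print(repr(sample), "->", hits if hits else "no warnings")
```
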

