headers
Michel Suignard | 14 Sep 2004 01:43
Picon
Favicon

IDNA and Control codes (0-1F) and 7F

By excluding table C.2.1 from the StringPrep profile used by IDNA, the
ToASCII operation allows all C0 control codes and 7F in its default mode
(UseSTD3ASCIIRules flag unset). This is rather troublesome as these
control codes, especially the 00 value, may create all sorts of issues
for run time libraries that use zero as string terminator on input. When
such usage is performed it makes quite cumbersome to detect when the
zero character is a terminator or part of the character string itself.
I understand the value of allowing all ASCII non control characters but
allowing by default the control characters in a ToASCII function seems
to open the door for all sorts of abuse and security risks.

Would a library that by default only allow the range 20-7E be still
considered conformant? In all cases, it would still honor the
UseSTD3ASCIIRules. Allowing the C0 control codes and 7F doesn't seem
that useful. I would have preferred to have a default mode excluding
them and if the full 00-7F is really required make it another optional
flag.

Was this intended? Or is it an error? Or maybe I am not reading the spec
correctly ;-)

Michel
----------
References:
RFC 3490 IDNA, section 2. Terminology says:
<<
An "internationalized label" is a label to which the ToASCII operation
(see instruction 4) can be applied without failing (with the
UseSTD3ASCIIRules flag unset).
>>
(Continue reading)

Permalink | Reply | 1 comment |
headers
Paul Hoffman / IMC | 14 Sep 2004 02:33
Picon

Re: IDNA and Control codes (0-1F) and 7F

At 4:43 PM -0700 9/13/04, Michel Suignard wrote:
>By excluding table C.2.1 from the StringPrep profile used by IDNA, the
>ToASCII operation allows all C0 control codes and 7F in its default mode
>(UseSTD3ASCIIRules flag unset).

There is no "default mode" for IDNA. This was debated, but in the end 
we had to allow both methods of processing names. If anything, the 
UseSTD3ASCIIRules flag being *set* is probably the default for most 
systems processing domain names today, probably unconsciously.

>Would a library that by default only allow the range 20-7E be still
>considered conformant? In all cases, it would still honor the
>UseSTD3ASCIIRules. Allowing the C0 control codes and 7F doesn't seem
>that useful. I would have preferred to have a default mode excluding
>them and if the full 00-7F is really required make it another optional
>flag.

If such a library followed the IDNA spec with the UseSTD3ASCIIRules 
being set, it would certainly be conformant.

--Paul Hoffman, Director
--Internet Mail Consortium
Permalink | Reply | 0 comments |
headers
Adam M. Costello | 14 Sep 2004 08:57

Re: IDNA and Control codes (0-1F) and 7F

Michel Suignard <michelsu <at> windows.microsoft.com> wrote:

> By excluding table C.2.1 from the StringPrep profile used by IDNA, the
> ToASCII operation allows all C0 control codes and 7F in its default
> mode (UseSTD3ASCIIRules flag unset).

As Paul said, there is no default mode.  It is up to the application
to decide whether to set UseSTD3ASCIIRules.  Of course a library could
make one mode or the other the default, and it is free to choose either
mode to be the default.  A library could also, I suppose, implement only
one mode or the other, in which case I guess it would be an incomplete
conformant implementation of ToASCII.

> This is rather troublesome as these control codes, especially the 00
> value, may create all sorts of issues for run time libraries that use
> zero as string terminator on input.

If the programming environment customarily uses a string representation
that does not allow embedded NULs to be represented, then it will be a
moot point whether your ToASCII implementation handles NUL correctly,
because it cannot be tested anyway.  You can reasonably claim that it's
not your IDN library that's incomplete, but the programming environment
that's incomplete.

Note that ToASCII and ToUnicode will never try to output an embedded NUL
character if they never receive an embedded NUL character as input.

For an example of a C library that handles embedded NULs, see GNU
libidn:
(Continue reading)

Permalink | Reply | 0 comments |
headers
Krall, Gary | 14 Sep 2004 22:30
Picon
Favicon

RE: IDNA and Control codes (0-1F) and 7F

All:

Just as an fyi, the C library in the Verisign SDK ("Xcode") has the
UseSTD3ASCIIRules  rule set by default.  It is a compile switch option which
can be changed in the library's configuration file.

Also note that the library does not accept null characters embedded in input
strings regardless of how this flag is set. Control characters other than
null will pass through as expected without the std3 flag set.

Gary.

-----Original Message-----
From: Adam M. Costello [mailto:idn.amc+0 <at> nicemice.net.RemoveThisWord]
Sent: Monday, September 13, 2004 11:58 PM
To: IETF idn working group
Subject: Re: [idn] IDNA and Control codes (0-1F) and 7F

Michel Suignard <michelsu <at> windows.microsoft.com> wrote:

> By excluding table C.2.1 from the StringPrep profile used by IDNA, the
> ToASCII operation allows all C0 control codes and 7F in its default
> mode (UseSTD3ASCIIRules flag unset).

As Paul said, there is no default mode.  It is up to the application
to decide whether to set UseSTD3ASCIIRules.  Of course a library could
make one mode or the other the default, and it is free to choose either
mode to be the default.  A library could also, I suppose, implement only
one mode or the other, in which case I guess it would be an incomplete
conformant implementation of ToASCII.
(Continue reading)

Permalink | Reply | 0 comments |
headers
JFC (Jefsey) Morfin | 15 Sep 2004 00:31

RE: IDNA and Control codes (0-1F) and 7F

Dear Gary,
were can this DSK be found. Or is it proprietary?
thanks
jfc morfin

At 22:30 14/09/2004, Krall, Gary wrote:

>All:
>
>Just as an fyi, the C library in the Verisign SDK ("Xcode") has the
>UseSTD3ASCIIRules  rule set by default.  It is a compile switch option which
>can be changed in the library's configuration file.
>
>Also note that the library does not accept null characters embedded in input
>strings regardless of how this flag is set. Control characters other than
>null will pass through as expected without the std3 flag set.
>
>Gary.
>
>-----Original Message-----
>From: Adam M. Costello [mailto:idn.amc+0 <at> nicemice.net.RemoveThisWord]
>Sent: Monday, September 13, 2004 11:58 PM
>To: IETF idn working group
>Subject: Re: [idn] IDNA and Control codes (0-1F) and 7F
>
>
>Michel Suignard <michelsu <at> windows.microsoft.com> wrote:
>
> > By excluding table C.2.1 from the StringPrep profile used by IDNA, the
> > ToASCII operation allows all C0 control codes and 7F in its default
(Continue reading)

Permalink | Reply | 0 comments |
headers
Krall, Gary | 15 Sep 2004 01:06
Picon
Favicon

RE: IDNA and Control codes (0-1F) and 7F

Jefsey:

Our SDK (which includes both C as well as a Java implementation) is open
sourced and covered under BSD licensing provisions.  For the specific
information about our library you may go to:  

http://www.verisign.com/products-services/naming-and-directory-services/nami
ng-services/internationalized-domain-names/idn-registrars/page_001408.html

Additionally for a list of current environments which support IDNA (includes
both applications as well as programming languages) you may go to:

http://www.verisign.com/products-services/naming-and-directory-services/nami
ng-services/internationalized-domain-names/page_002201.html

Hope this helps.

Gary.

-----Original Message-----
From: JFC (Jefsey) Morfin [mailto:jefsey <at> jefsey.com]
Sent: Tuesday, September 14, 2004 3:32 PM
To: Krall, Gary; 'IETF idn working group'
Subject: RE: [idn] IDNA and Control codes (0-1F) and 7F

Dear Gary,
were can this DSK be found. Or is it proprietary?
thanks
jfc morfin
(Continue reading)

Permalink | Reply | 3 comments |
headers
Joel Rowbottom | 23 Sep 2004 13:54

Re: Re:

At 12:40 23/09/2004, Harald wrote:

>[]
><virus attachment removed>

Please can someone LART this joker from the list. It's getting annoying now.

--
  Joel Rowbottom, http://www.centralnic.com - CTO and self-confessed Unix geek
  <t> +44 (0)20 7751 9000   <f> +44 (0)20 7736 9253   <e> joel <at> centralnic.com
  # Note: Contents may not necessarily represent the opinions of CentralNic.
Permalink | Reply | 1 comment |
headers
William Tan | 24 Sep 2004 22:03
Favicon
Gravatar

Re: Re:

It's probably forged by a worm. You might want to configure your mail 
scanner to reject virus-infected mails at SMTP stage rather than 
sanitizing it.

Cheers,
wil.

Joel Rowbottom wrote:

> At 12:40 23/09/2004, Harald wrote:
>
>> []
>> <virus attachment removed>
>
>
> Please can someone LART this joker from the list. It's getting 
> annoying now.
>
>
> -- 
>  Joel Rowbottom, http://www.centralnic.com - CTO and self-confessed 
> Unix geek
>  <t> +44 (0)20 7751 9000   <f> +44 (0)20 7736 9253   <e> 
> joel <at> centralnic.com
>  # Note: Contents may not necessarily represent the opinions of 
> CentralNic.
>
>
(Continue reading)

Permalink | Reply | 0 comments |

Gmane