Mark Davis <[EMAIL PROTECTED]> wrote:

> When stringprep is used correctly, loose vs loose comparisons alone
> will never happen.

At the very least, we need to spell that out in the stringprep spec. We need to say that the ultimate purpose of the guidelines about "stored strings" and "query strings" is to make sure that two loosely prepared strings are never compared. That will at least give people a better chance of figuring out when they can safely use loose stringprep.

I also suggest adding an explicit requirement that applications must use strict stringprep whenever there is doubt. They may use loose stringprep only when they know that the string will not be compared with another loosely prepared string (for example, when they are putting the string into a protocol slot that is used only for comparisons with strictly prepared strings; DNS queries qualify if we add a requirement to IDNA prohibiting DNS servers from serving loosely-prepared names).

I think that's the least we should do. We could go even further and always prohibit unassigned code points. That would occasionally inconvenience people (who would have to upgrade their software), but would be a lot simpler and would avoid confusing people when new characters silently fail to match.

AMC
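
The loose-versus-loose failure discussed in the message above, as an added example that is not part of the original thread. It uses the RFC 3454 tables in Python's standard `stringprep` module; the function names and sample strings are constructed for illustration, and the profile is simplified to tables A.1, B.1, B.2 and NFKC.

```python
import stringprep
from unicodedata import ucd_3_2_0 as ucd32  # RFC 3454 tables are fixed at Unicode 3.2

class UnassignedCodePoint(ValueError):
    """Raised by strict preparation when a table A.1 code point is present."""

def prepare(s, allow_unassigned):
    """Simplified preparation: map (B.1, B.2), NFKC, unassigned check (A.1).

    allow_unassigned=True is the loose form, False the strict form.
    Prohibited-output and bidi checks are left out of this sketch.
    """
    out = []
    for ch in s:
        if stringprep.in_table_a1(ch):
            if not allow_unassigned:
                raise UnassignedCodePoint(f"U+{ord(ch):04X}")
            out.append(ch)  # loose: no mapping data exists, so pass it through
        elif not stringprep.in_table_b1(ch):  # B.1 code points map to nothing
            out.append(stringprep.map_table_b2(ch))
    return ucd32.normalize("NFKC", "".join(out))

def query_matches_stored(query, stored):
    """Loose query against strict stored string: the comparison the guidelines allow."""
    return prepare(query, True) == prepare(stored, False)

def loose_equals_loose(a, b):
    """Both sides loose: the comparison the message wants ruled out."""
    return prepare(a, True) == prepare(b, True)

# Constructed sample: U+023A and U+2C65 are unassigned in Unicode 3.2 but are an
# upper/lower case pair in later Unicode versions.
Q_UPPER = "\u023Abc"
Q_LOWER = "\u2C65BC"

if __name__ == "__main__":
    print(query_matches_stored("Example", "EXAMPLE"))
    print(loose_equals_loose(Q_UPPER, Q_LOWER))
    print(Q_UPPER.lower() == Q_LOWER.lower())
    try:
        prepare(Q_UPPER, allow_unassigned=False)
    except UnassignedCodePoint as exc:
        print("strict preparation rejects", exc)
```

The two loosely prepared strings compare unequal under the Unicode 3.2 tables even though a current Unicode database folds them to the same string, while strict preparation refuses both.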
