"Adam M. Costello" <[EMAIL PROTECTED]> writes:

> I have no objection. We might be able to compact it a bit:
>
> Domain names are used by users to identify and connect to Internet
> servers. The security of the Internet is compromised if a user
> entering a single internationalized name is connected to different
> servers based on different interpretations of the internationalized
> domain name.
>
> When systems use local character sets other than ASCII and Unicode,
> this specification leaves the transcoding problem up to the
> application. If applications implement different transcoding rules,
> they could interpret the same name differently and contact different
> servers. This problem is not solved by security protocols like TLS
> that do not take local character sets into account.
>
> [I didn't change the first paragraph except to remove the last
> sentence.]
>
> Simon, does that still say everything you want it to?
Sure. Before the last sentence it could be useful to also add something like:

"Furthermore, if a single application uses one mapping table in one version, and a subsequent version of the application uses a modified mapping table, different interpretations of the same internationalized text string may be possible even within the same application, which has security implications."

Perhaps it didn't come out very clearly; I was trying to explain that if mapping tables are modified over time (in a way that Unicode CK normalization does not cancel out) it will be exploitable.
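The transcoding ambiguity described in the quoted security text, as an added example that is not part of the original thread: the same local-charset bytes are transcoded under several rules and each result is passed through IDNA ToASCII. The sample bytes, the `.example` suffix and the list of charsets are constructed assumptions; the conversion uses the IDNA 2003 `idna` codec from Python's standard library.

```python
# Added illustration; the input bytes and charset list are constructed.
RAW_LABEL = b"b\xfccher"  # name as typed on a system with a non-Unicode charset
CANDIDATE_CHARSETS = ["latin-1", "cp437", "iso8859-5", "koi8-r"]


def to_ace(raw: bytes, charset: str) -> str:
    """Transcode local-charset bytes to Unicode, then apply IDNA ToASCII."""
    name = raw.decode(charset) + ".example"
    return name.encode("idna").decode("ascii")


def interpretations(raw: bytes, charsets):
    """Map each transcoding rule to the ASCII name that would be looked up."""
    result = {}
    for charset in charsets:
        try:
            result[charset] = to_ace(raw, charset)
        except UnicodeError:
            result[charset] = None  # this rule rejects the input outright
    return result


def is_ambiguous(raw: bytes, charsets) -> bool:
    """True when two transcoding rules resolve the bytes to different names."""
    names = {n for n in interpretations(raw, charsets).values() if n is not None}
    return len(names) > 1


if __name__ == "__main__":
    for charset, ace in interpretations(RAW_LABEL, CANDIDATE_CHARSETS).items():
        print(f"{charset:10} -> {ace}")
    print("ambiguous:", is_ambiguous(RAW_LABEL, CANDIDATE_CHARSETS))
```

A TLS certificate check passes for whichever of these names the application ends up querying, which is why the quoted text says TLS does not solve the problem.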
