RE: Unicode and Security: Domain Names
The recent discussions of this list about Internet domain name spoofing through substitution of Unicode characters that have similar, or identical, glyphs is an issue that has recently appeared in print in a prominent journal:

@String{j-CACM = "Communications of the ACM"}

@Article{Gabrilovich:2002:IRH,
  author =       "Evgeniy Gabrilovich and Alex Gontmakher",
  title =        "Inside risks: The homograph attack",
  journal =      j-CACM,
  volume =       "45",
  number =       "2",
  pages =        "128--128",
  month =        feb,
  year =         "2002",
  CODEN =        "CACMA2",
  ISSN =         "0001-0782",
  bibdate =      "Wed Jan 30 17:45:01 MST 2002",
  bibsource =    "http://www.acm.org/pubs/contents/journals/cacm/",
  acknowledgement = ack-nhfb,
}

Bruce Schneier also discussed this in the 15-Mar-2001, 15-Jul-2001, 15-Sep-2001, and 15-Nov-2001 issues of the CRYPTO-GRAM newsletter (available at http://www.counterpane.com/crypto-gram.html ) and gave these links for more info:

http://www.theregister.co.uk/content/55/21573.html
http://www.securityfocus.com/bid/3461
http://www.counterpane.com/crypto-gram-0007.html#9
http://www.securityfocus.com/focus/ids/articles/utf8.html

---
- Nelson H. F. Beebe                    Tel: +1 801 581 5254 -
- Center for Scientific Computing       FAX: +1 801 585 1640, +1 801 581 4148 -
- University of Utah                    Internet e-mail: [EMAIL PROTECTED] -
- Department of Mathematics, 322 INSCC  [EMAIL PROTECTED] [EMAIL PROTECTED] -
- 155 S 1400 E RM 233                   [EMAIL PROTECTED] -
- Salt Lake City, UT 84112-0090, USA    URL: http://www.math.utah.edu/~beebe -
---
RE: Unicode and Security: Domain Names
> Are the actual domain names as stored in the DB going to be canonical
> normalized Unicode strings? It seems this would go a long way towards
> preventing spoofing ...

Names will be stored according to a normalization called Nameprep. Read the Stringprep (general framework) and Nameprep (IDN application, or Stringprep profile) for details. This normalization includes a step of normalizing using NFKC, but it does more than that.

> no one would be allowed to register a non-canonical
> normalized domain name. Then, a resolver would be required to normalize any
> request string before the actual resolve.

To keep the resolver's loads the same as today, client applications will do the normalization of their requests. If they don't normalize properly, the lookup will just fail. Read the IDNA document for more info on this.

All normalized strings are encoded in a so-called ASCII Compatible Encoding which uses the restricted set of characters used in the DNS today (letters, digits, hyphen except at the extremities) for host names (which are different than STD13 names, cf. SRV RRs for example). Read IDNA, again, and Punycode, the chosen encoding.

YA
RE: Unicode and Security: Domain Names
Moreover, the IDN WG documents are in final call, so if you have comments to make on them, now is the time. Visit http://www.i-d-n.net/ and subscribe to their mailing list (and read their archives) before doing so.

The documents in last call are:

1. Internationalizing Domain Names in Applications (IDNA)
http://www.ietf.org/internet-drafts/draft-ietf-idn-idna-06.txt

2. Stringprep Profile for Internationalized Host Names
http://www.ietf.org/internet-drafts/draft-ietf-idn-nameprep-07.txt

3. Punycode version 0.3.3
http://www.ietf.org/internet-drafts/draft-ietf-idn-punycode-00.txt

4. Preparation of Internationalized Strings ("stringprep")
http://www.ietf.org/internet-drafts/draft-hoffman-stringprep-00.txt

and the last call will end on Feb 11th 2002, 23h59m GMT-5. There is little time left.

YA
RE: Unicode and Security: Domain Names
I want to review these documents, but since time is short, maybe someone can answer my question...

Are the actual domain names as stored in the DB going to be canonical normalized Unicode strings? It seems this would go a long way towards preventing spoofing ... no one would be allowed to register a non-canonical normalized domain name. Then, a resolver would be required to normalize any request string before the actual resolve.

So my questions are:

1 - Am I way off base here? If so, why?
2 - If not, is it already addressed in these docs?
3 - If it is not in the docs, and the request makes sense, then I will make the effort to beat the deadline, which is next Monday.

Thanks!

Barry

At 10:37 AM 2/8/2002 -0800, Yves Arrouye wrote:
>Moreover, the IDN WG documents are in final call, so if you have comments to
>make on them, now is the time. Visit http://www.i-d-n.net/ and sub-scribe
>(with a hyphen here so that listar does not interpret my post as a command!)
>to their mailing list (and read their archives) before doing so.
>
>The documents in last call are:
>
>1. Internationalizing Domain Names in Applications (IDNA)
>http://www.ietf.org/internet-drafts/draft-ietf-idn-idna-06.txt
>
>2. Stringprep Profile for Internationalized Host Names
>http://www.ietf.org/internet-drafts/draft-ietf-idn-nameprep-07.txt
>
>3. Punycode version 0.3.3
>http://www.ietf.org/internet-drafts/draft-ietf-idn-punycode-00.txt
>
>4. Preparation of Internationalized Strings ("stringprep")
>http://www.ietf.org/internet-drafts/draft-hoffman-stringprep-00.txt
>
>and the last call will end on Feb 11th 2002, 23h59m GMT-5. There is little
>time left.
>
>YA
RE: Unicode and Security: Domain Names
Moreover, the IDN WG documents are in final call, so if you have comments to make on them, now is the time. Visit http://www.i-d-n.net/ and sub-scribe (with a hyphen here so that listar does not interpret my post as a command!) to their mailing list (and read their archives) before doing so.

The documents in last call are:

1. Internationalizing Domain Names in Applications (IDNA)
http://www.ietf.org/internet-drafts/draft-ietf-idn-idna-06.txt

2. Stringprep Profile for Internationalized Host Names
http://www.ietf.org/internet-drafts/draft-ietf-idn-nameprep-07.txt

3. Punycode version 0.3.3
http://www.ietf.org/internet-drafts/draft-ietf-idn-punycode-00.txt

4. Preparation of Internationalized Strings ("stringprep")
http://www.ietf.org/internet-drafts/draft-hoffman-stringprep-00.txt

and the last call will end on Feb 11th 2002, 23h59m GMT-5. There is little time left.

YA
Re: Unicode and Security: Domain Names
In a message dated 2002-02-08 8:23:22 Pacific Standard Time, [EMAIL PROTECTED] writes:

>> Does anyone know anything about RACE encoding and its properties?
>
> I wrote an article on IDNS in December of 2000 which discusses the
> approaches which were being debated at that time, including RACE. RACE
> is briefly described in that article. You can find it at:
>
> http://www-106.ibm.com/developerworks/library/u-domains.html
>
> I tried to find an updated internet draft on RACE, but looks like
> nothing exists after version 4, which has been archived. I'm guessing
> that draft names which include the text BRACE, TRACE, and GRACE are
> probably RACE variations however. Check them out at:
> http://www.ietf.org/internet-drafts/

An ACE (ASCII-Compatible Encoding) has been chosen for IDN, and it is neither RACE nor DUDE. Its working name was AMC-ACE-Z, and it has since been renamed Punycode. (No, I don't like the name either.) A search for "punycode" in the internet-drafts directory that Suzanne mentioned will reveal the details you are looking for.

Beware that in addition to Punycode, there is another step in the IDN process called "nameprep," which is basically an extended form of normalization to keep compatibility characters, non-spacing marks, directional overrides, and such out of domain names. Converting an arbitrary string through Punycode does not necessarily make it IDN-ready.

-Doug Ewell
Fullerton, California
(address will soon change to dewell at adelphia dot net)
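
Added example, not part of Doug Ewell's or Yves Arrouye's messages: the nameprep-then-Punycode order both describe, run through Python's standard-library IDNA 2003 codec against Punycode applied on its own. The helper names and sample labels are constructed for illustration; the script check is a name-based heuristic, included to show that nameprep does not merge look-alike characters from different scripts.

```python
import unicodedata
from encodings import idna  # stdlib IDNA 2003: nameprep, then Punycode, then "xn--"

def raw_ace(label):
    """Punycode alone, with no nameprep step (not IDN-ready)."""
    return "xn--" + label.encode("punycode").decode("ascii")

def prepared_ace(label):
    """Nameprep (case folding, NFKC, prohibited-character check), then ACE."""
    return idna.ToASCII(label).decode("ascii")

def nameprep_rejects(label):
    """True if nameprep refuses the label, e.g. for a directional override."""
    try:
        idna.nameprep(label)
        return False
    except UnicodeError:
        return True

def scripts(label):
    """Heuristic: treat the first word of each character name as its script."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label}

# Constructed sample labels.
SAMPLES = {
    "precomposed": "caf\u00e9",      # e-acute as a single code point
    "decomposed": "cafe\u0301",      # e + combining acute (non-spacing mark)
    "uppercase": "B\u00fccher",
    "lowercase": "b\u00fccher",
    "fullwidth": "\uff45xample",     # compatibility character, NFKC gives "e"
    "override": "abc\u202edef",      # RIGHT-TO-LEFT OVERRIDE
    "homograph": "ex\u0430mple",     # Cyrillic a (U+0430) inside a Latin label
}

if __name__ == "__main__":
    for name, label in SAMPLES.items():
        if nameprep_rejects(label):
            print(f"{name:12} raw={raw_ace(label)}  nameprep: REJECTED")
        else:
            prepped = idna.nameprep(label)
            print(f"{name:12} raw={raw_ace(label)}  prepared={prepared_ace(label)}"
                  f"  scripts={sorted(scripts(prepped))}")
```

Labels that differ only in case, composition or width collapse to one ACE form after nameprep, while the mixed-script label stays distinct from its all-Latin look-alike, so a registry or client still needs a separate script check.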
RE: Unicode and Security: Domain Names
> -Original Message-
> From: Tom Gewecke [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 07, 2002 6:20 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Unicode and Security: Domain Names
>
>
> I note that companies like Verisign already claim to offer "domain names"
> in dozens of languages and scripts. Apparently these are converted by
> something called RACE encoding to ASCII for actual use on the internet.
>
> Does anyone know anything about RACE encoding and its properties?

I wrote an article on IDNS in December of 2000 which discusses the approaches which were being debated at that time, including RACE. RACE is briefly described in that article. You can find it at:

http://www-106.ibm.com/developerworks/library/u-domains.html

I tried to find an updated internet draft on RACE, but looks like nothing exists after version 4, which has been archived. I'm guessing that draft names which include the text BRACE, TRACE, and GRACE are probably RACE variations however. Check them out at:
http://www.ietf.org/internet-drafts/

Suzanne Topping
BizWonk Inc.
[EMAIL PROTECTED]
RE: Unicode and Security: Domain Names
It is one of the competitors for internationalized domain names. The "ACE" stands for "ASCII Compatible Encoding". The encoding which appears likely to gain overall acceptance is called DUDE and can be found here:

http://www.i-d-n.net/draft/draft-ietf-idn-dude-02.txt

There are several ACE encoding demos on the 'Net (Mark Davis has one at www.macchiato.com, I have one at www.inter-locale.com)

http://www.i-d-n.net is where you can find out about a whole zoo of Unicode transfer encoding schemes proposed for use in DNS, plus the relevant issues, of which there turn out to be a number when creating I18n domain names. The early implementers have mostly ignored these issues and the interplay between the ultimate standard and existing registrars should be interesting.

Regards,

Addison

Addison P. Phillips
Globalization Architect / Manager, Globalization Engineering
webMethods, Inc. | The Business Integration Company
432 Lakeside Drive, Sunnyvale, California, USA
+1 408.962.5487 (phone) +1 408.210.3569 (mobile)
-
Internationalization is an architecture. It is not a feature.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Gewecke
Sent: Thursday, February 07, 2002 3:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Unicode and Security: Domain Names

I note that companies like Verisign already claim to offer "domain names" in dozens of languages and scripts. Apparently these are converted by something called RACE encoding to ASCII for actual use on the internet.

Does anyone know anything about RACE encoding and its properties?
Re: Unicode and Security: Domain Names
I note that companies like Verisign already claim to offer "domain names" in dozens of languages and scripts. Apparently these are converted by something called RACE encoding to ASCII for actual use on the internet. Does anyone know anything about RACE encoding and its properties?