PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Unicode and Security
>
>
> In a message dated 2002-02-10 13:00:19 Pacific Standard Time,
> [EMAIL PROTECTED] writes:
>
> > However, I do continue to maintain that character confusion is a real
> >
In a message dated 2002-02-10 13:00:19 Pacific Standard Time,
[EMAIL PROTECTED] writes:
> However, I do continue to maintain that character confusion is a real
> security risk that will have real impact on users, and that needs to
> be considered in any system that uses Unicode.
We have alrea
Elliotte Rusty Harold scripsit:
> Another possibility is a super-normalization that does combine
> similar looking Unicode characters; e.g. in the domain name system we
> might decide that microsoft.com with Latin o's or Cyrillic o's or
> Greek o's is to resolve to the same address.
In that
lt;[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, February 09, 2002 18:28
Subject: Re: Unicode and Security
> [EMAIL PROTECTED] scripsit:
>
> > Let's keep going. Latin Y, Greek U
At 9:52 PM +0100 2/9/02, Lars Marius Garshol wrote:
>It seems to me that this problem really needs some other fix than the
>merging of all similar-looking characters in all character sets. I
>just can't see that working.
>
That's your suggestion, not mine. I have never proposed merging all
the
[EMAIL PROTECTED] scripsit:
> Let's keep going. Latin Y, Greek Upsilon, Cyrillic U. Wait a minute, that
> Cyrillic U doesn't look *quite* the same. Oh well, it's close enough, right?
And then there's the Cyrillic U with the straight descender, whic
actually does look just like its Latin and
In a message dated 2002-02-09 13:00:59 Pacific Standard Time,
[EMAIL PROTECTED] writes:
> It seems to me that this problem really needs some other fix than the
> merging of all similar-looking characters in all character sets. I
> just can't see that working.
Even the "merging" part wouldn't w
* Elliotte Rusty Harold
|
| Let's say I register microsoft.com, only the fifth letter isn't a
| lower-case Latin o. It's actually a lower case Greek omicron.
I'll grant you that this is possible, perhaps even likely, and that it
may cause problems, but I'm far from convinced that this in any way
://www.macchiato.com
- Original Message -
From: "Philipp Reichmuth" <[EMAIL PROTECTED]>
To: "Asmus Freytag" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, February 08, 2002 09:18
Subject: Re[2]: Unicode and Security
> Hello Asmus and
The recent discussions of this list about Internet domain name
spoofing through substitution of Unicode characters that have similar,
or identical, glyphs is an issue that has recently appeared in print
in a prominent journal:
@String{j-CACM = "Communications of the ACM"}
@Artic
> Are the actual domain names as stored in the DB going to be canonical
> normalized Unicode strings? It seems this would go a long way towards
> preventing spoofing ...
Names will be stored according to a normalization called Nameprep. Read the
Stringprep (general framework) and Nameprep (IDN a
Moreover, the IDN WG documents are in final call, so if you have comments to
make on them, now is the time. Visit http://www.i-d-n.net/ and subscribe to
their mailing list (and read their archives) before doing so.
The documents in last call are:
1. Internationalizing Domain Names in Application
I want to review these documents, but since time is short, maybe someone
can answer my question...
Are the actual domain names as stored in the DB going to be canonical
normalized Unicode strings? It seems this would go a long way towards
preventing spoofing ... no one would be allowed to regi
Moreover, the IDN WG documents are in final call, so if you have comments to
make on them, now is the time. Visit http://www.i-d-n.net/ and sub-scribe
(with a hyphen here so that listar does not interpret my post as a command!)
to their mailing list (and read their archives) before doing so.
The
At 06:18 PM 2/8/02 +0100, Philipp Reichmuth wrote:
>Oh, it is very well possible to design a character set that supports
>all of Latin, Cyrillic and Greek without being susceptible to this
>problem beyond the familiar 1-l-|, 0-O dimension. The main premise is
>to encode glyphs instead of character
>At 15:53 -0500 2002-02-07, Elliotte Rusty Harold wrote:
>>For text files, probably not. But for the domain name system the world
>>very well might. Indeed, maybe it should unless this problem can be dealt
>>with. I suspect it can be dealt with by prohibiting script mixing in
>>domain names (e
Hello Asmus and others,
>>I'm not sure Unicode can be fixed at this point. The flaws may be
>>too deeply embedded. The real solution may involve waiting until
>>companies and people start losing significant amounts of money as a
>>result of the flaws in Unicode, and then throwing it away and
>>
Hi Elliotte and others,
ERH> Does anybody really need mixed Latin and Greek domain names?
This is the wrong approach altogether. If we want to be universal, we
can't exclude cases on a heuristic basis of "no one is probably going
to need this".
BTW People will certainly want mixed Han and Latin
In a message dated 2002-02-08 8:23:22 Pacific Standard Time,
[EMAIL PROTECTED] writes:
>> Does anyone know anything about RACE encoding and its properties?
>
> I wrote an article on IDNS in December of 2000 which discusses the
> approaches which were being debated at that time, including RACE. R
> -Original Message-
> From: Tom Gewecke [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 07, 2002 6:20 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Unicode and Security: Domain Names
>
>
> I note that companies like Verisign already claim to offer
> &q
At 11:30 AM + 2/8/02, Michael Everson wrote:
>Certainly. Some years ago the European Court upheld the right of a
>Belgian man whose father was Belgian and mother was Greek to spell
>his hyphenated last name in both scripts. Why should he not be
>allowed to register a domain based on his ow
At 15:53 -0500 2002-02-07, Elliotte Rusty Harold wrote:
>For text files, probably not. But for the domain name system the
>world very well might. Indeed, maybe it should unless this problem
>can be dealt with. I suspect it can be dealt with by prohibiting
>script mixing in domain names (e.g. ea
At 17:42 -0500 2002-02-07, John Cowan wrote:
>>The only widely-deployed alternative approach I know of is
>>ETSI GSM 03.38 (used in mobile telephony),
>
>A truly bizarre character set: it supports English, French,
>mainland Scandinavian languages, Italian, Spanish with Graves, and
>GREEK SHOUTIN
Elliotte Rusty Harold wrote:
> The problem is that all of these or any other client-based solution you
> come up with is only going to be implemented in some clients. Many, and
> at least initially most, users are not going to have any such
> protections. This needs to be cut off at the protoc
[EMAIL PROTECTED] observed:
> Analogously, people will keep opening executable attachments promising sex,
> regardless of whether the 's', 'e', and 'x' are Latin letters or not.
They're not, of course: U+0455 U+0435 U+0445
-Doug Ewell
Fullerton, California
(address will soon change to dewell
Elliotte Rusty Harold wrote:
> For past protocols like HTTP and URLs, we can plead ignorance and
> lack of imagination. We never knew how bad things were going to get.
> Now we do. We no longer have any excuses for knowingly designing
> systems that are open to spoofing, denial of service, or
At 10:21 AM 2/7/02, Elliotte Rusty Harold wrote:
>I don't like that solution, but not liking it doesn't mean it ain't gonna
>happen as soon as Exxon loses a few billion dollars because somebody
>spoofed them and thereby gained access to their bidding plans for oil leases.
Enron lost a few billi
At 5:12 PM -0800 2/7/02, Barry Caplan wrote:
On what basis can "Elliotte" know that a message purported to be from
"Barry Caplan" actually is from "Barry Caplan", or that there even is
a "Barry Caplan"? The person writing this, who claims to be "Barry
Caplan", has never met anyone named "Ellio
At 4:31 PM -0500 2/7/02, James E. Agenbroad wrote:
> Thursday, February 7, 2002
>Would making the about to be misled respondent type the address of the
>intended person (with a roman 'o', not a greek omicron) and then having
>the system see if they matc
Title: Message
What makes me
think you exist, anyway? ;^)
- rick (or so
I say)
-Original Message-From: Barry Caplan
[mailto:[EMAIL PROTECTED]] Sent: Thursday, 7 February 2002
17:13To: Unicode ListSubject: Re: Unicode and
SecurityAt 04:17 AM 2/8/2002 +0330, Roozbeh Pour
At 04:17 AM 2/8/2002 +0330, Roozbeh Pournader wrote:
On Thu, 7 Feb 2002, Elliotte Rusty
Harold wrote:
> Trust is a human question decided by human beings, not a boolean
answer
> that comes out of a computer algorithm. I can trust that the message
I'm
> replying to came from a person named "Barry C
On Thu, 7 Feb 2002, Elliotte Rusty Harold wrote:
> Trust is a human question decided by human beings, not a boolean answer
> that comes out of a computer algorithm. I can trust that the message I'm
> replying to came from a person named "Barry Caplan" even if I have no
> proof of that whatsoever.
At 01:21 PM 2/7/02 -0500, Elliotte Rusty Harold wrote:
>I'm not sure Unicode can be fixed at this point. The flaws may be too
>deeply embedded. The real solution may involve waiting until companies and
>people start losing significant amounts of money as a result of the flaws
>in Unicode, and
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Tom Gewecke
Sent: Thursday, February 07, 2002 3:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Unicode and Security: Domain Names
I note that companies like Verisign already claim to offer "domain names"
in dozens of languages and scrip
I note that companies like Verisign already claim to offer "domain names"
in dozens of languages and scripts. Apparently these are converted by
something called RACE encoding to ASCII for actual use on the internet.
Does anyone know anything about RACE encoding and its properties?
Kenneth Whistler wrote:
> The only widely-deployed alternative approach I know of is
> ETSI GSM 03.38 (used in mobile telephony),
A truly bizarre character set: it supports English, French,
mainland Scandinavian languages, Italian, Spanish with Graves, and
GREEK SHOUTING.
--
John Cowan <[EM
At 02:42 PM 2/7/2002 -0500, Elliotte Rusty Harold wrote:
>At 11:34 AM -0800 2/7/02, Asmus Freytag wrote:
>
>>But, as the discussion shows, spoofing on the word level (.com
>>for .gov) is alive and well, and supported by any character set
>>whatsoever. For that reason, it seems to promise little ga
I think this is probably beginning to get off-topic, but
At 12:45 2/7/2002, Elliotte Rusty Harold wrote:
>>1. The software industry has already devised mechanisms to protect
>>against e-mail forgery, e.g. private-public key encryption.
>
>And nobody uses them because they're too complex.
I thi
At 11:42 2/7/2002, Elliotte Rusty Harold wrote:
>Burglary at the broken window level is alive and well. Therefore there's
>little point to putting locks on doors.
>
>I hope the fallacy of the above is obvious, but when translated into the
>computer security domain it's all too common a rational
Thursday, February 7, 2002
Would making the about to be misled respondent type the address of the
intended person (with a roman 'o', not a greek omicron) and then having
the system see if they match detect and thwart such tricks? The
respondent is alre
Elliotte Rusty Harold wrote:
> Interesting tidbit: app1e.com (not APPLE.COM but APP1E.COM) is in
> fact already registered. This attack may not be as theoretical as I
> initially thought.
And a0l.com. (It even has a website: www.a0l.com.) [Which, incidentally,
induces a security hazard, by att
At 12:28 PM -0800 2/7/02, John Hudson wrote:
>1. The software industry has already devised mechanisms to protect
>against e-mail forgery, e.g. private-public key encryption.
>
And nobody uses them because they're too complex.
>2. What you describe is criminal fraud and there are laws to protec
At 10:21 2/7/2002, Elliotte Rusty Harold wrote:
>I'm not sure Unicode can be fixed at this point. The flaws may be too
>deeply embedded.
What flaws? The fact that glyphs in different scripts may be similar or
identical in some typefaces, and misrepresentation is possible because
Unicode separ
On Thu, Feb 07, 2002 at 01:21:29PM -0500, Elliotte Rusty Harold wrote:
> I'm not sure Unicode can be fixed at this point. The flaws may be too
> deeply embedded. The real solution may involve waiting until
> companies and people start losing significant amounts of money as a
> result of the fla
At 11:34 AM -0800 2/7/02, Asmus Freytag wrote:
>But, as the discussion shows, spoofing on the word level (.com
>for .gov) is alive and well, and supported by any character set
>whatsoever. For that reason, it seems to promise little gain to
>try to chase the holy grail of a multilingual character
At 10:16 AM -0800 2/7/02, Barry Caplan wrote:
>This is precisely the problem digital signing is meant to solve.
>Signing means that Alice has encrypted the message with her private
>key before sending to Bob. Bob then unencrypts the message using
>Alice's public key. If the message does not un
>>At 12:22 PM 2/7/2002 -0500, Elliotte Rusty Harold wrote:
>>In other words, it's not our fault. Blame the client software. Sounds
>>distressingly like the Unicode Consortium's approach to these issues.
>>Interestingly, my attack works with a single character representation
>>(Unicode).
Subst
At 11:53 AM 2/7/02 -0600, David Starner wrote:
>a superset of a number of preexisting character sets, so that it was
>possible for those users to move to Unicode without problems. Since
>important preexisting character sets seperated Greek, Cyrillic and Latin
>scripts, Unicode had to. Had Unicode
At 12:22 -0500 2002-02-07, Elliotte Rusty Harold wrote:
>
>For the sake of argument, let's call the company they work at
>Microsoft, but this attack could hit most companies with a .com
>address. Let's say I register microsoft.com, only the fifth letter
>isn't a lower-case Latin o. It's actuall
> I'm not sure Unicode can be fixed at this point. The flaws may be too
> deeply embedded. The real solution may involve waiting until
> companies and people start losing significant amounts of money as a
> result of the flaws in Unicode, and then throwing it away and
> replacing it with somet
>On Thu, Feb 07, 2002 at 10:34:20AM -0500, Elliotte Rusty Harold wrote:
>Unicode is a character encoding, not a glyph encoding. Furthermore, it's
>a superset of a number of preexisting character sets, so that it was
>possible for those users to move to Unicode without problems. Since
>important
On Thu, Feb 07, 2002 at 12:22:18PM -0500, Elliotte Rusty Harold wrote:
> Interestingly, my attack works with a single character representation
> (Unicode). It is not dependent on multiple charsets.
It also works with EUC-JP (and other Japanese charsets), all 8-bit
Russian representations, all 8
At 12:22 PM 2/7/2002 -0500, Elliotte Rusty Harold wrote:
>I've been thinking about security issues in Unicode, and I've come up with
>one that's quite scary and worse than any I've heard before. It uses only
>plaintext, no fonts involved, doesn't require buggy software, and works
>over e-mail i
On Thu, Feb 07, 2002 at 10:34:20AM -0500, Elliotte Rusty Harold wrote:
> Security and spoofing are very real issues that were never, as far as
> I know, even considered in the design of Unicode.
Unicode is a character encoding, not a glyph encoding. Furthermore, it's
a superset of a number of p
I've been thinking about security issues in Unicode, and I've come up
with one that's quite scary and worse than any I've heard before. It
uses only plaintext, no fonts involved, doesn't require buggy
software, and works over e-mail instead of the Web. All it requires
added to the existing inf
* Elliotte Rusty Harold
|
| Security and spoofing are very real issues that were never, as far
| as I know, even considered in the design of Unicode. It's unclear
| whether or not the problem can be fixed now. The Unicode community
| has been in serious denial about this for some time. That othe
At 11:54 AM -0700 2/6/02, John H. Jenkins wrote:
>Right, but right now is that people are typing things like www.whitehouse.
>com instead of www.whitehouse.gov (or, for that matter,
>www.unicode.com). How likely is it that someone will accidentally
>type www.s?mple.com instead of www.sample.c
John Hudson wrote:
> I can make an OpenType font for that uses contextual substitution to
> replace the phrase 'The licensee also agrees to pay the type designer
> $10,000 every time he uses the lowercase e' with a series of invisible
> non-spacing glyphs. Of course, the backing store will contai
Gaspar Sinai wrote:
> I am thinking about electronically signed Unicode text documents
> that are rendered correctly or believeed to be rendered correctly,
> still they look different, seem to contain additional or do not
> seem to contain some text when viewed with different viewers due
> to som
I (Marco Cimarosti) wrote:
> Even the John Cowan's example becomes perfectly unambiguous,
> if the bidi embedding levels are retained:
>
> Case 1:
> From visual order: the Arabs = BARA-LA
> And bidi levels:222
> Get logical order: the Arabs = A
Otto Stolz wrote:
> Gaspar Sinai wrote:
> > Just because some companies who have influence on Unicode
> > Consortium use some algorithm, like backing store and re-mapping,
> > it does not mean that this is the only way. [...]
> > Yudit does convert the input to view order and back.
>
> Now, this
At 11:54 AM 2/6/2002 -0700, John H. Jenkins wrote:
>The original focus was on digital signatures, and I still don't get the
>objection. Because I don't know *precisely* what bytes Microsoft Word or
>Adobe Acrobat use, do I refuse to sign documents they create? Is that the
>idea? I mean, good
On Wed, Feb 06, 2002 at 07:12:19PM +0100, Lars Kristan wrote:
> Well, I was tempted to join the discussion for a while now, but one of the
> things that stopped me was that I didn't quite understand why it was so
> focused on the bidi stuff.
Because it can have a dramatic effect, whereas changing
> Well, nothing wrong with Unicode of course. Just means that there will
> need
> to be an option in your browser to reject any site without a digital
> certificate, and perhaps it will need to be turned on by default. So,
Nothing prevents sites running frauds to get a certificate matching their
---
> From: John Hudson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 06, 2002 01:54
> To: Unicode List
> Subject: Re: Unicode and Security
>
>
> At 09:39 2/5/2002, John H. Jenkins wrote:
>
> >Y'know, I must confess to not following this thread at all.
&g
On Wednesday, February 6, 2002, at 11:12 AM, Lars Kristan wrote:
> Maybe digitally signed messages and bank accounts are not that good of an
> example, since people would be more careful there. Another case where this
> may get exploited will be domain names, once Unicode is allowed there.
> Whi
At 09:39 2/5/2002, John H. Jenkins wrote:
>Y'know, I must confess to not following this thread at all. Yes, it is
>impossible to tell from the glyphs on the screen what sequence of Unicode
>characters was used to generate them. Just *how*, exactly, is this a
>security problem?
I was wonder
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I don't see why pick on bidi. Unicode rendering is not reversible in
Latin too - from the rendering you cannot and should not be able to
tell whether a character was decomposed or precomposed.
Looking at some text, you would not be able to tell whe
Y'know, I must confess to not following this thread at all. Yes, it is
impossible to tell from the glyphs on the screen what sequence of Unicode
characters was used to generate them. Just *how*, exactly, is this a
security problem?
==
John H. Jenkins
[EMAIL PROTECTED]
[EMAIL PROTECT
Gaspar Sinai has a valid point insofar as there is a possible
ambiguity in bidi text. However, he is absolutely wrong in
blaming the Unicode bidi algorithm for this problem.
Gaspar Sinai had written:
> change products or to change the standard and use
> a reversable bidi.
and later:
> Hold on
.macchiato.com
- Original Message -
From:
Moe Elzubeir
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, February 04, 2002
09:34
Subject: Re: Unicode and Security
Hello,
Before you call this thread a waste of time, and out of curiosity.. what
At 13:27 +0900 2002-02-05, Gaspar Sinai wrote:
>Just because some companies who have influence on Unicode
>Consortium use some algorithm, like backing store and re-mapping,
>it does not mean that this is the only way. And I don't even
>think they do in cases when character conversion is necess
On Tue, Feb 05, 2002 at 01:27:49PM +0900, Gaspar Sinai wrote:
> Talking about characters: I think bi-di should not be in
> Unicode Standard because it is not a character.
> It is an algorithm.
Why would that fix the problem? Then everyone would just choose their
own algorithim, and instead of a
From: "Gaspar Sinai" <[EMAIL PROTECTED]>
> If the standard wants me to confuse the user, I would
> rather dump the standard than comply.
Well, don't let the door hit you in the a** on the way out?
Te users will be less confused than you realize -- only people who walk in
with agendas see the fl
On Mon, 4 Feb 2002, Mark Leisher wrote:
[...cut some stuff to save room...]
> I don't understand your reasoning. Applying the bidi algorithm or a
> higher-level protocol does not change the backing store. Applying the bidi
> algorithm is essentially a one-way transformation, but the original
>
Gaspar wrote:
> > The BIDI algorithm is not reversible, and could not be made reversible
> > without eliminating features that are important to the bidi community.
> > This was considered at the time the bidi algorithm was developed.
>
> Hold on there! You admit that unicode alrgorithm is *reall
>No Real World document is going to make sense read both ways.
>It will make sense one way, thus: "BARA-LA AW MALSI-AL mean
>the Arabs and Islam respectively". The other order will make
>no sense at all.
Good style might say to put in a line break so you know what's going on.
I don't know if th
>> This thread is a waste of time.
Gaspar> If unicode bi-di algorithm was reversable none of this would
Gaspar> happen. Software developers, who are flash and blood people, would
Gaspar> be able to do a clean room implementation of the algorithm and the
Gaspar> reverse of it.
Gaspar Sinai scripsit:
> Hold on there! You admit that unicode alrgorithm is *really*
> not reversable? I was just bluffing because I just saw that their
> is no reverse algorithm published in the standard!
It can't be reversable, as my little English = CIBARA demonstration
showed. The only way
On Mon, 4 Feb 2002, Mark Davis wrote:
> > >Outlook Express, at least the version you are using, has a bug;
>
> This is not a bug; it is specifically cited in the Bidirectional
> Conformance section of Chapter 3 as one of the ways a higher-level
> protocol can override the BIDI algorithm. I otherw
Hello,
Before you call this thread a waste of time, and out of curiosity.. what
were the considerations put forth which determined the way the
bidi
algorithm is (uax#9). Ie. what were the pros and cons of a reversible
bidi?
Also, who make up the 'bidi community'? The users or the develo
Gaspar Sinai...
Pursuing this kind of trivia hunt for "bugs" in an environment employing
Unicode is not any different than prusuing the same kind of bugs in any
other environment.
It is within the purview of the security community to find such bugs
before hackers find them.
But those bugs
AIL PROTECTED]>
To: "John Cowan" <[EMAIL PROTECTED]>
Cc: "Asmus Freytag" <[EMAIL PROTECTED]>; "Unicode List"
<[EMAIL PROTECTED]>
Sent: Monday, February 04, 2002 05:34
Subject: Re: Unicode and Security
> On Mon, 4 Feb 2002, John Cowan wrote:
> &g
On Mon, 4 Feb 2002, John Cowan wrote:
> Gaspar Sinai scripsit:
> > Now the exact same file is viewed with two different viewers
> > at the bottom of this page:
> >
> > http://www.yudit.org/security/
>
> Outlook Express, at least the version you are using, has a bug;
> it is failing to set the o
On 04-02-2002 11:15:25 John Cowan wrote:
>Outlook Express, at least the version you are using, has a bug;
>it is failing to set the overall directionality to RTL even
>though the first character is strongly RTL. The fact that
>some implementations are buggy is hardly an argument against
>either
Gaspar Sinai scripsit:
> So common language is screenshots... Ok. I updated the page.
Thank you.
> Now the exact same file is viewed with two different viewers
> at the bottom of this page:
>
> http://www.yudit.org/security/
Outlook Express, at least the version you are using, has a bug;
i
On Mon, Feb 04, 2002 at 02:25:05PM +0900, Gaspar Sinai wrote:
> And the bottom line is: I don't really care if
> Unicode will admit that this is a problem. If
> my reasoning (not my screenshots) convince
> *some* people not to sign electronically unicode
> text I think I did those guys good - and
On Sun, 3 Feb 2002, John Cowan wrote:
> Gaspar Sinai scripsit:
>
> > So it is perfectly ok? I can make a non-ebedded example too.
> > I do not have time to make childish examples and screenshots
> > to get through my point. I have a job to do and text processing
> > is just my hobby.
>
> Mine t
Gaspar Sinai scripsit:
> So it is perfectly ok? I can make a non-ebedded example too.
> I do not have time to make childish examples and screenshots
> to get through my point. I have a job to do and text processing
> is just my hobby.
Mine too, but it's difficult to understand the merits of an
Gaspar Sinai scripsit:
> The following page contains my view of Unicode
> BIDI algorithm (with screenshots).
>
> http://www.yudit.org/security/
Oooo-kay. This is not a Unicode problem per se: it is about
embedded text vs. text that is not embedded. The Yudit and
IE versions are displaying a t
On Sun, 3 Feb 2002, John Cowan wrote:
> Gaspar Sinai scripsit:
>
> > The following page contains my view of Unicode
> > BIDI algorithm (with screenshots).
> >
> > http://www.yudit.org/security/
>
> Oooo-kay. This is not a Unicode problem per se: it is about
> embedded text vs. text that is not e
On Sun, 3 Feb 2002, Asmus Freytag wrote:
> The bidi algorithm is anything but vague. Any
> implementation can be rigorously tested against two
> reference implementations, to ensure fully compatible
> implementation.
Sorry buys to be this short this time but
I kicked life to my Windows laptop and
At 02:15 PM 2/3/2002 +0900, you wrote:
On Sat, 2 Feb 2002, David Starner
wrote:
[...several lines cut to save room...]
> I think I'm missing your perspective. To me, these are minor quirks.
Why
> do you see them as huge problems?
I am thinking about electronically signed Unicode text documents
tha
At 11:41 AM 2/3/02 +0900, Gaspar Sinai wrote:
>Unicode and Security
>
>I would like to start a series of discussion about
>the security aspects of Unicode.
At the outset, before we can have a discussion, we
would need to define what the meaning of 'security'
is.
Some see
On Sun, Feb 03, 2002 at 02:15:51PM +0900, Gaspar Sinai wrote:
> I am thinking about electronically signed Unicode text documents
> that are rendered correctly or believeed to be rendered correctly,
> still they look different, seem to contain additional or do not
> seem to contain some text when v
On Sat, 2 Feb 2002, David Starner wrote:
[...several lines cut to save room...]
> I think I'm missing your perspective. To me, these are minor quirks. Why
> do you see them as huge problems?
I am thinking about electronically signed Unicode text documents
that are rendered correctly or believeed
On Sun, Feb 03, 2002 at 11:41:11AM +0900, Gaspar Sinai wrote:
> I had the following problems where unicode could not
> be used because of security issues. In all cases
> the signer of a document can be lured into
> believing that the wording of the document he/she
> is about to sign is different.
A while back there was some discussion of security. You could start by
checking the list archies for those threads.
> Is Unicode secure? What character standards can be
> considered secure?
What does "security" really mean for a character encoding?
In my opinion, security is related to bugs i
Unicode and Security
I would like to start a series of discussion about
the security aspects of Unicode.
I would also like to know your opinion about the
need to create another or an 'intermediate' standard.
I have a lot of issues in my mind - Security is
the top one.
With the intro
99 matches
Mail list logo
