On Sat, 2 Jun 2018, Brian E Carpenter wrote:
> If a dark art is one that involves combinatorial degrees of complexity mixed with human perception, judgment and emotion, then I fear that I18N *is* a dark art. We can perhaps manage such complexity by limiting the scope of what we try to do in our protocols, but I for one would very much appreciate having an I18N directorate reviewing everything.
Thanks, that was what I was trying to get at. It would be great if more people learned about I18n issues, but I worry about expertise at the level of security experts telling people to memorize all their passwords and change them every month.
"Confusables", different characters that look exactly or approximately the same, are a good example. I used to think that one could make sets of confusable characters and avoid security problems by disallowing strings that differed only in confusables. Unfortunately, what is confusable is highly context dependent. For example, an Arabic digit 5 looks a lot like a lower case letter o, so depending on who and where you are, you might think it looks like o or 0, or you might think it looks like 5, or you might think it looks like both. I didn't realize that until I talked to native Arabic speakers and tried to read speed limit signs in Abu Dhabi. Don't get me started on composable emoji and skin tones.
I'm not saying it's hopeless, but we need to be careful about assuming that some knowledge always leads to better analyses than none. Remember all those passwords they force you to change every month.
Regards,
John Levine, johnl@xxxxxxxxx, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
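The context-dependence point above, as an added example that is not part of the thread: a skeleton-based confusable check with two constructed reader tables (not Unicode TR39 data) for the Arabic-Indic digit five, showing that whichever reading you pick you miss the other, and that taking the union makes "5" and "o" confusable with each other.

```python
import unicodedata

# Constructed confusable tables (an assumption for illustration, not Unicode
# TR39 data). Each maps a character to the skeleton character it folds to.
LATIN_READER = {
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "0": "o",       # DIGIT ZERO
    "\u0665": "o",  # ARABIC-INDIC DIGIT FIVE, read as a round letter
}
ARABIC_READER = {
    "\u043e": "o",
    "0": "o",
    "\u0665": "5",  # the same glyph, read as the digit five
}


def fold(ch: str, table: dict) -> str:
    """Follow the table until the character no longer changes."""
    for _ in range(len(table) + 1):  # bounded walk, protects against cycles
        nxt = table.get(ch, ch)
        if nxt == ch:
            return ch
        ch = nxt
    return ch


def skeleton(s: str, table: dict) -> str:
    """Fold s to its skeleton under a confusable table.

    NFKC first, so fullwidth and other compatibility forms do not bypass the
    per-character table.
    """
    return "".join(fold(ch, table) for ch in unicodedata.normalize("NFKC", s))


def confusable(a: str, b: str, table: dict) -> bool:
    """True when a and b differ only in characters the table folds together."""
    return skeleton(a, table) == skeleton(b, table)


def merge_tables(*tables: dict) -> dict:
    """Union of several readings. Folding onto one shared target is what makes
    the union transitive, so once U+0665 folds to both 'o' and '5', the plain
    characters 'o' and '5' become confusable with each other (over-merging)."""
    merged: dict = {}
    for table in tables:
        for ch, target in table.items():
            if ch in merged and merged[ch] != target:
                merged[target] = merged[ch]  # conflicting reading: chain it
            else:
                merged.setdefault(ch, target)
    return merged
```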