> This is a cut out and keep e-mail that I shall still be referring to in > 10 years time because it summarises so beautifully the problems. :-) Thanks, Tom; glad to help. > Two thoughts. One is that your e-mail displayed superbly (the only > glitch being that my MUA did not differentiate the Cyrillic character) > so I looked at the encoding > > Content-Type: text/plain; charset="UTF-8" > Content-Transfer-Encoding: quoted-printable > > so that is something we got brilliantly right a long time ago. Indeed; when it's used properly -- which, as you note, it isn't always, we do have the representation mostly taken care of in email and web. Though note that bi-directional issues still come up all the time, and that's a nasty one. > My second thought is that much has been done in the IETF on security in > recent times but have we done enough to at least publicise, if not > eliminate, the scope for evil actors to exploit confusable and suchlike > characters by saying that they SHOULD NOT be used anywhere where it > matters for security - people SHOULD NOT be handed the rope with which > to hang themselves on a plate:-) - I suspect not. Security is a biggie, especially when we're looking at security interoperability -- when different systems, or different parts of the same system, answer some of these questions differently, we have a problem. This showed up recently in a way that didn't even have I18N involved: mix one email system that ignores "." in mailbox names with one that doesn't (for example, Gmail thinks that "barryleiba" and "barry.leiba" refer to the same mailbox, and Yahoo! thinks they're different mailboxes) and you have a recipe for a security exploit. I18N issues can multiply that exposure many times. And to be clear about my purpose in posting what I did: I do not want answers in this forum to the questions I raised: the point was not to do I18N design work on this list. I brought up the questions simply to show how difficult the problem can be, and how there are many aspects to it that even experts may miss. Let's not get wrapped up in showing that any particular issue has solutions. Rather, let's understand how difficult it is to "solve the problem" in general, and how hard it is to find people with enough breadth of experience to work on the big-picture issues effectively. Barry
