[UA-discuss] Where should IDN translation happen?

Dmitry Belyavsky beldmit at gmail.com
Wed Nov 14 08:16:13 UTC 2018


Dear Michael,
On Tue, Nov 13, 2018 at 10:24 PM Michael Casadevall <michael at casadevall.pro>
wrote:

> So, here is a question for the list: Where in the stack should IDN/EAI
> translation happen? Should it happen in the user application, or lower
> in the stack such as the core libraries that handle things like TLS
> connections?
>
...

>
> This leads library makers and applications to handle IDNs manually,
> which in the case of Python, if they made a mistake can lead to the
> above error, namely blowing up Python. Now, in practice, OpenSSL not
> directly supporting IDNs seems to have relatively little effect on its
> own. After taking a very deep dive through the RFCs, it appears that in
> all relevant places, everything relating to web TLS certificates takes
> EAI5Address encoding and thus requires punycode representation. However,
> as I’ve just shown, there are obviously places where things have fallen
> through the cracks and I think it warrants a deeper investigation.
>

I think that an error in IDN processing in OpenSSL itself can cause a lot of
bad consequences, worse than errors in any application using OpenSSL.
So I understand the position of the OpenSSL team when they do not want to
implement such support there.


> The thing is though, and just to reiterate the question, just where in
> the stack should IDN translation happen?
>
> In the above case, had OpenSSL supported IDNs directly, it would have
> prevented this bug in the first place. That being said, since TLS
> essentially only uses A-labels as far as I can tell, I can’t necessarily
> say it’s wrong that OpenSSL doesn’t support IDNs.  I think, though, this
> is an area which, in general, that needs more attention, especially if I
> can break a popular programming language with a trivial example.
>
> Thoughts and comments welcome,
> Michael
>
>
> * - there is one special case for wildcards
>
In my (rather limited) practice I usually use A-labels for internal
representation and U-labels (or both) for external. Script languages, such as
Python, Perl, PHP etc. usually provide wrappers for IDN converters, so it's
much simpler to do this conversion outside, in applications.

-- 
SY, Dmitry Belyavsky
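As an added illustration of the practice described above (A-labels as the internal and on-the-wire form, U-labels only at the edge for display), and not code from this thread or from any project mentioned in it, the Python helper below normalises a host name to A-labels before it would reach the TLS layer, converts back for display, and matches a certificate dNSName in A-label space. It assumes the standard-library `idna` codec (IDNA2003); the third-party `idna` package (IDNA2008) is the usual drop-in with the same calling pattern, and the sample host names are constructed.

```python
# Added example (not from the UA-discuss thread): keep host names as A-labels
# internally, hand only A-labels to the TLS layer, and convert to U-labels for
# display. Assumes the stdlib 'idna' codec (IDNA2003); the third-party 'idna'
# package (IDNA2008) is the production drop-in with the same call pattern.
from typing import List


def to_alabel(hostname: str) -> str:
    """Normalise a host name (U-labels, A-labels or a mix) to lower-case A-labels.

    A trailing dot is dropped. Labels already carrying the 'xn--' prefix are
    passed through untouched, so the function is idempotent.
    """
    out: List[str] = []
    for label in hostname.rstrip(".").split("."):
        if not label:
            raise ValueError("empty label in host name %r" % hostname)
        if label.lower().startswith("xn--"):
            out.append(label.lower())
        else:
            out.append(label.encode("idna").decode("ascii").lower())
    return ".".join(out)


def to_ulabel(hostname: str) -> str:
    """Convert an A-label host name back to U-labels, for logs and UI only."""
    alabel = to_alabel(hostname)
    return ".".join(lbl.encode("ascii").decode("idna") for lbl in alabel.split("."))


def match_dnsname(hostname: str, san_dnsname: str) -> bool:
    """Match a requested host name against a certificate dNSName.

    Both sides are compared in A-label space, which is what certificates carry.
    A wildcard is accepted only as the entire leftmost label, matches exactly
    one label, and never matches a bare two-label name such as '*.example'.
    """
    host = to_alabel(hostname).split(".")
    pattern = to_alabel(san_dnsname).split(".")
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        return len(host) >= 3 and host[1:] == pattern[1:]
    return host == pattern


if __name__ == "__main__":
    # Constructed values: a U-label name as a user might type it, and the
    # dNSName as it would appear in a certificate's subjectAltName.
    typed = "Bücher.Example."
    san = "xn--bcher-kva.example"
    wire = to_alabel(typed)                     # form handed to SNI / server_hostname
    print("wire form:", wire)                   # xn--bcher-kva.example
    print("display form:", to_ulabel(wire))     # bücher.example
    print("matches SAN:", match_dnsname(typed, san))  # True
```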