[UA-discuss] OpenSSL, was Where should IDN translation happen?
John Levine
john.levine at standcore.com
Wed Nov 14 15:34:11 UTC 2018
On Wed, 14 Nov 2018, Michael Casadevall wrote:
>> It's actually worse than that. Python's built-in IDNA support is
>> IDNA2003 which, as we saw in a recent thread, can give some fairly
>> wrong results. There is a correct idna library which is a drop-in
>> replacement but I doubt many programmers know the difference.
> Relevant link is here: https://bugs.python.org/issue17305
>
> I spent some time looking through the bug reports, and Python's internal
> implementation, but it looks like they want to keep IDNA2003 support,
> and implement IDNA2008 as 'utf48' as an encoding. I think it can be
> argued on security grounds that the default 'idna' needs to change once
> support is added, but 2003 support can be retained if necessary.
I presume you mean uts46, which is Unicode's unfortunate attempt to put
bandaids on the difference between idna2003 and idna2008. The key point
is that idna2003 is obsolete, and the stuff that 2008 removed was removed
for good reasons. For example, 2003 turned German ß into "ss" which
turned out to be a bad idea, since German people want to use ß in their
IDNs. I'd think that the right way forward is to make the idna codec do
idna2008 with a flag to turn on 2003 mode if you have some data that
depends on 2003 rules.

For the EAI OpenSSL stuff, I asked Russ Housley if he knows of work to
update crypto libraries to support 8398 and 8399.

As to what TLS software does with EAI addresses now, I expect for the most
part it just doesn't work. The RFCs to support it are new, and for most
people there's little incentive to do anything about it.

Regards,
John Levine, john.levine at standcore.com
Standcore LLC
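Added example, not part of the original message or of any project named in it: a standard-library Python check that lists hostnames for which the built-in `idna` codec (IDNA2003) yields a different ASCII name than encoding the labels without the 2003 mapping step, as happens with ß. The function names and sample hostnames are constructed for illustration, and the no-mapping path is a simplification that performs none of IDNA2008's validity checks.

```python
import unicodedata


def ascii_name_2003(name: str) -> str:
    """ASCII form from Python's built-in codec, which applies IDNA2003 nameprep."""
    return name.encode("idna").decode("ascii")


def ascii_name_unmapped(name: str) -> str:
    """ASCII form with no 2003-style mapping: NFC + lowercase, then Punycode.

    Assumption: this is a simplified stand-in for IDNA2008 encoding. It does
    no code point, bidi or contextual-rule validation.
    """
    labels = []
    for label in unicodedata.normalize("NFC", name).lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def find_divergent(names):
    """Return (name, 2003 form, unmapped form) for names whose two forms differ.

    A difference means the two rule sets would look up different domains for
    the same user-visible name.
    """
    divergent = []
    for name in names:
        old, new = ascii_name_2003(name), ascii_name_unmapped(name)
        if old != new:
            divergent.append((name, old, new))
    return divergent


# Constructed sample input: one name containing ß, two controls.
SAMPLE_NAMES = ["faß.de", "bücher.example", "example.com"]

if __name__ == "__main__":
    for name, old, new in find_divergent(SAMPLE_NAMES):
        print(f"{name}: built-in idna codec -> {old}, unmapped -> {new}")
```
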