One way is to incorporate the PR-29 fix, declare the earlier attempt as buggy, and re-cycle at PROPOSED. I suspect you prefer that way? I am hesitant about that approach, because we have already deployed the old RFC and it is not clear what problems there will be in mixing the old and the new code. Both Kerberos and SASL appears to be going to use the old StringPrep as well, so we will be seeing security critical infrastructure based on the old interpretation.
Even if Stringprep is not updated to address the PRI #29 problem, we must at least let the other Stringprep profile authors know about the situation, so that they can make their own decisions for their areas. The IDN mailing list seems to be dedicated to IDNA issues (including Nameprep). Is there a Stringprep mailing list?
http://www.unicode.org/review/pr-29.html http://www.imc.org/idn/mail-archive/maillist.html
The IANA Stringprep registry has not been updated to point to the new SASLprep RFC:
http://www.iana.org/assignments/stringprep-profiles ftp://ftp.rfc-editor.org/in-notes/rfc4013.txt
I am Cc'ing the author of RFC 4013 (Kurt Zeilenga) on this email.
I am also Cc'ing the author of the expired Internet Draft of the Kerberos profile of Stringprep (Jeffrey Altman). Kurt and Jeffrey may wish to take a look at the various things I've included URIs for in this email.
http://josefsson.org/cgi-bin/rfcmarkup?url=http://josefsson.org/cgi-bin/viewcvs.cgi/*checkout*/libidn/doc/specifications/draft-ietf-krb-wg-utf8-profile-01.txt
Erik
