You didn't seem to respond to the comments of your page on the earlier thread. If you're going to take such an extreme stance as "Unicode text is inherently unsecure", you need to defend it. So, my own impressions:

On Fri, Feb 15, 2002 at 10:16:39AM +0900, Gaspar Sinai wrote:
> I mostly recovered my shock :) Most people pointed out that the
> real juice on my security page was the second example.
>
> http://www.yudit.org/security/
> "At yudit.org, we maintain the view that Unicode text is inherently
> unsecure, until the current bi-directional algorithm defined by the
> Unicode Consortium is changed to be reversible. There should be an
> algorithm defined that converts logical order to view order, and there
> should be a separate algorithm defined that converts view order to
> logical order. If such algorithm-pair existed we could also run sanity
> check on our rendering software.
>
> At yudit.org we will not sign digitally a Unicode document while this
> possibility exists."

Mind elaborating on this logic? Since there's an off chance that text might be seen incorrectly in a few languages (and if this happens, there's an off chance in a few extremely contrived cases that it might make a sentence with a different meaning), you'll never sign messages in any language at any time?

Signing text doesn't say "you will interpret this message as I intend", it just makes sure it doesn't get tampered with in transit and verifies who the message is from. It's not the signature's job to make sure it's rendered, read or interpreted correctly.

Assuming that this *is* a real security problem, not signing messages doesn't help anything; it just reduces security further. I can hardly see what this has to do with signatures at all.

Also, regardless of the severity of this problem, Unicode text is not *inherently* insecure; that implies it's fundamentally flawed and can't be fixed. I don't think that's what you mean.

The rest of the page is useful as an example of the problem; whether or not it's a serious issue is debatable, but it's clearly something people should know about.

--
Glenn Maynard
--
Linux-UTF8: i18n of Linux on all levels
Archive: http://mail.nl.linux.org/linux-utf8/
