-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 7/27/12 7:50 AM, Takahiro Nemoto wrote:
> 
> On 2012/07/19, at 0:12, Peter Saint-Andre wrote:
> 
>> On 7/18/12 4:24 AM, Takahiro Nemoto wrote:
>>> 
>>> On 2012/07/17, at 6:19, Peter Saint-Andre wrote:
>>> 
>>>> On 7/5/12 10:14 PM, Takahiro Nemoto wrote:

<snip/>

>>>> As to special mappings like "Map to SPACE" and "Map to
>>>> Nothing", it seems to me that in a post-stringprep system we
>>>> can handle those by more carefully defining the string
>>>> classes.
>>> 
>>> Sorry, but I don't get it. What does a post-stringprep system 
>>> mean?
>> 
>> A system that uses PRECIS.
>> 
>> Because PRECIS uses an inclusion model (only characters / code
>> points / codepoint classes that are explicitly allowed can be
>> included in a conformant string), I don't see any reason to have
>> these "mapped to space" or "mapped to nothing" rules in
>> PRECIS-based systems. For example, just allow space (U+0020) but
>> not other space characters.
> 
> "mapped to nothing" may generate zero-length strings and it may 
> cause vulnerabilities for applications.

That is a very good point!

> Therefore, I think I just want to give application developers a
> heads-up about this in the protocol or the security
> considerations. But, I don't necessarily want to define
> application-level restrictions in the protocol.

I think that is a reasonable approach. So we need to write a sentence
or two of advice to designers of application protocols that use PRECIS.

> So I would like to hear more members' comments about this.

We don't have members, we have participants. :)

Peter

- -- 
Peter Saint-Andre
https://stpeter.im/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlAYchAACgkQNL8k5A2w/vwUJQCgpfxk6ZbXquOt5pInKqf6nFbq
+p8AoJ6qODNj9rsJSkS2CfwlIg2s7vMB
=8wad
-----END PGP SIGNATURE-----
_______________________________________________
precis mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/precis
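The point Takahiro raises above (a "map to nothing" step can turn a non-empty input into a zero-length string, which the application then has to catch) and Peter's contrast with the PRECIS inclusion model (disallowed code points reject the string instead of being silently removed) can be shown side by side. The following is an added example written for this page; it is not code from the thread, from the PRECIS working group, or from any PRECIS implementation. It uses Python's standard `stringprep` module for the RFC 3454 Table B.1 "commonly mapped to nothing" set; the `inclusion_check` string class (letters, digits and U+0020 only) is a deliberately simplified, hypothetical class, not the real PRECIS IdentifierClass or FreeformClass, and `prepare_username` is a hypothetical application-level wrapper that adds the non-empty check the thread suggests advising protocol designers to require.

```python
import stringprep
import unicodedata

# The one space character the simplified inclusion class admits (Peter's example:
# allow U+0020 but not other space characters).
ALLOWED_SPACE = "\u0020"


def map_to_nothing(s: str) -> str:
    """Stringprep-style step: silently drop every code point in RFC 3454
    Table B.1 ("Commonly mapped to nothing"), e.g. U+00AD, U+200B, U+FEFF.
    Note the output can be shorter than the input, down to zero length."""
    return "".join(c for c in s if not stringprep.in_table_b1(c))


def inclusion_check(s: str) -> str:
    """PRECIS-style inclusion model (simplified, hypothetical class): every
    code point must be a letter (category L*), a digit (category N*) or
    U+0020. Anything else rejects the whole string; nothing is mapped away,
    so the returned string is always the input unchanged."""
    for i, c in enumerate(s):
        if c == ALLOWED_SPACE or unicodedata.category(c)[0] in ("L", "N"):
            continue
        raise ValueError(f"disallowed code point U+{ord(c):04X} at index {i}")
    return s


def prepare_username(raw: str, model: str) -> tuple[bool, str, str]:
    """Hypothetical application-level preparation step.

    Returns (ok, prepared, reason). Whatever model is used, the application
    still refuses a zero-length result: under the mapping model that case is
    reachable from a non-empty input, under the inclusion model it is only
    reachable from an empty input, but the check costs nothing either way."""
    if model == "stringprep":
        prepared = map_to_nothing(raw)
    elif model == "precis":
        try:
            prepared = inclusion_check(raw)
        except ValueError as err:
            return (False, "", str(err))
    else:
        raise ValueError(f"unknown model {model!r}")

    if prepared == "":
        return (False, "", "prepared string is zero-length")
    return (True, prepared, "")


if __name__ == "__main__":
    # Constructed sample inputs: a username padded with zero-width space and
    # soft hyphen, and one made entirely of "map to nothing" code points.
    for sample in ("\u200bbob\u00ad", "\u200b\ufeff", "bob smith"):
        for model in ("stringprep", "precis"):
            print(repr(sample), model, prepare_username(sample, model))
```

Running the sample loop shows the two behaviours the thread describes: `"\u200b\ufeff"` becomes the empty string under the mapping model and is caught only by the application-level zero-length check, while the inclusion model rejects the same input (and `"\u200bbob"`, which the mapping model would quietly accept as `"bob"`) with a reason naming the offending code point.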
