On Sun, Sep 17, 2017, at 19:02, Peter Saint-Andre wrote:
> First, the Nickname profile is based on the Freeform Class. As we know,
> this in itself is a dangerous move. If you want safety and security, you
> really really really need to use a profile based on the IdentifierClass.
> We have emphasized this many times and it is clearly expressed in the
> various PRECIS specs. If we need to add more warning text to 7700bis,
> I'd be happy to do that.

I think this is clear enough in the current text. The fact that comparisons may fail when I don't expect them to (and that the solution is to require multiple expensive iterations) seems like a more fundamental class of problem to me though, and not one that can be solved by better documenting it.

> So I think the scope and implications of the issue you
> have raised are much more limited than those we can directly derive from
> the Spotify story.

I agree that it's less important with the Nickname profile; an issue with a profile that was used as an authentication identifier would be much worse. The Spotify example was intended more to say "we have seen this in the real world, it's not a hypothetical problem" than it was to say "this exact thing might happen again".

> Your proposal to scrap NFKC in favor of NFC would actually make things
> worse here, because matching would be more lax. As a result, users would
> be more confused and attackers could more easily impersonate legitimate
> users. Is that what we want?

I was under the impression that NFKC was the problem, but that argument makes a lot of sense.

> But I'd argue that modifying the normalization rule of the
> Nickname profile doesn't really solve the problem, and actually makes it
> worse.

I think you're right. My apologies if I misunderstood the problem and thought that the solution was to scrap NFKC. There may be other solutions, or a deeper underlying problem (the order of operations of PRECIS itself was brought up, I think?). I don't understand the problem well enough to propose a specific solution; I just can't shake the feeling that having a single profile be non-idempotent will lead to a serious issue that we're not considering. Identifiers created with the nickname profile may not be used for authentication or authorization, but they will be seen by the users and need to be compared in the context of e.g. chat rosters, multi-user chat participant lists, etc., and developers, in general, won't read documentation carefully and are prone to taking the path of least resistance; we need to make sure the path of least resistance is secure and doesn't greatly impact performance (another pressure that will push people away from doing the right thing).

—Sam
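
The non-idempotence discussed in this message, as an added example that is not part of the original e-mail or of any PRECIS implementation. It assumes a simplified Nickname-style rule order (space handling, lowercase, then NFKC) and skips the Freeform Class validity checks; the function names and sample strings are constructed for illustration.

```python
import unicodedata

def nickname_pass(s: str) -> str:
    """One pass of the assumed rule order: spaces, case, then NFKC."""
    # Additional mapping: any Zs space becomes U+0020; leading/trailing
    # spaces are dropped and runs of spaces collapse to one.
    s = "".join(" " if unicodedata.category(c) == "Zs" else c for c in s)
    s = " ".join(part for part in s.split(" ") if part)
    # Case mapping (str.lower() approximates the profile's lowercase rule).
    s = s.lower()
    # Normalization runs last, so NFKC can emit uppercase letters or
    # spaces that the two steps above never got to see.
    return unicodedata.normalize("NFKC", s)

def stabilize(s: str, max_extra: int = 3):
    """Re-apply the pass until the output stops changing.

    Returns (stable_string, extra_passes_needed); raises if the string
    is still changing after max_extra re-applications.
    """
    prev = nickname_pass(s)
    for extra in range(max_extra + 1):
        cur = nickname_pass(prev)
        if cur == prev:
            return cur, extra
        prev = cur
    raise ValueError("nickname did not stabilize")

def naive_equal(a: str, b: str) -> bool:
    """Single-pass comparison: the path of least resistance."""
    return nickname_pass(a) == nickname_pass(b)

def stable_equal(a: str, b: str) -> bool:
    """Comparison on fixed points of the rule sequence."""
    return stabilize(a)[0] == stabilize(b)[0]

if __name__ == "__main__":
    # Constructed samples: U+2121 TELEPHONE SIGN has no lowercase mapping
    # but NFKC expands it to "TEL"; U+00A8 expands to space + U+0308.
    for sample in ["\u2121", "\u00a8x", "Foo  Bar"]:
        print(repr(sample), [nickname_pass(sample)], stabilize(sample))
    print(naive_equal("\u2121", "tel"), stable_equal("\u2121", "tel"))
```
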
