Christian Heimes writes:

> tl;dr
> This mail is about internationalized domain names and TLS/SSL. It
> doesn't concern you if you live in ASCII-land. Me and a couple of other
> developers like to change the ssl module in a backwards-incompatible way
> to fix IDN support for TLS/SSL.

Yes please! Seriously, we *need* to fix the bug for German, and I would presume other languages that have used pure-ASCII transcodings, which I bet are in very common use in domain names. Do you have an issue # for this offhand? If not I'll just go dig it out for myself.

> In a perfect world, it would be very simple. We'd only had one IDNA
> standard. However there are multiple standards that are incompatible
> with each other.

You forgot the obligatory XKCD: https://www.xkcd.com/927. ;-)

> The German TLD .de demands IDNA-2008 with UTS#46
> compatibility mapping. The hostname 'www.straße.de' maps to
> 'www.xn--strae-oqa.de'. However in the older IDNA 2003 standard,
> 'www.straße.de' maps to 'www.strasse.de', but 'strasse.de' is a totally
> different domain!

That's a mess! I bet the domain squatters have had a field day.

> Questions:
> - Is everybody OK with breaking backwards compatibility? The risk is
> small. ASCII-only domains are not affected

That's not quite true, as your German example shows. In some Oriental renderings it is impossible to distinguish halfwidth digits from full-width ones as the same glyphs are used. (This occasionally happens with other ASCII characters, but users are more fussy about digits lining up.) That is, while technically ASCII-only domain names are not affected, users of ASCII-only domain names are potentially vulnerable to confusable names when IDNA is introduced. (Hopefully the Asian registrars are as woke as the German ones! But you could still register a .com containing full-width digits or letters.)

> and IDNA users are broken anyway.

Agree with your analysis, except for the fine point above. Japanese don't use IDNA much yet (except like the WIDE folks, who know what they're doing), so I have little experience with potential breakage. On the other hand that suggests that transitioning quickly will be helpful.

> - Should I only fix 3.7 or should we consider a backport to 3.6, too?

3.7 has a *lot* of new stuff in it. I suspect a lot of people are going to take their time moving production sites to it, so +1 on a backport. 3.5 too, if it's not too hard.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
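
The mismatch discussed in this thread can be checked per hostname. The following is an added example, not part of the original message or of the ssl module: it compares Python's built-in `idna` codec (which implements IDNA 2003) with the unmapped Punycode form of each label, and reports whether NFKC folding turns the name into a different one, as with full-width digits. The function names are hypothetical, and no IDNA 2008 validity checking or UTS#46 mapping is implemented.

```python
import unicodedata


def idna2003(hostname):
    """A-label form produced by Python's built-in 'idna' codec (IDNA 2003)."""
    return hostname.encode("idna").decode("ascii")


def alabel_unmapped(hostname):
    """Punycode every non-ASCII label exactly as given, with no mapping step.

    Assumption: for a lowercase label that is already valid under IDNA 2008
    (such as 'straße') this equals the IDNA 2008 A-label. Nothing here checks
    validity or applies UTS#46 mapping.
    """
    labels = []
    for label in hostname.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def compare(hostname):
    """Report how the two encodings and NFKC folding treat one hostname."""
    old = idna2003(hostname)
    new = alabel_unmapped(hostname)
    return {
        "idna2003": old,
        "unmapped": new,
        # True when the two encodings name different DNS hosts, so a
        # certificate or DNS lookup for one does not cover the other.
        "diverges": old != new,
        # Differs from the input when compatibility characters (for example
        # full-width digits) fold to other characters.
        "nfkc": unicodedata.normalize("NFKC", hostname),
    }


if __name__ == "__main__":
    # Constructed sample names; the last one contains U+FF11 FULLWIDTH DIGIT ONE.
    for name in ("www.straße.de", "www.example.de", "ex\uff11.com"):
        print(name, compare(name))
```

A name with `diverges` set, or whose `nfkc` value differs from the input, is worth flagging before it is used for certificate hostname matching or logged as the peer name.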