[cabfpub] Implementation of UTR-36 confusable text security considerations.
Rick Andrews
Rick_Andrews at symantec.com
Fri Aug 24 23:29:17 UTC 2012
Brad,
This helps, somewhat, but falls short in that it doesn't provide code for all the checks in Bruce's proposal document. And although the class contains a method to check if two strings are confusable, we're left wondering how we are to use that method. One of the strings will be a U-label in the FQDN that the subscriber is enrolling with, but what's the other string? Would we have to make that call repeatedly to check the U-label against the Alexa One Million? The domain names of all certs in our db?
-Rick
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Hill, Brad
Sent: Thursday, August 23, 2012 11:30 AM
To: public at cabforum.org
Subject: [cabfpub] Implementation of UTR-36 confusable text security considerations.
In response to questions on today's call about implementing the confusable Unicode restrictions suggested for inclusion in BR 1.1, I can suggest the International Components for Unicode library:
http://site.icu-project.org/
And, specifically, the SpoofChecker class:
http://icu-project.org/apiref/icu4j/com/ibm/icu/text/SpoofChecker.html
And uspoof.h
http://icu-project.org/apiref/icu4c/uspoof_8h.html
This doesn't forbid the Left To Right Override character, as far as I can tell from simple examination, but that's an easy check to add with a regex or character search.
Brad Hill
Ecosystem Security
PayPal Information Risk Management
cell: 206.245.7844
skype/twitter: hillbrad
email: bhill at paypal-inc.com
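As an added example, not code from either message and not the ICU project's own code, the two checks discussed in the thread in plain Python: a search of a U-label for Unicode Bidi_Control characters (U+202D LEFT-TO-RIGHT OVERRIDE and U+202E RIGHT-TO-LEFT OVERRIDE among them), and a skeleton-based confusable comparison of the kind SpoofChecker's getSkeleton enables, run against a precomputed index of reference labels rather than one pairwise areConfusable call per reference name. The confusable table is a constructed, tiny subset of the UTS #39 confusables.txt data, and the reference label list is constructed for the demonstration; a production check would load the full table (or call ICU) and index the real reference corpus.

```python
import unicodedata

# Unicode Bidi_Control characters: direction marks, embeddings, overrides
# and isolates. U+202D (LRO) and U+202E (RLO) are the ones that reorder
# rendered text; the others are listed so a policy can reject them as well.
BIDI_CONTROL = frozenset([
    0x061C, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x2066, 0x2067, 0x2068, 0x2069,
])


def find_bidi_controls(label):
    """Return [(index, codepoint, name)] for each Bidi_Control char in label."""
    return [(i, ord(ch), unicodedata.name(ch, "<unnamed>"))
            for i, ch in enumerate(label) if ord(ch) in BIDI_CONTROL]


# Constructed subset of UTS #39 confusable mappings (assumption: a handful of
# Cyrillic letters whose glyphs match Latin ones in common fonts). The real
# confusables.txt has thousands of entries; this is enough to show the method.
CONFUSABLE_TO_PROTOTYPE = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}


def skeleton(label):
    """UTS #39 style skeleton: NFD, map each char to its prototype, NFD again.
    Two labels are confusable when their skeletons compare equal."""
    nfd = unicodedata.normalize("NFD", label)
    mapped = "".join(CONFUSABLE_TO_PROTOTYPE.get(ch, ch) for ch in nfd)
    return unicodedata.normalize("NFD", mapped)


def build_skeleton_index(labels):
    """Compute skeletons once over the reference corpus: skeleton -> labels."""
    index = {}
    for lbl in labels:
        index.setdefault(skeleton(lbl), set()).add(lbl)
    return index


def confusable_matches(candidate, index):
    """Reference labels confusable with candidate (excluding candidate itself)."""
    return sorted(index.get(skeleton(candidate), set()) - {candidate})


def check_label(candidate, index):
    """Combined policy check: a list of problems, empty when the label passes."""
    problems = []
    for i, cp, name in find_bidi_controls(candidate):
        problems.append("bidi control U+%04X (%s) at index %d" % (cp, name, i))
    for other in confusable_matches(candidate, index):
        problems.append("confusable with existing label %r" % other)
    return problems


# Constructed reference corpus standing in for the Alexa list or the CA's
# own issued-certificate names; built once, reused for every enrolment.
REFERENCE_LABELS = ["paypal", "example", "google", "symantec"]
INDEX = build_skeleton_index(REFERENCE_LABELS)

if __name__ == "__main__":
    for cand in ["paypal", "p\u0430yp\u0430l", "pay\u202Epal", "newbrand"]:
        print(repr(cand), "->", check_label(cand, INDEX) or "ok")
```

The index answers the "which other string?" question in the thread the way a skeleton comparison is meant to be used: each reference label is reduced to its skeleton once, and a new U-label costs one skeleton computation plus a dictionary lookup, whatever the corpus size.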