[cabfpub] Implementation of UTR-36 confusable text security considerations.

Rick Andrews Rick_Andrews at symantec.com
Fri Aug 24 23:29:17 UTC 2012


Brad,

This helps, somewhat, but falls short in that it doesn't provide code for all the checks in Bruce's proposal document. And although the class contains a method to check if two strings are confusable, we're left wondering how we are to use that method. One of the strings will be a U-label in the FQDN that the subscriber is enrolling with, but what's the other string? Would we have to make that call repeatedly to check the U-label against the Alexa One Million? The domain names of all certs in our db?

-Rick

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Hill, Brad
Sent: Thursday, August 23, 2012 11:30 AM
To: public at cabforum.org
Subject: [cabfpub] Implementation of UTR-36 confusable text security considerations.

In response to questions on today's call about implementations about the confusable Unicode restrictions suggested for inclusion in BR 1.1, I can suggest the International Components for Unicode library:

http://site.icu-project.org/

And, specifically, the SpoofChecker class:

http://icu-project.org/apiref/icu4j/com/ibm/icu/text/SpoofChecker.html

And uspoof.h

http://icu-project.org/apiref/icu4c/uspoof_8h.html

This doesn't forbid the Left To Right Override character that I can tell from simple examination, but that's an easy check to add with a regex or character search.

Brad Hill
Ecosystem Security
PayPal Information Risk Management
cell: 206.245.7844
skype/twitter: hillbrad
email: bhill at paypal-inc.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20120824/4f465c52/attachment-0004.html>


More information about the Public mailing list