Re: [EAI] Add requirement for punycode conversions in downgrade

To: Harald Tveit Alvestrand <harald at alvestrand.no>, Ernie Dainow <edainow at ca.afilias.info>
Subject: Re: [EAI] Add requirement for punycode conversions in downgrade
From: John C Klensin <klensin at jck.com>
Date: Tue, 18 Mar 2008 12:25:05 -0400
Cc: ima at ietf.org
Delivered-to: ietfarch-ima-web-archive at core3.amsl.com
Delivered-to: ima at core3.amsl.com
In-reply-to: <47DF1C14.7080708 at alvestrand.no>
List-archive: <http://www.ietf.org/pipermail/ima>
List-help: <mailto:ima-request@ietf.org?subject=help>
List-id: "EAI \(Email Address Internationalization\)" <ima.ietf.org>
List-post: <mailto:ima@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ima>, <mailto:ima-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/ima>, <mailto:ima-request@ietf.org?subject=unsubscribe>
References: <47DE785E.3080304 at ca.afilias.info> <47DF1C14.7080708 at alvestrand.no>
Sender: ima-bounces at ietf.org

--On Tuesday, 18 March, 2008 02:34 +0100 Harald Tveit Alvestrand
<harald at alvestrand.no> wrote:

>> 3. Downgrade should do a punycode conversion instead of
>> failing because  of no Alternate Address.
>> 
>> Since attempting delivery is almost always better than
>> failing a  delivery, I would support adding a requirement to
>> do the punycode  conversion for these cases in the Downgrade
>> specification.
> For the case of non-ASCII localparts, this has been discussed 
> extensively, and version 3 has been consistently rejected by
> the WG.
> 
> I haven't seen a discussion that focused on the
> ASCII at non-ASCII situation.

It seems to me that we have a tradeoff.  As Yao points out, no
presentation of punycode to a user is user-friendly.  Punycode
encoding can also be used to disguise various types of attacks
that would be obvious if the string were presented in "native"
form -- an analogy to the use of IP addresses, rather than
domain names, in URLs might apply here.     One can say "Since
attempting delivery is almost always better than failing...",
but perhaps this is one of the exceptions in which it is better
to get the failure message back to the sender and sending MUA in
the hope of getting the punycode change made there (or some
other decision being made).

In any event, it seems to me that the case for _requiring_
punycode conversion as a downgrade method is weaker than some of
this discussion would indicate.

    john

_______________________________________________
IMA mailing list
IMA at ietf.org
https://www.ietf.org/mailman/listinfo/ima

Follow-Ups:
- Re: [EAI] Add requirement for punycode conversions in downgrade
  - From: Ernie Dainow

References:
- [EAI] Add requirement for punycode conversions in downgrade
  - From: Ernie Dainow
- Re: [EAI] Add requirement for punycode conversions in downgrade
  - From: Harald Tveit Alvestrand

Prev by Date: Re: [EAI] Add requirement for punycode conversions in downgrade
Next by Date: Re: [EAI] Add requirement for punycode conversions in downgrade
Previous by thread: Re: [EAI] Add requirement for punycode conversions in downgrade
Next by thread: Re: [EAI] Add requirement for punycode conversions in downgrade
Index(es):
- Date
- Thread

Re: [EAI] Add requirement for punycode conversions in downgrade

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.