Re: [bug-libunistring] Unicode security specifications

[Simon Josefsson]

ons 2024-01-31 klockan 16:54 +0100 skrev Bruno Haible:
> Hi Simon,
> 
> The Unicode 15.1.0 announcement [1] says:
>   "Security-related updates have been made to
>      UAX #9, Unicode Bidirectional Algorithm
>    and
>      UAX #31, Unicode Identifiers and Syntax
>    along with updates to
>      UTS #39, Unicode Security Mechanisms.
>    These updates complement the release of a new Unicode Technical
> Standard,
>      UTS #55, Unicode Source Code Handling."
> 
> Do you have a feeling on the importance of these specifications?
> Which types of applications could make use of them, and for which
> applications are they mandatory or highly recommended?

Hi.  That is a good question, and I've been trying to wrap my head
around the changes in 15.1 and their impact for IDNA.  Definitely UAX#9
is relevant, but I'm sure the others could have impact as well.  The
changelogs are useless to me for finding out what the security problems
they refer to are, and I didn't easily find a way to diff the revisions
easily.  The standards are either very low-level or high-level so it is
also difficult to extract any real practical consequences from low-
level modifications.

Btw, I am working on adding self-test that parses UTC's IdnaTestV2.txt
for libidn2 to better have confidence in any changes, and wanted to
wait if I can finish that before upgrading the included libunistring
from 15.0 to 15.1 in libidn2, to see if that change introduces any
regressions or changed behaviour.  Unfortunately, I noticed some
deviations between libidn2 and TR46 so resolving that needs to be
finished first, and it doesn't look trivial.

/Simon

> 
>       Bruno
> 
> [1]
> http://blog.unicode.org/2023/09/announcing-unicode-standard-version-151.html
> 
> 
>

signature.asc
Description: This is a digitally signed message part