A while back there was some discussion of security. You could start by
checking the list archives for those threads.
> Is Unicode secure? What character standards can be
> considered secure?
What does "security" really mean for a character encoding?
In my opinion, security is related to bugs in software, not to
specifications of character encodings. No matter what character encoding
you use, you are subject to certain types of security problems in certain
environments if you don't write correct and robust programs!
The uneasiness you are experiencing at this time is manifest only because
Unicode is a relatively new character encoding and software/program
environments in which Unicode is found have not been subjected to the same
degree of scrutiny and analysis as previous environments which used, for
example, only ASCII.
> I would also like to know your opinion about the
> need to create another or an 'intermediate' standard.
There is no need to do that. The scenarios you present are related to
misinterpretations by software, not to any real problems with the
specification of Unicode itself. If you precisely specify the input that
your software will accept in secure situations where interpretation
matters, and specify what things your software will NOT accept as
substitutes, then you will not have these kinds of security problems.
There is, perhaps, a need for the security community to discuss the types
of security attacks that could be mounted against naive software that
accepts Unicode strings in secure situations.
That's my opinion.
Rick
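
One way to apply the rule in this reply (specify exactly what is accepted and what is not accepted as a substitute), as an added example that is not part of the original message. It assumes the input arrives as UTF-8 bytes and that the accepted set is a small ASCII name alphabet; `decode_strict`, `accept_name`, `RejectedInput` and `ALLOWED` are names invented for the illustration.

```python
# Added example (not from the original message): accept only a precisely
# specified input and reject every substitute form instead of repairing it.
import string

class RejectedInput(ValueError):
    """Input falls outside the specified set."""

# (lead mask, lead pattern, continuation bytes, smallest code point allowed)
_FORMS = ((0x80, 0x00, 0, 0x0), (0xE0, 0xC0, 1, 0x80),
          (0xF0, 0xE0, 2, 0x800), (0xF8, 0xF0, 3, 0x10000))

# Assumed policy for this example: the only characters a name may contain.
ALLOWED = frozenset(string.ascii_letters + string.digits + "-_.")

def decode_strict(raw: bytes) -> str:
    """Decode UTF-8, allowing exactly one byte sequence per code point."""
    out, i = [], 0
    while i < len(raw):
        lead = raw[i]
        for mask, pattern, extra, minimum in _FORMS:
            if lead & mask == pattern:
                break
        else:
            raise RejectedInput(f"invalid lead byte at offset {i}")
        tail = raw[i + 1:i + 1 + extra]
        if len(tail) != extra or any(b & 0xC0 != 0x80 for b in tail):
            raise RejectedInput(f"malformed sequence at offset {i}")
        cp = lead & ~mask & 0xFF           # payload bits of the lead byte
        for b in tail:
            cp = (cp << 6) | (b & 0x3F)
        if cp < minimum:                   # longer encoding than necessary
            raise RejectedInput(f"non-shortest form at offset {i}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise RejectedInput(f"not a Unicode scalar value at offset {i}")
        out.append(chr(cp))
        i += 1 + extra
    return "".join(out)

def accept_name(raw: bytes) -> str:
    """Return the name only if it matches the policy; never fold or map."""
    text = decode_strict(raw)
    if not text or text in (".", ".."):
        raise RejectedInput("empty or reserved name")
    bad = [c for c in text if c not in ALLOWED]
    if bad:
        raise RejectedInput(f"characters outside the accepted set: {bad!r}")
    return text
```

The decoder rejects a second byte spelling of a character the policy forbids, and the allow-list rejects look-alike characters rather than mapping them to ASCII.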
This archive was generated by hypermail 2.1.2 : Sat Feb 02 2002 - 22:08:50 EST