Issues in Identifier Comparison for Security Purposes
|The information below is for an old version of the document|
|Document||Type||Expired Internet-Draft (individual)|
|Intended RFC status||(None)|
Expired & archivedplain text pdf html bibtex
|RFC Editor Note||(None)|
Identifiers such as hostnames, URIs/IRIs, and email addresses are often used in security contexts to identify security principals and resources. In such contexts, an identifier supplied via some protocol is often compared against some policy to make security decisions such as whether the principal may access the resource, what level of authentication or encryption is required, etc. If the parties involved in a security decision use different algorithms to compare identifiers, then failure scenarios ranging from denial of service to elevation of privilege can result.
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)