Issues in Identifier Comparison for Security Purposes

The information below is for an old version of the document
Document Type Expired Internet-Draft (individual)
Author Dave Thaler 
Last updated 2011-07-02
Stream Internet Architecture Board (IAB)
Expired & archived
pdf htmlized (tools) htmlized bibtex
Additional Resources
Stream IAB state (None)
Consensus Boilerplate Unknown
RFC Editor Note (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


Identifiers such as hostnames, URIs/IRIs, and email addresses are often used in security contexts to identify security principals and resources. In such contexts, an identifier supplied via some protocol is often compared against some policy to make security decisions such as whether the principal may access the resource, what level of authentication or encryption is required, etc. If the parties involved in a security decision use different algorithms to compare identifiers, then failure scenarios ranging from denial of service to elevation of privilege can result.


Dave Thaler (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)