Open dstadulis opened 11 months ago
Crypt-iQ
commented
11 months ago Using only an asset's name is fragile imo because it's hard to tell the difference between some ascii characters like l and I or l and 1. Isn't there an asset hash that people can use instead?
jharveyb
commented
11 months ago Some notes on normalization that help avoid some cases of this:
https://go.dev/blog/normalization
Using only an asset's name is fragile imo because it's hard to tell the difference between some ascii characters like
landIorland1. Isn't there an asset hash that people can use instead?
Yes, the asset ID would be unique even across visually-similar asset tags. I think option 3 / convert asset ID to visual fingerprint seems best.
You could maybe have a universe reject visually-similar asset tags but that doesn't sound robust tbh / adds a form of squatting.
Crypt-iQ
commented
11 months ago Another string that might be sensitive (adding to the list) is the proof courier address
Background
As a
taproot-assets userI want toonly need to visually inspect an asset namein order toconfirm that a bootstrapped asset has the name I believe it should haveAs a
taproot-assets asset issuerI want toensure that my asset name cannot be confused with visually indistinguishable asset namesin order topreserve my asset's name recognition and deny fraudGiven that many unicode glyphs appear visually indistinguishable from each other but map to different code points, there is a potential attack vector against humans visually comparing asset names in which an attacker could attempt to defraud a user by using two homoglyphs. Domain names call this the IDN homograph attack
Mitigation options
Strings sensitive homograph attacks: