Re: [idn] homograph attacks

["Martin v. Löwis" <martin@v.loewis.de>]

Thomas Keller wrote:
> I'm by no means a linguist but I would assume that there are a plethora
> of good and usefull mixtures of scripts that exist in daily life. Passing 
> this problem (of which all of us have been aware of for years now) back 
> to the policy arena won't help anyone since I doubt that there can be any 
> kind working group (now or in the future) that can come up with a good 
> rational for all scripts and languages without restricting "good" and usefull 
> mixtures. 

Right. So what the working groups do is to come up with a good rationale
for all scripts and languages that *do* restrict "good" and useful
mixtures. I find no problems in that restrictions: it is better to be
restrictive now and permissive later than the other way 'round.

> By design the IDNA processing happens inside the application and therefore in 
> my thinking the applications are the right place for any security meassures 
> as well.

Not only. Right from the beginning, the idea was to enforce policy in
the registry.

> Talking about about security measures we have to think about what
> exactly we want to prevent from happening. 

In the specific case, I think paypal.com with a Cyrillic "a" should
have been prevented from becoming registered.

Regards,
Martin