[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [idn] homograph attacks

To: "Erik van der Poel" <erik@vanderpoel.org>, "William Tan" <wil@dready.org>
Subject: RE: [idn] homograph attacks
From: "Michel Suignard" <michelsu@windows.microsoft.com>
Date: Wed, 16 Feb 2005 14:18:51 -0800
Cc: "Martin v. Löwis" <martin@v.loewis.de>, "Kane, Pat" <pkane@verisign.com>, <idn@ops.ietf.org>, <ericj@shmoo.com>, "tedd" <tedd@sperling.com>, <dam@icann.org>

I think that building language tables for Latin based writing systems is a nice but mostly futile exercise. Modern language are constantly borrowing from other languages using the same script. If you think that English only use a-z, A-Z, you are going to be surprised. Take for example 'Häagen-Dazs", isn't it an English brand? If not what is it? English is constantly using French and German words, among others, in everyday life usage. Think of English words such as naïve, naïvely and many others. Should non ascii letters in them they be excluded from 'english' tables?

I have seen European standard bodies spending forests of paper to try to establish these language tables, but there have never been an authoritative version because simply you can't.

It is not a bad idea to have language tables to filter, but you have to allow exception for the reasons exposed above.

Same is true for Cyrillic as well.

Furthermore most ccTLD won't follow any registry regulation imposed from outside. So any such regulation can only be hoped for, not expected in all cases. I can perfectly see that some gTLD and possibly few ccTLD will have such rules, but they will have to be fairly accommodating to accept reality.

Michel

-----Original Message-----
From: Erik van der Poel [mailto:erik@vanderpoel.org] 
Sent: Wednesday, February 16, 2005 1:20 PM
To: William Tan
Cc: "Martin v. Löwis"; Michel Suignard; Kane, Pat; idn@ops.ietf.org; ericj@shmoo.com; tedd; dam@icann.org
Subject: Re: [idn] homograph attacks

Hello all,

It seems to me that a registry should not allow the registration of an IDN domain name under a particular language if that registry does not have a table for that language.

When a registry *does* have a table for a particular language, the IDN domain name is restricted to the characters that appear in that table.

So, when there is *no* table for a language, then *no* characters should be allowed. In other words, no IDN domain names (starting with xn--) should be allowed.

Also, it seems to me that registries like COM could "stop the bleeding" 
(for now) by immediately deploying systems that enforce a policy where registrations for languages for which they do not have tables are rejected.

After that, they could continue to gather or compile tables.

Regards,

Erik van der Poel

William Tan wrote:
> 
> Pat can correct me if I'm wrong, but my understanding is that VGRS 
> does NOT have a table associated with the German language. So, if you 
> went ahead and register an IDN, and selected the German language, you 
> can pretty much register any label that is permitted by IDNA, 
> including characters that aren't remotely related to German.
> 
> Regsards,
> wil.

Follow-Ups:
- Re: [idn] homograph attacks
  - From: "Martin v. Löwis" <martin@v.loewis.de>

Prev by Date: Re: [idn] homograph attacks
Next by Date: Re: [idn] homograph attacks
Previous by thread: RE: [idn] homograph attacks
Next by thread: Re: [idn] homograph attacks
Index(es):
- Date
- Thread