Re: [idn] who should be doing IDN filtering

["Adam M. Costello" <idn.amc+0@nicemice.net.RemoveThisWord>]

Eric Johanson <ericj@shmoo.com> wrote:

> Are you sure that it's the registrars/TLDs/etc whom should be doing
> this filtering?

I think registries should be doing filtering, but I don't think browsers
should depend on it, because it's already too late, as the paypal
example proves.  I think browsers (and in general, applications that
receive domain names from untrusted sources and display them to the user
as IDNs) ought to provide a second line of defense by trying to expose
suspicious domain names.

> Because this 'language tag' is only available to registrars (when I
> say registrars, I mean anyone involved with the registration of a
> new domain, on any TLD), I suspect it makes it impractical to do the
> filtering at the browser/application level.

I don't see why.

> ...assuming we can make the language tag available via some dns tricks or 
> some API...

I don't see that happening.  The IDN working group decided quite
deliberately that domain names would not contain any meta-info like
language tags; they're just text strings.

Still, I expect that some not-terribly-complex heuristics, based only
on the bare character strings, could go a long way toward exposing
suspicious domain names.

AMC