Re: [idn] who should be doing IDN filtering

[John C Klensin <klensin@jck.com>]

--On Thursday, 17 February, 2005 12:53 -0500 "Michael Froomkin -
U.Miami School of Law" <froomkin@law.miami.edu> wrote:

> Assuming we can't cut ICANN out of the picture, isn't one
> solution to lobby ICANN to allow for new TLDs with policies
> that forbid misleading IDNs and let the marketplace sort it
> out?

Michael,

"Misleading?"  Why should IDNs be any different from ASCII-only
labels?  "M1CR0S0FT" would certainly be a "misleading" label
from the point of view of the obvious company, but the community
concluded, long ago, that problem should be dealt with by UDRP
procedures or court action, not having some registry make up
rules about what can't be registered based on what someone else
thinks is "misleading".

For the special case of mixed-script labels, ICANN already has
guidelines in place that requires gTLDs who choose to register
IDNs to limit any given label to a single "language" or small
set of languages.  Those guidelines are, IMO, badly written and
ambiguous and need fixing, but, as far as I know, all of gTLDs
except two are conforming to those guidelines and, in
particular, not permitting registrations of strings for which
they don't have established language tables.   The registry for
the other two has apparently decided, partially for historical
reasons, to go ahead and register almost anything that doesn't
match a language for which they already have tables... a topic
that has been discussed on this list already.

The ccTLDs which have decided to deploy IDNs and who are not
bound by those guidelines, have, by and large, adopted registry
restriction rules that are intended to prevent mixed-script and
other types of IDN-baesd misleading names when feasible.   Some
of them are based on "characters in use in our territory" and
"names we need to be able to represent in order to assure
fairness" rules, rather than strict language or script rules,
but I suggest they are still within the general intent of
preventing misleading mixed-script labels when possible.   While
policies differ, most of the ccTLDs, and an even larger majority
of those operated to support DNS use in the relevant country,
are consistent with the general spirit of the ICANN guidelines.

Some of us continue to believe, I hope consistently, that
conformance based on consensus and conclusions that it is the
Right Thing to Do is much better than trying to devise an
enforcement regime.  I know you didn't suggest an enforcement
regime, but others in this discussion have come pretty close.
And, for prohibitions on registration of mixed-script misleading
names, the worldwide conformance level, among TLDs that have
deployed IDNs, to the general principle is fairly high.

As far as the marketplace sorting this out, I suggest that the
marketplace has already spoken, without any requirement to make
up new TLDs to seek a stronger message.  We have TLDs (country
code and generic) who prohibit IDN registrations.  We have TLDs
(again, both groups) who permit IDN registrations only if
languages are identified and script rules carefully adhered to.
And we have TLDs who permit registration of almost anything
permitted by IDNA, either explicitly or through some loophole.
What I haven't seen, before or after this latest
phishing-possibility demonstration, is a single instance of an
advertisement or press release that says "you should register in
our domain rather than theirs because our permitted-label rules
are more restrictive and hence will give you and your users
better assurances that they aren't being phished".  Nor have we
seen any symptoms of registrations migrating spontaneously among
domains to reflect those concerns.   If the marketplace has any
intent of speaking to this issue --or "sorting things out"-- it
is doing so in a whisper.  

I am a little depressed by that.  I'd be much happier to see
"our domain is safer than their domain" ads and positive
responses to them, just as I would have been happy to see
"register in our domain because we promise to never try to
divert the typing mistakes of your users to your competitors" a
year or so ago.  But they don't happen.  And, using the second
case as an example, there is zero evidence that it has had any
marketplace effect on registrations.    The marketplace for
registrations just doesn't seem to care, and we don't need more
TLDs to tell us that.

> Maybe the IETF could issue a statement of some sort on the
> security implications of failing to allow such TLDs into the
> marketplace?

For the mixed-script case and some related ones, such TLDs are
already in the marketplace and are actually the large majority
of TLDs.  There is a reason why that paypal example didn't show
up in AERO, BIZ, CH, CN, DE, INFO, INT, JP, ORG, SE, TW, and a
host of others -- it could not have been registered, either
because the registry prohibits mixed-script registrations or
because it is going slowly about IDN deployment, wanting others
to get more experience first.

So what would you like the IETF to say, exactly?  "Domains that
are being cautious about registrations should advertise the fact
better"?  Not exactly an IETF-type statement.   "Guidelines that
prevent obvious abuses are good"?  The IETF has already said
essentially that -- see the "IESG Statement" on IDNs -- and most
of the TLD registries are doing it as they deploy IDNs.  Or
perhaps "200 plus domains are already proceeding safely in this
area so security requires that we add a few more who will too"?
Doesn't pass the laugh test, at least from where I sit.

best,
     john