
Re: [idn] who should be doing IDN filtering



Thank you for the thoughtful comments. I'm going to cherry pick and just respond to the assertions I think are most germane to my original comment. (There's lots of other interesting issues, but not for here and now.)

1. I'm glad you recognize I am not advocating an enforcement regime. And I like consensus when we can get it. But I also don't mind market-based regimes with clear disclosure and labelling; in a managed space with artificial scarcity like the TLD-space, one way to get that is to increase supply. I recognize that some people are nervous about that, but it doesn't seem to denigrate those concerns to also note that there can be advantages.

2. I do, however, disagree with the assertion that the gTLD space we have, or even the gTLD + ccTLD space, is a well-functioning competitive market at the registry level for reasons including first-mover advantages, locking, arbitrary semantic choices imposed by the regulator (ICANN) and so on. I could go on, or cite academic papers, but I know that you and the others who care have heard the arguments. I thus also think that in this environment there is little one can infer by registration patterns, which are driven by other things.

3. If we want or hope for innovative marketing or differentiation of gTLDs, the most likely way to get them is to create new ones. The IETF, and if memory serves you prominently among its active members, has expressed scepticism about this idea on many occasions.

4. The idea for an informational RFC in this area is no odder than, say, RFC 3675 (which is not intended as a comment on the merits of that document, but just a comment about its scope as it relates to the scope of this idea)...or even, dare I say it, RFC 3071.

5. I agree there would be a substantial drafting challenge to be overcome.


On Thu, 17 Feb 2005, John C Klensin wrote:



--On Thursday, 17 February, 2005 12:53 -0500 "Michael Froomkin -
U.Miami School of Law" <froomkin@law.miami.edu> wrote:

Assuming we can't cut ICANN out of the picture, isn't one
solution to lobby ICANN to allow for new TLDs with policies
that forbid misleading IDNs and let the marketplace sort it
out?

Michael,

"Misleading?"  Why should IDNs be any different from ASCII-only
labels?  "M1CR0S0FT" would certainly be a "misleading" label
from the point of view of the obvious company, but the community
concluded, long ago, that problem should be dealt with by UDRP
procedures or court action, not having some registry make up
rules about what can't be registered based on what someone else
thinks is "misleading".

For the special case of mixed-script labels, ICANN already has
guidelines in place that require gTLDs who choose to register
IDNs to limit any given label to a single "language" or small
set of languages.  Those guidelines are, IMO, badly written and
ambiguous and need fixing, but, as far as I know, all of the gTLDs
except two are conforming to those guidelines and, in
particular, not permitting registrations of strings for which
they don't have established language tables.   The registry for
the other two has apparently decided, partially for historical
reasons, to go ahead and register almost anything that doesn't
match a language for which they already have tables... a topic
that has been discussed on this list already.

The ccTLDs which have decided to deploy IDNs and who are not
bound by those guidelines, have, by and large, adopted registry
restriction rules that are intended to prevent mixed-script and
other types of IDN-based misleading names when feasible.   Some
of them are based on "characters in use in our territory" and
"names we need to be able to represent in order to assure
fairness" rules, rather than strict language or script rules,
but I suggest they are still within the general intent of
preventing misleading mixed-script labels when possible.   While
policies differ, most of the ccTLDs, and an even larger majority
of those operated to support DNS use in the relevant country,
are consistent with the general spirit of the ICANN guidelines.

Some of us continue to believe, I hope consistently, that
conformance based on consensus and conclusions that it is the
Right Thing to Do is much better than trying to devise an
enforcement regime.  I know you didn't suggest an enforcement
regime, but others in this discussion have come pretty close.
And, for prohibitions on registration of mixed-script misleading
names, the worldwide conformance level, among TLDs that have
deployed IDNs, to the general principle is fairly high.

As far as the marketplace sorting this out, I suggest that the
marketplace has already spoken, without any requirement to make
up new TLDs to seek a stronger message.  We have TLDs (country
code and generic) who prohibit IDN registrations.  We have TLDs
(again, both groups) who permit IDN registrations only if
languages are identified and script rules carefully adhered to.
And we have TLDs who permit registration of almost anything
permitted by IDNA, either explicitly or through some loophole.
What I haven't seen, before or after this latest
phishing-possibility demonstration, is a single instance of an
advertisement or press release that says "you should register in
our domain rather than theirs because our permitted-label rules
are more restrictive and hence will give you and your users
better assurances that they aren't being phished".  Nor have we
seen any symptoms of registrations migrating spontaneously among
domains to reflect those concerns.   If the marketplace has any
intent of speaking to this issue --or "sorting things out"-- it
is doing so in a whisper.

I am a little depressed by that.  I'd be much happier to see
"our domain is safer than their domain" ads and positive
responses to them, just as I would have been happy to see
"register in our domain because we promise to never try to
divert the typing mistakes of your users to your competitors" a
year or so ago.  But they don't happen.  And, using the second
case as an example, there is zero evidence that it has had any
marketplace effect on registrations.    The marketplace for
registrations just doesn't seem to care, and we don't need more
TLDs to tell us that.

Maybe the IETF could issue a statement of some sort on the
security implications of failing to allow such TLDs into the
marketplace?

For the mixed-script case and some related ones, such TLDs are already in the marketplace and are actually the large majority of TLDs. There is a reason why that paypal example didn't show up in AERO, BIZ, CH, CN, DE, INFO, INT, JP, ORG, SE, TW, and a host of others -- it could not have been registered, either because the registry prohibits mixed-script registrations or because it is going slowly about IDN deployment, wanting others to get more experience first.

So what would you like the IETF to say, exactly?  "Domains that
are being cautious about registrations should advertise the fact
better"?  Not exactly an IETF-type statement.   "Guidelines that
prevent obvious abuses are good"?  The IETF has already said
essentially that -- see the "IESG Statement" on IDNs -- and most
of the TLD registries are doing it as they deploy IDNs.  Or
perhaps "200 plus domains are already proceeding safely in this
area so security requires that we add a few more who will too"?
Doesn't pass the laugh test, at least from where I sit.

best,
    john


--
http://www.icannwatch.org   Personal Blog: http://www.discourse.net
A. Michael Froomkin | Professor of Law | froomkin@law.tm
U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA
+1 (305) 284-4285 | +1 (305) 284-6506 (fax) | http://www.law.tm
-->It's cool here.<--
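
The registry-side rule described in the quoted message (refuse any label that is not fully covered by one established language table) can be sketched as follows. This is an added example, not part of the original thread; the tables, sample labels and function names are constructed for illustration and are not any registry's actual tables.

```python
# Added illustration: admit a label only if ONE language table covers every
# character in it. Tables are constructed and simplified, not real registry data.
ACE_PREFIX = "xn--"
COMMON = set("0123456789-")  # digits and hyphen are shared by all tables


def _table(first, last, extra=""):
    letters = {chr(c) for c in range(ord(first), ord(last) + 1)}
    return letters | set(extra) | COMMON


LANGUAGE_TABLES = {
    "en": _table("a", "z"),
    "de": _table("a", "z", "\u00e4\u00f6\u00fc\u00df"),  # plus a/o/u umlaut, sharp s
    "ru": _table("\u0430", "\u044f", "\u0451"),          # Cyrillic a..ya plus yo
}


def to_unicode_label(label):
    """Lowercase Unicode form of an ASCII, Unicode or ACE (xn--) label.

    Returns None when an ACE label cannot be decoded.
    """
    label = label.lower()
    if not label.startswith(ACE_PREFIX):
        return label
    try:
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    except UnicodeError:
        return None


def matching_tables(label):
    """Tags of every table that contains all characters of the label."""
    u = to_unicode_label(label)
    if not u:
        return []
    return sorted(t for t, chars in LANGUAGE_TABLES.items() if set(u) <= chars)


def registrable(label):
    return bool(matching_tables(label))


def to_ace(u_label):
    """Build an ACE label from Unicode; used here only to construct samples."""
    return ACE_PREFIX + u_label.encode("punycode").decode("ascii")


# Constructed samples: Latin "paypal" with a Cyrillic U+0430, and an
# all-Cyrillic label.
MIXED = to_ace("p\u0430ypal")
CYRILLIC = to_ace("\u043f\u0440\u0438\u043c\u0435\u0440")
```

The mixed-script label is refused because no single table covers it, while the all-Cyrillic label is accepted under the `ru` table; no script detection is needed, only table membership.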