
Re: [idn] IDN spoofing



George W Gerrity wrote:

For the second-level (or third-level where the top is a country code) domain tag, it should be the legal responsibility of the name authorities for the domain above to ensure that spoofed names cannot be registered (or if registered, all belong to one owner). In the Western world, if that is not already the case, then I'm sure that the first time a spoof of, say Coca-Cola (or Pepsi - let's be even-handed) is registered, then we can be certain that afterwards, the issuing authority will never do it again.


While it is true that TLDs are responsible for preventing the registration of spoofs, commercial TLDs that have automated registration systems never perform that check. Does registering coca-cola.com prevent someone else from getting coca-co1a.com?

In the case of countries whose law systems are still a bit wild and wooly (The former Soviet Union?), then I suspect that for the time being it will remain "Caveat Emptor". In either case, a domain name holder should be able to license all spoofs for free, in order to limit its exposure to spoofing, whether or not there is adequate legal recourse.

If the TLD operator is careful, there is no need to license spoofs to protect one's domain from being spoofed. On the other hand, if the TLD does not even perform that check (such as .com), then it is unlikely that you get to license all spoofs for free anyway - you have to pay for each and every permutation of it.



The point I'm making is that while the authorities for .com.au or .com.ru may do what they like, we can at least give them advice plus some tables that will detect many, if not most, spoofs. In the case where the authority allows (for whatever reason) a name with mixed orthographies, then clearly the first to apply whose signature is not a spoof for an (already well-established) trade-marked name or domain name, should get the license, and all other applicants with a similar name be refused. The name authority should be protected by the laws of the countries in which it operates from being sued for refusing to register confusable names.

This is a fairly interesting proposal, i.e. to use the bundling (see draft-klensin-reg-guidelines or rfc3743) to solve the homograph problem at the registry level, provided we can come up with a satisfactory table of lookalikes.


As an example, the word "coke" can be represented completely in Cyrillic homographs, so one can generate 16 combinations of ASCII and Cyrillic characters forming strings that look like "coke". When you register "coke.com", the other 16 variants are automatically tied to this domain (for free or for a fee). They can be either all activated (put into the zone file) or simply blocked from registration.

The good thing about this is that the lookalikes mapping table does not have to be set-in-stone at the protocol level, but individual registries may choose to implement whatever makes sense for them.

The problem with this is that the number of variants gets out of hand pretty quickly, and most registry systems aren't equipped to deal with bundles.

wil.
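
The registry-side bundling discussed in this message, as an added example that is not part of the original post: it blocks a lookalike registration by a different owner and shows how fast a bundle grows. The lookalike table is a small constructed sample, the names (`bundle_key`, `variants`, `Registry`) are hypothetical, and folding each label to a single key is used here in place of storing every variant.

```python
from itertools import product

# Constructed sample table (assumption): ASCII letter -> Cyrillic lookalike.
# A real registry would publish its own table; this is not one from RFC 3743.
LOOKALIKES = {
    "a": "\u0430", "c": "\u0441", "e": "\u0435", "k": "\u043a",
    "o": "\u043e", "p": "\u0440", "x": "\u0445", "y": "\u0443",
}
TO_ASCII = {cyr: lat for lat, cyr in LOOKALIKES.items()}


def bundle_key(label):
    """Fold every lookalike to its ASCII form; all variants share this key."""
    return "".join(TO_ASCII.get(ch, ch) for ch in label.lower())


def variants(label):
    """Enumerate every ASCII/Cyrillic spelling of the label under the table."""
    choices = [(ch, LOOKALIKES[ch]) if ch in LOOKALIKES else (ch,)
               for ch in bundle_key(label)]
    return {"".join(combo) for combo in product(*choices)}


def bundle_size(label):
    """Variant count without enumerating: 2 per substitutable position."""
    return 2 ** sum(ch in LOOKALIKES for ch in bundle_key(label))


class Registry:
    """Toy registry: one owner per bundle, later lookalikes are refused."""

    def __init__(self):
        self.bundles = {}  # bundle key -> owner of the whole bundle

    def register(self, label, owner):
        key = bundle_key(label)
        holder = self.bundles.setdefault(key, owner)
        return holder == owner  # False means blocked as a lookalike


if __name__ == "__main__":
    reg = Registry()
    print(reg.register("coke", "first-owner"))        # accepted
    print(reg.register("\u0441oke", "someone-else"))  # Cyrillic first letter
    print(bundle_size("coke"), bundle_size("peacockery"))
```

Comparing folded keys keeps the registry's storage at one entry per bundle even when the enumerated bundle would run to hundreds of labels.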