[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [idn] Re: nameprep, IDN spoofing and the registries

To: idn@ops.ietf.org, unicode@unicode.org
Subject: Re: [idn] Re: nameprep, IDN spoofing and the registries
From: Erik van der Poel <erik@vanderpoel.org>
Date: Tue, 22 Feb 2005 09:41:37 -0800
In-reply-to: <20050222132656.GA13173@nic.fr>
References: <BE3FE373.C6C%haberg@math.su.se> <421A3E9C.5020204@vanderpoel.org> <f3aaace6b9037e8383c412d9e24b18db@gwg-associates.com.au> <421AC08F.2030207@vanderpoel.org> <20050222132656.GA13173@nic.fr>
User-agent: Mozilla Thunderbird 1.0 (X11/20041206)

As George points out, the registries are going to have to start
filtering IDN lookalikes, otherwise they will eventually face
lawsuits from the "big boys" (as George so delightfully puts it).


Quite the opposite: according to our lawyer, if the process is
completely automatic (no human eyes involved), you can disclaim any
responsability. But if you do screen, you accept a liability if the
screening fails (and it will fail, trying to catch homographs is an
hopeless task).

I seriously doubt that european registries, which all moved from a
"screen every domain to check if it is legal" model to a "accept
anything" model in the '90s will go back...

Chuckle. That's funny. Here I am telling a mathematician to think more like a network engineer, then I turn around and say something about law even though I'm not a lawyer!

Seriously, I did not say that human eyes would do the filtering (though of course humans would have to come up with the policies and code to do the filtering).

So, if a registry can claim that it can disclaim responsibility for spoofing *because* it is using an automatic registration process, then wouldn't it be possible for someone (or a class action) to claim that their automatic process isn't good enough? I mean, we all know where the obvious homographs are, and any engineer can tell you that it is easy to write a program to generate all the spoofs from those, or to filter them.

This may be a gray area that I believe Peter may have been referring to when he said that in some countries it might be possible to force the registry to change.

As it turns out, mozilla.org has also discussed the idea that Mozilla may not want to try to solve the IDN spoofing problem, since it cannot accept the legal responsibility for doing so.

Is the Unicode Consortium now also going to say "Sorry, we cannot provide homograph tables because we cannot be held responsible for any spoofing that may occur."?

Is everyone just going to pass the buck? How sad.

By the way, not all European registries "accept anything". Some of them are checking a character inclusion table to see if the domain name is allowed. What do you say to this?

Erik

References:
- Re: [idn] IDN spoofing
  - From: Erik van der Poel <erik@vanderpoel.org>
- [idn] nameprep, IDN spoofing and the registries
  - From: Erik van der Poel <erik@vanderpoel.org>
- [idn] Re: nameprep, IDN spoofing and the registries
  - From: Stephane Bortzmeyer <bortzmeyer@nic.fr>

Prev by Date: Re: [idn] Re: nameprep, IDN spoofing and the registries
Next by Date: [idn] nameprep2 and the slash homograph issue
Previous by thread: Re: [idn] Re: nameprep, IDN spoofing and the registries
Next by thread: Re: [idn] IDN spoofing
Index(es):
- Date
- Thread