Re: [idn] Re: nameprep, IDN spoofing and the registries

["JFC (Jefsey) Morfin" <jefsey@jefsey.com>]

At 14:26 22/02/2005, Stephane Bortzmeyer wrote:
> On Mon, Feb 21, 2005 at 09:18:07PM -0800,
>  Erik van der Poel <erik@vanderpoel.org> wrote
>  a message of 218 lines which said:
>
> > As George points out, the registries are going to have to start
> > filtering IDN lookalikes, otherwise they will eventually face
> > lawsuits from the "big boys" (as George so delightfully puts it).
>
> Quite the opposite: according to our lawyer, if the process is
> completely automatic (no human eyes involved), you can disclaim any
> responsability. But if you do screen, you accept a liability if the
> screening fails (and it will fail, trying to catch homographs is an
> hopeless task).
>
> I seriously doubt that european registries, which all moved from a
> "screen every domain to check if it is legal" model to a "accept
> anything" model in the '90s will go back...

Full agreement. Now, only for the reasons explained below, I am ready to 
test and propose several ccTLDs a filtering experimentation.

1. I filter the registered names (against foul names, blocked names) at 
registration level, before accepting payment.
2. the filtering will therefore be on xn--entries strings.

This being accepted:

1. could someone point a "C" source code to carry what has to be carried to 
filter out the dangerous names? Please help: I have no resource on this.
2. could someone list all the Unicode codes to blacklist that way?
3. could someone point a Perl code to use to enter a IDN and to get it 
properly punycoded, which could use such a list.

My rationale is that I only want to protect my own operations from 
confusion. I will only extend the description of the non-authorized 
characters in the terms and conditions. If this works properly I will 
describe the solution and experience in a for information Draft and a 
request to the IANA to list a Unicode black list.

jfc


jfc