Re: [idn] IDN spoofing

From: Erik van der Poel (
Date: Sat Feb 19 2005 - 16:21:43 CST

  • Next message: Doug Ewell: "Re: [idn] IDN spoofing"


    I agree with a lot of what you are saying (particularly, the
    "semi-confusables"), but please allow me to counter you argument below,
    just for the sake of the argument. I am not saying that this is my
    "final" opinion. (People will have noticed that I change my opinion a
    lot. Sorry about that. :-)

    Doug Ewell wrote:
    > This is one of those problems for which
    > a partial solution simply isn't good enough.

    Maybe this is one of those problems for which *no* solution simply isn't
    good enough?

    I mean, I'll start with the Arial font found in Windows. Isn't it true
    that its cmap maps some characters to the same glyph index? And, even if
    someone tries to point out that Arial is a commercial product that
    someone may have been trying to get out the door quickly, thereby taking
    unjustified shortcuts, I'll point out that Michel Suignard himself
    (long-time Unicoder) already admitted that:

    # No languages used in the former soviet union should require a mix of
    # latin and cyrillic in a single dns label.
    # Unicode contains many latin homographs in the Cyrillic block exactly for
    # that reason, to avoid mixing the two scripts in a single word. It is
    # unfortunate that the exact visual match is now haunting us. However it
    # should not be used as a rationale to accept registration of mixed
    # Cyrillic/Latin labels by tld registries.

    This is from:

    Am I now going to see some senior Unicoders try to backpedal on these
    comments? :-)

    I hope not. A couple of senior Unicoders have already indicated that
    they are seriously considering this homograph issue, and kudos to them!

    > And for something like IDNs, once you have decided on a mapping, you can
    > never, ever change it. Otherwise you will have a domain name available
    > for registration by customer A today, but a similar one not available to
    > customer B six months later (or vice versa, A can't get it but B can).
    > Either way, you have a lawsuit.

    And that's how it should be. PayPal should sue those that registered
    fake names! :-)

    Well, PayPal will notice that some or all of them are just there to
    start this very discussion, and hopefully won't sue those poor engineers...

    More to the point, this ACE thing (ASCII Compatible Encoding) has a long
    history of incompatible prefixes. See section 5 of:

    As is the case in any network protocol migration endeavor, you may be
    able to take advantage of such incompatibilities to assist in (indeed,
    *allow*) migration. The critical thing is to have the systems support
    both the old and the new during the transition period. For example, a
    registry might support lookups from both old and new clients during the

    But of course, it will be very difficult (if not impossible) to delete
    some of the names that are determined to be (deliberate or accidental)
    spoofs of other (hopefully legitimate) names. Some of these parties have
    the resources to sue each other, but others are just, say, individuals
    who happen to be caught in the crossfire. Is it fair to delete their
    registrations? And even if it is, will the registries even bother to go
    through all this work? Finally, am I answering my own questions? :-)


    This archive was generated by hypermail 2.1.5 : Sat Feb 19 2005 - 16:23:03 CST