Re: [idn] IDN spoofing

From: William Tan (
Date: Mon Feb 21 2005 - 05:36:50 CST

  • Next message: "Codepoint Differentiation"

    George W Gerrity wrote:

    > For the second-level (or third-level where the top is a country code)
    > domain tag, it should be the legal responsibility of the name
    > authorities for the domain above to ensure that spoofed names cannot
    > be registered (or if registered, all belong to one owner). In the
    > Western world, if that is not already the case, then I'm sure that the
    > first time a spoof of, say Coca-Cola (or Pepsi — let's be even-handed)
    > is registered, then we can be certain that afterwards, the issuing
    > authority will never do it again.

    While it is true that TLDs are responsible for preventing the
    registration of spoofs, commercial TLDs that have automated registration
    systems never perform that check. Does registering prevent
    someone else from getting

    > In the case of countries whose law systems are still a bit wild and
    > wooly (The former Soviet Union?), then I suspect that for the time
    > being it will remain ‘Caveat Emptor’. In either case, a domain name
    > holder should be able to license all spoofs for free, in order to
    > limit its exposure to spoofing, whether or not there is adequate legal
    > recourse.

    If the TLD operator is careful, there is no need to license spoofs to
    protect one's domain from being spoofed. On the other hand, if the TLD
    does not even perform that check (such as .com), then it is unlikely
    that you get to license all spoofs for free anyway - you have to pay for
    each and every permutation of it.

    > The point I'm making is that while the authorities for or
    > may do what they like, we can at least give them advice plus
    > some tables that will detect many, if not most, spoofs. In the case
    > where the authority allows (for whatever reason) a name with mixed
    > orthographies, then clearly the first to apply whose signature is not
    > a spoof for an (already well-established) trade-marked name or domain
    > name, should get the license, and all other applicants with a similar
    > name be refused. The name authority should be protected by the laws of
    > the countries in which it operates from being sued for refusing to
    > register confusable names.

    This is a fairly interesting proposal, i.e. to use the bundling (see
    draft-klensin-reg-guidelines or rfc3743) to solve the homograph problem
    at the registry level, provided we can come up with a satisfactory table
    of lookalikes.

    As an example, the word "coke" can be represented completely in Cyrillic
    homographs, so one can generate 16 combinations of ASCII and Cyrillic
    characters forming strings that look like "coke". When you register
    "", the other 16 variants are automatically tied to this domain
    (for free or for a fee). They can be either all activated (put into the
    zone file) or simply blocked from registration.

    The good thing about this is that the lookalikes mapping table does not
    have to be set-in-stone at the protocol level, but individual registries
    may choose to implement whatever makes sense for them.

    The problem with this is that the number of variants gets out of hand
    pretty quickly, and most registry systems aren't equipped to deal with


    This archive was generated by hypermail 2.1.5 : Mon Feb 21 2005 - 13:48:59 CST