Re: [idn] Re: nameprep, IDN spoofing and the registries

From: Erik van der Poel (erik@vanderpoel.org)
Date: Tue Feb 22 2005 - 11:41:37 CST


    >>As George points out, the registries are going to have to start
    >>filtering IDN lookalikes, otherwise they will eventually face
    >>lawsuits from the "big boys" (as George so delightfully puts it).
    >
    > Quite the opposite: according to our lawyer, if the process is
    > completely automatic (no human eyes involved), you can disclaim any
    > responsibility. But if you do screen, you accept a liability if the
    > screening fails (and it will fail, trying to catch homographs is a
    > hopeless task).
    >
    > I seriously doubt that European registries, which all moved from a
    > "screen every domain to check if it is legal" model to an "accept
    > anything" model in the '90s will go back...

    Chuckle. That's funny. Here I am telling a mathematician to think more
    like a network engineer, then I turn around and say something about law
    even though I'm not a lawyer!

    Seriously, I did not say that human eyes would do the filtering (though
    of course humans would have to come up with the policies and code to do
    the filtering).

    So, if a registry can claim that it can disclaim responsibility for
    spoofing *because* it is using an automatic registration process, then
    wouldn't it be possible for someone (or a class action) to claim that
    their automatic process isn't good enough? I mean, we all know where the
    obvious homographs are, and any engineer can tell you that it is easy to
    write a program to generate all the spoofs from those, or to filter them.

    This may be a gray area that I believe Peter may have been referring to
    when he said that in some countries it might be possible to force the
    registry to change.

    As it turns out, mozilla.org has also discussed the idea that Mozilla
    may not want to try to solve the IDN spoofing problem, since it cannot
    accept the legal responsibility for doing so.

    Is the Unicode Consortium now also going to say "Sorry, we cannot
    provide homograph tables because we cannot be held responsible for any
    spoofing that may occur."?

    Is everyone just going to pass the buck? How sad.

    By the way, not all European registries "accept anything". Some of them
    are checking a character inclusion table to see if the domain name is
    allowed. What do you say to this?

    Erik
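
The automatic filtering discussed in this message (a character inclusion table, plus a check for known homographs of names already registered), as an added example that is not part of the original message. The confusables map, both inclusion tables and the function names are constructed samples, not any registry's or the Unicode Consortium's data.

```python
import unicodedata

# Constructed sample: a few well-known Cyrillic/Greek lookalikes of Latin
# letters. A real deployment would load a full confusables table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

# Hypothetical inclusion tables (assumptions for this example).
LATIN_TABLE = set("abcdefghijklmnopqrstuvwxyz0123456789-") | set("äöü")
CYRILLIC_TABLE = {chr(c) for c in range(0x0430, 0x0450)} | set("0123456789-")


def fold(label):
    """Normalize and case-fold so comparisons see one canonical form."""
    return unicodedata.normalize("NFKC", label).casefold()


def skeleton(label):
    """Map each character to its lookalike so homographs compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in fold(label))


def check_label(label, registered, table=LATIN_TABLE):
    """Return (decision, details) for a requested label.

    Step 1: every character must be in the registry's inclusion table.
    Step 2: the label's skeleton must not match a different registered name.
    """
    folded = fold(label)
    outside = sorted({ch for ch in folded if ch not in table})
    if outside:
        return ("reject-inclusion", outside)
    skel = skeleton(folded)
    clashes = sorted(r for r in registered
                     if fold(r) != folded and skeleton(r) == skel)
    if clashes:
        return ("reject-lookalike", clashes)
    return ("accept", [])


if __name__ == "__main__":
    registered = {"epoxy"}                       # constructed sample registry
    spoof = "\u0435\u0440\u043e\u0445\u0443"     # all-Cyrillic, renders like "epoxy"
    print(check_label(spoof, registered))                  # stopped by Latin table
    print(check_label(spoof, registered, CYRILLIC_TABLE))  # caught by skeleton check
    print(check_label("m\u00fcnchen", registered))         # ordinary IDN passes
```

An inclusion table on its own passes a whole-script lookalike when the table permits that script, which is why the skeleton comparison against existing registrations runs as a second step.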


