RE: Phishing and enforcing Confusables.txt

From: CE Whitehead (
Date: Mon Nov 29 2010 - 17:16:59 CST

  • Next message: Kenneth Whistler: "Re: Phishing and enforcing Confusables.txt"


    > Date: Tue, 30 Nov 2010 01:31:09 +0530
    > Subject: Re: Phishing and enforcing Confusables.txt
    > From:
    > To:;;
    > CC:
    > On Mon, Nov 29, 2010 at 11:24 PM, Mark Davis ☕ <> wrote:
    > > By "registry" I mean at any level. So just as .com regulates everything of
    > > the form, the entity responsible for controls
    > > everything of the form Thus there are literally millions
    > > of registries.
    > Just so that nobody gets frightened and accuses Unicode of making
    > security problems for their script -- the above comment only means
    > that for all (of the millions of) websites the owners of
    > have the power to ensure that is NOT
    > confusable with And the .com registry owners have the
    > same power to ensure that is not confusable with
    > Now the question is, is there only one owner of .com? ICANN? Who?
    "A TLD identifies something about the website associated with it, such as its purpose, the organization that owns it or the geographical area where it originates. Each TLD has a separate registry managed by a designated organization under the direction of the Internet Corporation for Assigned Names and Numbers (ICANN)."
    there is a new proposal to allow more tld's of course
    I think there is also now a system of verifying domains all the way through the root in place . . . "
    Each owner of a tld maintains a list of allowed characters; for example Saudi Arabia allows just the Arabic consonants (none of the alternate forms and none of the vowelled forms) but both Eastern and Western Indic digits (so digits 0 - 3 and 7 - 9 I believe have duplicates that look alike but that's it for Saudi Arabia) -- last checked I've lost the page but I'm sure I can find it.

    > If this entity chooses to enforce confusables (does it?) then
    > *wherever* a domain is registered it cannot be confusable with an
    > existing domain name? To be precise, if my old example of ಅರಗ.com is
    > registered in India, then అరగ.com cannot be registered *anywhere in
    > the world*?

    Registration Abuse Policy Working Group created in Dec 2009 this is final report

    (I can summarize of Report redlined 27 May 2010 draft to those interested; info here is taken from that; I see no reason to futher clutter here; it may take a few days though for me to respond with summary)
    The report:
    defines abuse
    * causes harm -- that is not just fair market competition
    * is illegal or illegitimate
    - desire to differentiate between registration/use abuse (since ICANN only governs registration) but plan is first to define registration)
    - desires to establish what aspects of registration abuse are "within ICANN's mission to address" and for which ICANN "may establish policies that are binding" on gTLD registry operators and ICANN-accredited registrars (I presume these would be the top-level registrar; for example if I owned a site a tripon and I was able to give someone -- I need clarification here, who would accredit/vouch for whom in this?
    - desire is to have practices for suspending domain names; plan to survey registrars and registries to determine practices currently used; a few members believe ICANN can impose mandatory policies/practices when domain names are used illicitly.
    - desire is to fix "whois" blocks and such
    (The report looks at deceptive use of domain names and traffic diversion as well as absolutely abusive issues such as phishing -- legally these can almost overlap I think [this last is my comment; thus was created to spoof the Republic-led at the time when Obama was elected had links to today it has student loan links].
    WHAT HAS BEEN DONE TO DATE (that I can see)
    Made policy changes for domain tasting (a related issue) and also state that provision of false "whois" info can result in cancellation of domain registration (another related issue)
    Emphasizes that ICANN cannot enforce use policies just registration policies so all depends whether registration of look-alike domain names falls under use or registration . . . it depends in part on how it's to be used but the group does take an interest in the uniqueness of strings . . . and sees this as a registration issue (thus character spoofing is different from 's mimicking
    Now plans to collect and disseminate best practices related to aspects of domain name registration/management -- your ideas may still be welcome: "Unanimous consensus for creation of non-binding best practices to help registrars and registries address the use of illicit domain names" (see pp. 50-71 of report; best practices for creating anti-abuse terms of service for inclusion in registrar-registrant agtreements and for use by TLD operators plus "practices for identifying and investigating common forms of malicious use" ; also unanimous consensus for creating and supporting structured and funded mechanisms for creating best practices -- don't know what these will be and I'm stil going through the whole report).
    --C. E. Whitehead
    > Is that right? The above is what is desired to avoid phishing...
    > Shriramana.

    This archive was generated by hypermail 2.1.5 : Mon Nov 29 2010 - 17:19:45 CST