Re: Phishing and enforcing Confusables.txt

From: Martin J. Dürst (
Date: Tue Nov 30 2010 - 00:33:03 CST

  • Next message: Kent Karlsson: "Re: Unihan number types and values"

    On 2010/11/30 5:01, Shriramana Sharma wrote:
    > On Mon, Nov 29, 2010 at 11:24 PM, Mark Davis ☕<> wrote:
    >> By "registry" I mean at any level. So just as .com regulates everything of
    >> the form, the entity responsible for controls
    >> everything of the form Thus there are literally millions
    >> of registries.
    > Just so that nobody gets frightened and accuses Unicode of making
    > security problems for their script -- the above comment only means
    > that for all (of the millions of) websites the owners of
    > have the power to ensure that is NOT
    > confusable with And the .com registry owners have the
    > same power to ensure that is not confusable with
    > Now the question is, is there only one owner of .com? ICANN? Who?

    "Owner" is a difficult term in the context of domain names. If the
    question is who is currently in control of .com, then this is easy to
    answer. The official list of all the top level registries is at:
    There you see that VeriSign Global Registry Services is in charge. will give you more details.

    Ken mentioned registrars, but these are the front ends dealing with
    customer service,... Actual control is with the registries. A registrar
    can never register something that the registry in charge will not allow.
    There are some top level registries that also serve as their only
    registrars, and on the other hand, there are some top level registries
    that are served by many registrars. .com is of the later kind. I'd think
    that because of the popularity of .com, the number of registrars for
    .com may easily be the largest for any domain.

    A registrar can select to only register a subset of the domain names
    offered by the registry they serve (a registrar in India could refuse to
    register Greek domain names because they don't understand the Greek
    script well enough to provide a good service), but they cannot register
    anything that the registry won't allow.

    The relationship between ICANN and each registry varies. For some very
    new registries, ICANN has a strong control via contracts that they set
    up when they agreed to the creation of that domain. For some others,
    they are just giving advice. This applies to most country code top level
    domains, and also to very traditional domains such as .com.

    > If this entity chooses to enforce confusables (does it?) then
    > *wherever* a domain is registered it cannot be confusable with an
    > existing domain name? To be precise, if my old example of ಅರಗ.com is
    > registered in India, then అరగ.com cannot be registered *anywhere in
    > the world*?

    Yes, of course. The domain name system is global. Each domain (starting
    with what you could call 0-level domain, which contains the top level
    domains) only has one controlling entity. Each domain resolves the same
    way all around the world. If something is registered with .com, then as
    soon as you register it, e.g. with a registrar in India, it gets
    registered in the registry, i.e. with VeriSign.

    Because .com is very global in use, when IDNA started (and even before
    experimentally), VeriSign was registering domain names in all kinds of
    scripts. For a long time, they also allowed registration of mixed-script
    names. This lead to the "paypal scare", where a security researcher
    registered with a Cyrillic 'a'.

    While ICANN cannot do much more than provide advice to most registries,
    some browser makers (in particular Mozilla) have tried to evaluate the
    policy of each top-level registry with regards to internationalized
    domain names, and use this to decide whether to show the domain name
    with real characters or encoded (using punycode). If you try in Firefox,
    you will see that అరగ.com and అరగ.ru show as punycode, but అరగ.jp and
    అరగ.рф show as characters in the address bar. (Non of them resolves, and
    in all cases, a "Network Error" page shows punycode.) For details,
    please see This
    may lead to pressure on the registries to create (or publish) and update
    their registry policies.

    Regards, Martin.

    #-# Martin J. Dürst, Professor, Aoyama Gakuin University

    This archive was generated by hypermail 2.1.5 : Tue Nov 30 2010 - 00:38:58 CST