RE: Phishing and enforcing Confusables.txt

From: CE Whitehead (
Date: Tue Nov 30 2010 - 18:27:47 CST


Date: Tue, 30 Nov 2010 15:33:03 +0900
Subject: Re: Phishing and enforcing Confusables.txt
> On 2010/11/30 5:01, Shriramana Sharma wrote:
> > On Mon, Nov 29, 2010 at 11:24 PM, Mark Davis ☕<> wrote:
> >> By "registry" I mean at any level. So just as .com regulates everything of
> >> the form, the entity responsible for controls
> >> everything of the form Thus there are literally millions
> >> of registries.
> >
> > Just so that nobody gets frightened and accuses Unicode of making
> > security problems for their script -- the above comment only means
> > that for all (of the millions of) websites the owners of
> > have the power to ensure that is NOT
> > confusable with And the .com registry owners have the
> > same power to ensure that is not confusable with
> >
> >
> > Now the question is, is there only one owner of .com? ICANN? Who?
> "Owner" is a difficult term in the context of domain names. If the
> question is who is currently in control of .com, then this is easy to
> answer. The official list of all the top level registries is at:
> There you see that VeriSign Global Registry Services is in charge.
> will give you more details.
> Ken mentioned registrars, but these are the front ends dealing with
> customer service,... Actual control is with the registries. A registrar
> can never register something that the registry in charge will not allow.
> There are some top level registries that also serve as their only
> registrars, and on the other hand, there are some top level registries
> that are served by many registrars. .com is of the latter kind. I'd think
> that because of the popularity of .com, the number of registrars for
> .com may easily be the largest for any domain.
> A registrar can select to only register a subset of the domain names
> offered by the registry they serve (a registrar in India could refuse to
> register Greek domain names because they don't understand the Greek
> script well enough to provide a good service), but they cannot register
> anything that the registry won't allow.
> The relationship between ICANN and each registry varies. For some very
> new registries, ICANN has a strong control via contracts that they set
> up when they agreed to the creation of that domain. For some others,
> they are just giving advice. This applies to most country code top level
> domains, and also to very traditional domains such as .com.
> > If this entity chooses to enforce confusables (does it?) then
> > *wherever* a domain is registered it cannot be confusable with an
> > existing domain name? To be precise, if my old example of ಅರಗ.com is
> > registered in India, then అరగ.com cannot be registered *anywhere in
> > the world*?
> Yes, of course. The domain name system is global. Each domain (starting
> with what you could call 0-level domain, which contains the top level
> domains) only has one controlling entity. Each domain resolves the same
> way all around the world. If something is registered with .com, then as
> soon as you register it, e.g. with a registrar in India, it gets
> registered in the registry, i.e. with VeriSign.
> Because .com is very global in use, when IDNA started (and even before
> experimentally), VeriSign was registering domain names in all kinds of
> scripts. For a long time, they also allowed registration of mixed-script
> names. This led to the "paypal scare", where a security researcher
> registered with a Cyrillic 'a'.
> While ICANN cannot do much more than provide advice to most registries,
> some browser makers (in particular Mozilla) have tried to evaluate the
> policy of each top-level registry with regards to internationalized
> domain names, and use this to decide whether to show the domain name
> with real characters or encoded (using punycode). If you try in Firefox,
> you will see that అరగ.com and అరగ.ru show as punycode, but అరగ.jp and
> అరగ.рф show as characters in the address bar. (None of them resolves, and
> in all cases, a "Network Error" page shows punycode.) For details,
> please see
> This
> may lead to pressure on the registries to create (or publish) and update
> their registry policies.
> Regards, Martin.

Hi. Thanks for this info Martin.
Some registries lodge tables of permitted characters at IANA; see:
(the one lodged for the .sa domain Arabic language is well thought-out I think:
both sets of digits are allowed but they are folded)
No table is lodged at IANA for any language for .com; however --
and thanks for directing me to Verisign for .com (I should have known Verisign was the registry too as I have a .com)
-- there are lists of permitted characters at Verisign (the other place you find tables of allowed characters besides IANA is the registry itself):

Here (from the same page) are Verisign's comments on similar-looking domain names (the example given is traditional and simplified Chinese domain names which may mean the same thing to some users):
". . . Verisign provides a list of permitted characters for some languages . . . - "
Verisign also uses language tags and requires that an IDN be associated with a specific language with a character set that can be identified by a language tag (thus no mixed-script spoofing -- and I think Martin's comments seem to say this was a past issue):
So one option would be, as Martin suggests, to contact Verisign regarding permitted characters for .com

--C. E. Whitehead
> #-# Martin J. Dürst, Professor, Aoyama Gakuin University
> #-#
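
An added example, not part of either message: a small Python check of the kind a registry or client could run on a label, reporting its scripts, whether it mixes them, its punycode form, and which form to display. The script lookup by Unicode character name, the `TRUSTED_TLDS` set (taken from what the message reports seeing in Firefox) and the Cyrillic sample label are assumptions made for illustration.

```python
import unicodedata

# Constructed sample: the TLDs the message reports Firefox showing as
# characters. An assumption for illustration, not Mozilla's real list.
TRUSTED_TLDS = {"jp", "рф"}

def scripts(label):
    """Approximate the scripts in a label from Unicode character names."""
    found = set()
    for ch in label:
        if ch.isalpha():  # digits and hyphen are shared across scripts
            found.add(unicodedata.name(ch).split()[0])
    return found

def ace(label):
    """ASCII-compatible (punycode) form of a single label."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def is_mixed(label):
    """True when the label's letters come from more than one script."""
    return len(scripts(label)) > 1

def display(label, tld):
    """Show characters only for a trusted TLD and a single-script label."""
    if tld in TRUSTED_TLDS and not is_mixed(label):
        return label
    return ace(label)

KANNADA = "ಅರಗ"          # label from the thread
TELUGU = "అరగ"           # its look-alike from the thread
MIXED = "p\u0430ypal"     # constructed: Latin letters plus Cyrillic U+0430

if __name__ == "__main__":
    for lab in (KANNADA, TELUGU, MIXED):
        kind = "mixed" if is_mixed(lab) else "single"
        print(ace(lab), sorted(scripts(lab)), kind)
    print(display(TELUGU, "com"), display(TELUGU, "jp"))
```

The mixed-script test flags the Latin/Cyrillic label, but the Kannada and Telugu labels are each single-script, so telling them apart takes a comparison against confusables data rather than a script check.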


