From: CE Whitehead (cewcathar@hotmail.com)
Date: Tue Nov 30 2010 - 18:27:47 CST
 
> Date: Tue, 30 Nov 2010 15:33:03 +0900
> From: duerst@it.aoyama.ac.jp
> To: samjnaa@gmail.com
> CC: mark@macchiato.com; Shawn.Steele@microsoft.com; unicode@unicode.org; mmanivannan@gmail.com
> Subject: Re: Phishing and enforcing Confusables.txt
> 
> On 2010/11/30 5:01, Shriramana Sharma wrote:
> > On Mon, Nov 29, 2010 at 11:24 PM, Mark Davis ☕<mark@macchiato.com> wrote:
> >> By "registry" I mean at any level. So just as .com regulates everything of
> >> the form xxx.com, the entity responsible for .blogspot.com controls
> >> everything of the form xxx.blogspot.com. Thus there are literally millions
> >> of registries.
> >
> > Just so that nobody gets frightened and accuses Unicode of making
> > security problems for their script -- the above comment only means
> > that for all (of the millions of) websites example.com the owners of
> > example.com have the power to ensure that XXX.example.com is NOT
> > confusable with YYY.example.com. And the .com registry owners have the
> > same power to ensure that example.com is not confusable with
> > example2.com...
> >
> > Now the question is, is there only one owner of .com? ICANN? Who?
> 
> "Owner" is a difficult term in the context of domain names. If the 
> question is who is currently in control of .com, then this is easy to 
> answer. The official list of all the top level registries is at:
> http://www.iana.org/domains/root/db/
> There you see that VeriSign Global Registry Services is in charge.
> http://www.iana.org/domains/root/db/com.html will give you more details.
> 
> Ken mentioned registrars, but these are the front ends dealing with 
> customer service,... Actual control is with the registries. A registrar 
> can never register something that the registry in charge will not allow. 
> There are some top level registries that also serve as their only 
> registrars, and on the other hand, there are some top level registries 
> that are served by many registrars. .com is of the latter kind. I'd think 
> that because of the popularity of .com, the number of registrars for 
> .com may easily be the largest for any domain.
> 
> A registrar can select to only register a subset of the domain names 
> offered by the registry they serve (a registrar in India could refuse to 
> register Greek domain names because they don't understand the Greek 
> script well enough to provide a good service), but they cannot register 
> anything that the registry won't allow.
> 
> The relationship between ICANN and each registry varies. For some very 
> new registries, ICANN has a strong control via contracts that they set 
> up when they agreed to the creation of that domain. For some others, 
> they are just giving advice. This applies to most country code top level 
> domains, and also to very traditional domains such as .com.
> 
> > If this entity chooses to enforce confusables (does it?) then
> > *wherever* a domain is registered it cannot be confusable with an
> > existing domain name? To be precise, if my old example of ಅರಗ.com is
> > registered in India, then అరగ.com cannot be registered *anywhere in
> > the world*?
> 
> Yes, of course. The domain name system is global. Each domain (starting 
> with what you could call 0-level domain, which contains the top level 
> domains) only has one controlling entity. Each domain resolves the same 
> way all around the world. If something is registered with .com, then as 
> soon as you register it, e.g. with a registrar in India, it gets 
> registered in the registry, i.e. with VeriSign.
> 
> Because .com is very global in use, when IDNA started (and even before 
> experimentally), VeriSign was registering domain names in all kinds of 
> scripts. For a long time, they also allowed registration of mixed-script 
> names. This led to the "paypal scare", where a security researcher 
> registered paypal.com with a Cyrillic 'a'.
> 
> While ICANN cannot do much more than provide advice to most registries, 
> some browser makers (in particular Mozilla) have tried to evaluate the 
> policy of each top-level registry with regards to internationalized 
> domain names, and use this to decide whether to show the domain name 
> with real characters or encoded (using punycode). If you try in Firefox, 
> you will see that అరగ.com and అరగ.ru show as punycode, but అరగ.jp and 
> అరగ.рф show as characters in the address bar. (None of them resolves, and 
> in all cases, a "Network Error" page shows punycode.) For details, 
> please see 
> http://www.mozilla.org/projects/security/tld-idn-policy-list.html. This 
> may lead to pressure on the registries to create (or publish) and update 
> their registry policies.
> 
> Regards, Martin.
> 
 
Hi. Thanks for this info, Martin.
Some registries lodge tables of permitted characters at IANA; see:
http://www.iana.org/domains/idn-tables/
 
(the one lodged for the .sa domain, Arabic language, is well thought-out I think:
http://www.iana.org/domains/idn-tables/tables/sa_ar_1.0.html
both sets of digits are allowed but they are folded)
 
No table is lodged at IANA for any language for .com; however --
and thanks for directing me to Verisign for .com (I should have known Verisign was the registry too, as I have a .com)
-- there are lists of permitted characters at Verisign (the other place you find tables of allowed characters besides IANA is the registry itself):
http://www.verisign.com/domain-name-services/domain-information-center/idn-domains/character-variants/
Here (from the same page) are Verisign's comments on similar-looking domain names (the example given is traditional and simplified Chinese domain names, which may mean the same thing to some users):
". . . Verisign provides a list of permitted characters for some languages . . . - "
Verisign also uses language tags and requires that an IDN be associated with a specific language with a character set that can be identified by a language tag (thus no mixed-script spoofing -- and I think Martin's comments seem to say this was a past issue):
http://www.verisign.com/domain-name-services/domain-information-center/domain-name-resources/idn-valid-language-tags.pdf
 
So one option would be, as Martin suggests, to contact Verisign regarding permitted characters for .com.
Best,
 
--C. E. Whitehead
cewcathar@hotmail.com 
> #-# Martin J. Dürst, Professor, Aoyama Gakuin University
> #-# http://www.sw.it.aoyama.ac.jp mailto:duerst@it.aoyama.ac.jp
> 
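The two checks discussed in this thread, as an added example that is not part of the original messages: a registry-side mixed-script test and a browser-side choice between characters and punycode based on a per-TLD allowlist. The script lookup by Unicode name prefix, the function names and the two-entry allowlist are assumptions made for illustration.

```python
import unicodedata

# Assumption: a character's script is approximated by the first word of its
# Unicode name, because the standard library exposes no Script property.
def scripts(label):
    found = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue  # digits and hyphen are treated as script-neutral here
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def is_mixed_script(label):
    return len(scripts(label)) > 1

def to_ace(label):
    """ASCII-compatible (punycode) form of one label."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

# Constructed allowlist holding only the two TLDs the message reports as
# displayed in characters (.jp and .рф); it is not Mozilla's real list.
DISPLAY_UNICODE_TLDS = {"jp", "\u0440\u0444"}

def address_bar(domain):
    labels = domain.split(".")
    if labels[-1] in DISPLAY_UNICODE_TLDS:
        return domain
    return ".".join(to_ace(label) for label in labels)

SPOOF = "p\u0430ypal"            # Latin letters with Cyrillic U+0430
KANNADA = "\u0c85\u0cb0\u0c97"   # the thread's Kannada label
TELUGU = "\u0c05\u0c30\u0c17"    # the thread's Telugu look-alike

if __name__ == "__main__":
    for label in (SPOOF, KANNADA, TELUGU):
        print(to_ace(label), sorted(scripts(label)), is_mixed_script(label))
    for tld in ("com", "ru", "jp", "\u0440\u0444"):
        print(address_bar(TELUGU + "." + tld))
```

The Kannada and Telugu labels each pass the mixed-script test, so telling that pair apart needs a confusables mapping rather than a script check.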
                                               
This archive was generated by hypermail 2.1.5 : Tue Nov 30 2010 - 18:32:42 CST