From: Erik van der Poel (erik@vanderpoel.org)
Date: Mon Feb 21 2005 - 13:02:20 CST
>>> All that this shows is that there is no easy answer to the spoofing
>>> problem. At least, a simplistic ban on mixed scripts doesn't work. A
>>> confusables mapping might provide a solution, but I have seen no good
>>> suggestions on how this might be presented to an end user.
>>
>> I have high hopes for Neil Harris' algorithm, involving looking for
>> strings that consist entirely of homographs, within a context where
>> those would not be expected. The feedback to the user could be to
>> simply leave those domain names in Punycode form. Hopefully, the user
>> will look at the domain name before typing in a credit card number.
>
> A good algorithm would certainly help. But presenting Punycode versions
> to the user would not. In fact it would be counter-productive in a
> Cyrillic environment, because an all-ASCII spoof (e.g. pycckoe.ru) of a
> genuine Cyrillic name would appear unchanged in Punycode and so look
> like the real thing, whereas the real thing would become unreadable
> Punycode.
The .ru TLD is indeed a very interesting case (setting aside .com for
now). I would be very interested to hear what .ru has already done
and/or what they are thinking for the future (wrt IDN).

Peter, I hope that you have also been reading George Gerrity's recent
email on this list. Also an interesting discussion.

I currently see 2 ways to proceed. (There may be others.) One is to
simply disallow (in the registry) the Cyrillic Unicodes that look
similar to ASCII glyphs. The other is to bundle and/or block, as
described in George's email and Klensin's Internet Draft:
http://www.ietf.org/internet-drafts/draft-klensin-reg-guidelines-06.txt

Of course, all this still only addresses the registries. We still have
to consider the apps. Neil's solution may fit the bill as is, or it may
need some more tweaking to address cases like .ru. Neil?

Erik
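An added example, not code from this thread or from any of the people in it: a context-aware version of the "all homographs" check discussed above, generalised so the expected script depends on the TLD. It assumes a small constructed Cyrillic/Latin lookalike table and a constructed per-TLD script map, and it reproduces the pycckoe.ru case, where a flagged all-ASCII label renders unchanged in Punycode.

```python
# Constructed subset of Cyrillic letters whose lowercase glyphs look like
# Latin ones (assumption: a real user agent would use full confusables data).
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u043a": "k",
    "\u0456": "i", "\u0458": "j",
}
LATIN_TO_CYRILLIC = {v: k for k, v in CYRILLIC_TO_LATIN.items()}

# Assumption: the script a reader expects to see under each TLD.
EXPECTED_SCRIPT = {"com": "LATIN", "ru": "CYRILLIC"}


def all_homographs(label, expected):
    """True when every letter of the label comes from the *other* script
    but has a lookalike in the expected one, i.e. the label is visually
    indistinguishable from something spelled in the expected script.
    A mixed label (some letters genuinely in the expected script) is
    not caught here; that is the limitation the thread discusses."""
    table = CYRILLIC_TO_LATIN if expected == "LATIN" else LATIN_TO_CYRILLIC
    letters = [c for c in label if c.isalpha()]
    return bool(letters) and all(c in table for c in letters)


def display_form(domain):
    """Decide how a user agent might render a domain.  Flagged labels are
    left in Punycode (the feedback described above); returns
    (flagged, rendered).  For an all-ASCII spoof the Punycode form is the
    input itself, which is exactly Peter's objection for .ru."""
    labels = domain.lower().split(".")
    tld = labels[-1]
    expected = EXPECTED_SCRIPT.get(tld, "LATIN")
    flagged = False
    rendered = []
    for label in labels[:-1]:
        if all_homographs(label, expected):
            flagged = True
            # Python's idna codec applies nameprep + Punycode, adding xn--
            rendered.append(label.encode("idna").decode("ascii"))
        else:
            rendered.append(label)
    rendered.append(tld)
    return flagged, ".".join(rendered)


if __name__ == "__main__":
    for name in ("русское.ru", "pycckoe.ru", "русское.com", "paypal.com"):
        print(name, "->", display_form(name))
```

Under a .com context the genuine Cyrillic label is flagged and shown as Punycode; under .ru it is shown as-is, while the Latin spoof is detected by the symmetric check but its "Punycode" rendering is unchanged, so detection alone does not give the user a usable signal there.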
This archive was generated by hypermail 2.1.5 : Mon Feb 21 2005 - 13:03:52 CST