Re: [idn] Re: nameprep, IDN spoofing and the registries

From: Erik van der Poel (erik@vanderpoel.org)
Date: Tue Feb 22 2005 - 11:41:37 CST

Next message: Hans Aberg: "Re: [idn] IDN spoofing"

Previous message: Asmus Freytag: "Re: mail archives (was: wiki?)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Mail actions: [ respond to this message ] [ mail a new topic ]

>>As George points out, the registries are going to have to start
>>filtering IDN lookalikes, otherwise they will eventually face
>>lawsuits from the "big boys" (as George so delightfully puts it).
>
> Quite the opposite: according to our lawyer, if the process is
> completely automatic (no human eyes involved), you can disclaim any
> responsability. But if you do screen, you accept a liability if the
> screening fails (and it will fail, trying to catch homographs is an
> hopeless task).
>
> I seriously doubt that european registries, which all moved from a
> "screen every domain to check if it is legal" model to a "accept
> anything" model in the '90s will go back...

Chuckle. That's funny. Here I am telling a mathematician to think more
like a network engineer, then I turn around and say something about law
even though I'm not a lawyer!

Seriously, I did not say that human eyes would do the filtering (though
of course humans would have to come up with the policies and code to do
the filtering).

So, if a registry can claim that it can disclaim responsibility for
spoofing *because* it is using an automatic registration process, then
wouldn't it be possible for someone (or a class action) to claim that
their automatic process isn't good enough? I mean, we all know where the
obvious homographs are, and any engineer can tell you that it is easy to
write a program to generate all the spoofs from those, or to filter them.

This may be a gray area that I believe Peter may have been referring to
when he said that in some countries it might be possible to force the
registry to change.

As it turns out, mozilla.org has also discussed the idea that Mozilla
may not want to try to solve the IDN spoofing problem, since it cannot
accept the legal responsibility for doing so.

Is the Unicode Consortium now also going to say "Sorry, we cannot
provide homograph tables because we cannot be held responsible for any
spoofing that may occur."?

Is everyone just going to pass the buck? How sad.

By the way, not all European registries "accept anything". Some of them
are checking a character inclusion table to see if the domain name is
allowed. What do you say to this?

Erik

Next message: Hans Aberg: "Re: [idn] IDN spoofing"
Previous message: Asmus Freytag: "Re: mail archives (was: wiki?)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2.1.5 : Tue Feb 22 2005 - 11:42:19 CST