Non-English Domain Names Likely Delayed

Fergie (Paul Ferguson) fergdawg at netzero.net
Sun Jul 17 16:29:52 UTC 2005



Forwarded Message from Neil Harris <neil at tonal.clara.co.uk> ---

Fergie (Paul Ferguson) wrote:

>...sez Vint...due to the prevalence of phishing:
>
>http://www.msnbc.msn.com/id/8586332/
>
>- ferg
>
>

Paul,

I'm not registered as a poster on the Nanog list, so I thought I'd let 
you know that this problem is already well under control.

After extensive analysis and discussion, the Mozilla community and Opera 
have already produced a fix for this, based on only displaying Unicode 
IDN labels where the registry publishes and enforces well-defined 
anti-homograph policies, and displaying the Punycode equivalent 
otherwise. All that is needed is a couple of lines of code in the 
Punycode -> Unicode translation code in the application, and a whitelist 
of TLDs. See 
http://www.mozilla.org/projects/security/tld-idn-policy-list.html for 
more details. This delegates the responsibility of catching homographs 
to the registries, rather than trying to catch them using ad-hoc 
heuristics at the browser end.

In many cases, this can be as simple as restricting labels within a TLD 
to use a small set of non-confusable characters. In others, with wider 
character sets, techniques such as bundling and blocking sets of 
confusable labels using homograph tables can be used. RFC 3743 is a case 
in point. For an excellent summary of the technical details, which is 
intended to help anyone attempting to eliminate homographs from a naming 
system, see the latest, much-expanded, version of Unicode TR #36, which 
also links to machine-readable confusables tables. 
http://www.unicode.org/reports/tr36/

Already, some 21 TLDs are whitelisted, including .cn, .tw, a number of 
European ccTLDs, .museum, and .info. Any other registrars who want to be 
supported can simply E-mail Gerv at the Mozilla Foundation, or his Opera 
counterpart, and give them a pointer to their anti-spoofing rules.

You might want to summarize to the list.

-- Neil
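
The display rule described in the message above, sketched as an added example; it is not part of the original post and is not Mozilla's or Opera's code. The names `IDN_TLD_WHITELIST`, `decode_label` and `display_hostname` are hypothetical, the whitelist holds only the four TLDs the message names, and the round-trip and ASCII-only checks are extra safeguards assumed here rather than taken from the message.

```python
"""Added example: whitelist-gated IDN display (not Mozilla's or Opera's code)."""

# Assumption: only the TLDs named in the message; the real list is vendor-maintained.
IDN_TLD_WHITELIST = {"cn", "tw", "museum", "info"}
ACE_PREFIX = "xn--"


def decode_label(label: str) -> str:
    """Return the Unicode form of an ACE label, or the label unchanged if unsafe."""
    if not label.startswith(ACE_PREFIX):
        return label
    body = label[len(ACE_PREFIX):]
    try:
        decoded = body.encode("ascii").decode("punycode")
        # Reject non-canonical encodings and labels that decode to plain ASCII.
        if decoded.isascii() or decoded.encode("punycode").decode("ascii") != body:
            return label
    except ValueError:  # UnicodeError is a ValueError subclass
        return label
    return decoded


def display_hostname(host: str) -> str:
    """Show Unicode only under a whitelisted TLD; otherwise keep Punycode."""
    labels = host.rstrip(".").lower().split(".")
    if labels[-1] not in IDN_TLD_WHITELIST:
        return ".".join(labels)
    return ".".join(decode_label(label) for label in labels)


if __name__ == "__main__":
    # Constructed sample hostnames.
    for host in ("xn--bcher-kva.info", "xn--bcher-kva.com", "xn--abc-.info"):
        print(host, "->", display_hostname(host))
```
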



