[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [idn] Chinese Domain Name Consortium (CDNC)Declaration
- To: Dave Crocker <dhc@dcrocker.net>,"Steven M. Bellovin" <smb@research.att.com>
- Subject: Re: [idn] Chinese Domain Name Consortium (CDNC)Declaration
- From: John C Klensin <klensin@jck.com>
- Date: Mon, 04 Feb 2002 11:01:15 -0500
- Cc: Elisabeth Porteneuve <Elisabeth.Porteneuve@cetp.ipsl.fr>,Marc.Blanchet@viagenie.qc.ca, ajm@icann.org, erin@twnic.net.tw, fred@cisco.com, harald@alvestrand.no,htk@eecs.harvard.edu, iab@ISI.EDU, idn@ops.ietf.org, iesg@ietf.org, jet-member@nic.ad.jp,jseng@pobox.org.sg, lynn@icann.org, mkatoh@mkatoh.net, mkatoh@wdc.fujitsu.com, mouhamet@next.sn,narten@us.ibm.com, nordmark@eng.sun.com, paf@cisco.com, phoffman@imc.org, qhhu@public.bta.net.cn,sharil@cmc.gov.my, shkyong@kgsm.kaist.ac.kr, vcerf@mci.net, alanysho@hkdnr.net.hk,christine.tsang@hkdnr.net.hk, deng@cnnic.net.cn, hlqian@cnnic.net.cn, hoho@iis.sinica.edu.tw,huangk@alum.sinica.edu, jasonho@umac.mo, lee@whale.cnnic.net.cn, mao@cnnic.net.cn, snw@twnic.net.tw,sstseng@twnic.net.tw, tsenglm@cc.ncu.edu.tw, whzhang@cnnnic.net.cn, wschen@twnic.net.tw,wuch@gate.sinica.edu.tw, yktham@umac.mo
- In-reply-to: <5.1.0.14.2.20020204073729.01b04328@127.0.0.1>
- References: <5.1.0.14.2.20020204073729.01b04328@127.0.0.1>
Dave,
I agree that there is no new risk here. The question is whether
or not it is desirable to expand that risk, perhaps into
populations that are less sensitive to it because they would,
naturally, be more trusting of texts that appear to be written
in their own languages (after not having seen those before).
And the answer to that question, I believe, must involve
weighing the tradeoffs between the value of the expanded name
space and the costs of the expanded risk. Believing that
question/ tradeoff is easy or obvious, is, I believe, naive,
regardless of the conclusion on reaches about the question
itself.
And I would hope that relevant documents coming out of the WG
would explicitly alert people to these risks.
john
--On Monday, 04 February, 2002 07:40 -0800 Dave Crocker
<dhc@dcrocker.net> wrote:
> Steve,
>
> At 09:35 PM 2/3/2002 -0500, Steven M. Bellovin wrote:
>> There'a a good discussion of the security risks of the code
>> point problem at
>> http://www.csl.sri.com/users/neumann/insiderisks.html#140
>
> homographic attacks are not new with the IDN effort.
>
> for example, MICROS0FT.COM was done.
>
> For that matter, choice of different top-level domains permits
> a degree of homographic attack. Try looking at dnso.com,
> rather than dnso.org. (No, this approach does not qualify
> precisely as homographic, but it takes advantage of a small
> difference from the real name, hoping that users will not
> notice. And it does work.)
>
> Hence, the IDN work does not introduce a new risk.
>
> d/