Re: [idn] who should be doing IDN filtering
At 9:58 AM +0000 2/17/05, Adam M. Costello wrote:
> I think registries should be doing filtering, but I don't think browsers
> should depend on it, because it's already too late, as the paypal
> example proves. I think browsers (and in general, applications that
> receive domain names from untrusted sources and display them to the user
> as IDNs) ought to provide a second line of defense by trying to expose
> suspicious domain names.

I fully agree with Adam here. If there is no way to enforce
registries doing the right thing (and ICANN has shown no ability to
enforce nearly anything), then relying on them for security is silly.
This is particularly true if some registries pay more attention to
their customers who want to pay for mixed-script domain names than
they pay to ICANN.

> > ...assuming we can make the language tag available via some dns tricks or
> > some API...
>
> I don't see that happening. The IDN working group decided quite
> deliberately that domain names would not contain any meta-info like
> language tags; they're just text strings.

Right. If you want to re-engineer the IDN bits-on-the-wire protocol
in ways that were considered and rejected, feel free to submit a new
Internet Draft and see if there is community interest.

> Still, I expect that some not-terribly-complex heuristics, based only
> on the bare character strings, could go a long way toward exposing
> suspicious domain names.

Reducing phishing is sufficient because we can never eliminate it.
--Paul Hoffman, Director
--Internet Mail Consortium
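
Added example, not part of the original message or of any browser's code: one string-only heuristic of the kind discussed above, which decodes each label of a domain name and reports labels that mix scripts. The function names and the allow-list are hypothetical, and script membership is approximated from Unicode character names because the Python standard library has no Script property.

```python
import unicodedata

# Script mixes that occur in ordinary writing (assumption: minimal allow-list).
ALLOWED_MIXES = [{"CJK", "HIRAGANA", "KATAKANA"}]

def script_of(ch):
    """Rough script bucket taken from the first word of the Unicode name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"      # digits, hyphen
    if unicodedata.category(ch).startswith("M"):
        return "COMMON"                                   # combining marks
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "UNKNOWN"

def decode_label(label):
    """Turn an ACE label (xn--...) back into Unicode; pass others through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def suspicious_labels(domain):
    """Return [(unicode_label, sorted_scripts)] for labels that mix scripts."""
    flagged = []
    for raw in domain.rstrip(".").split("."):
        try:
            label = decode_label(raw)
        except UnicodeError:
            flagged.append((raw, ["UNDECODABLE"]))        # malformed ACE label
            continue
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1 and not any(scripts <= ok for ok in ALLOWED_MIXES):
            flagged.append((label, sorted(scripts)))
    return flagged

if __name__ == "__main__":
    # Constructed sample: Latin "paypal" with U+0430 CYRILLIC SMALL LETTER A.
    spoof = "xn--" + "p\u0430ypal".encode("punycode").decode("ascii") + ".com"
    for name in (spoof, "paypal.com"):
        print(name, suspicious_labels(name))
```

A label written entirely in one script passes this check, so it catches only the mixed-script case.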