Does anyone have anything useful to say to secsac on this? Reply to me; I'll forward.
------- Forwarded Message
Return-Path: <owner-secsac@icann.org>
Received: from 127.0.0.1 [127.0.0.1]
by localhost with IMAP (fetchmail-6.2.4)
for smb@localhost (single-drop); Tue, 14 Oct 2003 06:47:28 -0400 (EDT)
Received: via tmail-2000(13) for smb; Tue, 14 Oct 2003 06:44:35 -0400 (EDT)
Received: from mail-blue.research.att.com (mail-blue.research.att.com [135.207.30.102])
by bigmail.research.att.com (8.11.6+Sun/8.11.6) with ESMTP id h9EAiZZ18920
for <smb@bigmail.research.att.com>; Tue, 14 Oct 2003 06:44:35 -0400 (EDT)
Received: by mail-blue.research.att.com (Postfix)
id 8E1F0B8352; Tue, 14 Oct 2003 06:36:54 -0400 (EDT)
Delivered-To: smb@research.att.com
Received: by mail-blue.research.att.com (Postfix, from userid 612)
id 8084DB835A; Tue, 14 Oct 2003 06:36:54 -0400 (EDT)
Received: from janus (fpfw.research.att.com [135.207.1.2])
by mail-blue.research.att.com (Postfix) with SMTP id A50B3B8352
for <smb@research.att.com>; Tue, 14 Oct 2003 06:36:53 -0400 (EDT)
Received: from mail-pink.research.att.com ([192.20.225.111]) by janus; Tue, 14 Oct 2003 06:44:34 -0400 (EDT)
Received: from greenriver.icann.org (greenriver.icann.org [192.0.35.121])
by mail-pink.research.att.com (Postfix) with ESMTP id 1074E582CC
for <smb@research.att.com>; Tue, 14 Oct 2003 06:40:44 -0400 (EDT)
Received: (from majordomo@localhost)
by greenriver.icann.org (8.11.6/8.11.6) id h9EAhOB07538;
Tue, 14 Oct 2003 03:43:24 -0700
Received: from pechora.icann.org (pechora.icann.org [192.0.34.35])
by greenriver.icann.org (8.11.6/8.11.6) with ESMTP id h9EAhOb07535
for <secsac@greenriver.icann.org>; Tue, 14 Oct 2003 03:43:24 -0700
Received: from EXECDSL.COM (ns.execdsl.net [208.184.15.238])
by pechora.icann.org (8.11.6/8.11.6) with ESMTP id h9EAjDW16094
for <secsac@icann.org>; Tue, 14 Oct 2003 03:45:13 -0700
Received: from [66.92.150.17] (HELO SCROCKER)
by EXECDSL.COM (CommuniGate Pro SMTP 3.3)
with ESMTP id 5620069; Tue, 14 Oct 2003 06:43:23 -0400
From: "Steve Crocker" <steve@stevecrocker.com>
To: <secsac@icann.org>
Subject: [secsac] RE: Verisign SiteFinder DNS trickery and IDN
Date: Tue, 14 Oct 2003 06:42:41 -0400
Message-ID: <007b01c3923f$e49c7680$0affa8c0@SCROCKER>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
In-Reply-To: <Pine.GSO.4.58.0310132334010.5993@hilton.cec.wustl.edu>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300
Importance: Normal
X-MIME-Autoconverted: from quoted-printable to 8bit by greenriver.icann.org id h9EAhOb07536
Sender: owner-secsac@icann.org
Precedence: discussion
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by bigmail.research.att.com id h9EAiZZ18920
X-Spam-Status: No, hits=-6.3 required=5.0
tests=BAYES_10,IN_REP_TO,QUOTED_EMAIL_TEXT
version=2.55
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
SECSAC folks,
My goodness! See Dag Øien's message below re interaction betwene wild cards and IDN. This is definitely tangled.
It seems to me we need to ask VeriSign about this, but I don't enough
knowledge to pose the question or interpret the answer. Who is familiar
with the IDN impmlementation? John?
Thanks,
Steve
-----Original Message----- From: Ari E-B [mailto:Ari@Elias-Bachrach.com] Sent: Tuesday, October 14, 2003 12:36 AM To: steve@shinkuro.com; pmott@gwu.edu; galvin@elistx.com; mstjohns@mindspring.com Subject: Re: Verisign SiteFinder DNS trickery and IDN
Does the wildcard kill Internationalized domain names? and just for reference: http://www.ietf.org/internet-drafts/draft-hoffman-rfc3490bis-00.txt
On Thu, 25 Sep 2003, [ISO-8859-1] Dag Øien wrote:
HelloSiteFinder DNS
I would like you to investigate the confusion Verisign'trickery creates when the international internet communitynow is onthe brink of introducing IDN.more confusion
It seems to me that Verisign's DNS trickery will createfor developers trying to implement IDN into theirapplications and DNSresolvers.øien.net, which in
I own the domain oien.net. My last name is actually Øien with an O-slash, so I have also registered the domain nameresolves to someVerisign's IDN-testbed was encoded bq--ad4gszlo.net. However this domain name never actually resolved in DNS, but nowVerisign's DNSnon-functional Verisign service. bq--ad4gszlo.mltbd.net resolves in DNS to the correct hyp.net nameservers. By the way ofthe varioustrickery, DNS-queries to øien.net - using ISO-8859-1 charset in the query - currently resolves to some Verisign service. Soon bq--ad4gszlo.net is to be converted into the correct punycode translation: xn--ien-zna.net. After the conversion it may not yet resolve in DNS. Queries to www.bq--ad4gszlo.net might lead me to SiteFinder, perhaps - depending on the trcks employed by Verisign.
Trying to figure out DNS now requires one to keep track ofbusiness practice tricks implemented by Verisign. This isnot ideal innormal circumstances, and specially not now when the worldis finallyracing to implement IDN properly in DNS.the .com
My opinion is that Verisign is a threat to the stability ofand .net zones, and that their tricks combined with theintroductionmislead peopleof IDN risk returning ambiguous or incorrect data in a time of critical importance for the implementation of IDN, andto non-functional Verisign web-services confusing potentialusers evenmore.should as soon
This is a scandal, really. My opinion is that Verisign should immidiately ordered to stop their DNS-trickeries, andas possible be relieved of their duties maintaining theroot zones for.com and .net.
regards
Dag Øien, Oslo, Norway
------- End of Forwarded Message
--Steve Bellovin, http://www.research.att.com/~smb