Re: [apps-discuss] CONTEXTJ in TLD DNS-Labels (draft-liman-tld-names-05)

"Martin J. Dürst" <duerst@it.aoyama.ac.jp> Wed, 20 July 2011 07:42 UTC

Message-ID: <4E268688.9040209@it.aoyama.ac.jp>
Date: Wed, 20 Jul 2011 16:40:56 +0900
From: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
Organization: Aoyama Gakuin University
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.9) Gecko/20100722 Eudora/3.0.4
MIME-Version: 1.0
To: Patrik Fältström <patrik@frobbit.se>
References: <B464B2C6607E04FD0572AA74@192.168.1.128> <CANp6Ttw4MaAJy2VRvZ8929oBju9jL3b69PkSyFLi-SC4YaNTnw@mail.gmail.com> <5AC1318B-A219-4056-BD14-C90BEE85669E@frobbit.se> <8159C20D-BF2B-42CB-9529-C870A2AD1572@vpnc.org> <E7E5E31E-89E7-46AF-9FA8-6CFD8F661376@frobbit.se> <C6CF1575-D301-4802-B877-8130781B268B@vpnc.org> <640EE2B8-AB0B-40E5-9815-4A6A5E20FA79@frobbit.se>
In-Reply-To: <640EE2B8-AB0B-40E5-9815-4A6A5E20FA79@frobbit.se>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, apps-discuss <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] CONTEXTJ in TLD DNS-Labels (draft-liman-tld-names-05)

On 2011/07/20 15:34, Patrik Fältström wrote:
>
> On 19 jul 2011, at 21.49, Paul Hoffman wrote:
>
>> We have already seen the perceived need for these characters in the root zone, and we have not seen any statement of how they can cause harm *in the root zone*. "Phishing" in the root zone, given the horrendous weight of the process for getting new names put in the root zone, is not a threat. Which others do you believe need to be weighed against the value of the characters?
>
> Yes, phishing in the root zone. People putting URLs on web pages that you click on.
>
> It is tons of code easier in various applications to "know" that a code point is either allowed or not allowed in the TLD than having context dependent rules, which otherwise are the option.
>
> So the question is whether security software can filter out URLs with ZWNJ in the TLD as dangerous or not.

I'm with Paul on this here. The root zone is really special. Look at .py 
(Paraguay) vs. .ру (Cyrillic, .ru when transliterated to Latin, probably 
the first candidate everybody was thinking about for Russia) and .рф 
(Cyrillic again, .rf when transliterated, standing for 'Russian 
Federation').

Phishing wasn't avoided by any specific rule except "check 
manually/visually if there's a potential for confusion, and if there is, 
try something else".

Labels in a TLD position that contain a ZWNJ either exist in the 
root zone, or they do not. If they do not actually exist in the 
root zone, then there is no danger of phishing. If they do actually 
exist, then they either have been checked using the rule in the 
previous paragraph, or they haven't been checked. If they have been 
checked, then they can't be used for phishing (*). If they haven't been 
checked, then there's a potential for phishing, but that's because due 
diligence was neglected, completely independent of ZWNJ.

The draft in question basically says: "We had this implicit rule that 
TLDs don't contain digits or hyphens. For IDNs, we need to relax it on 
the A-Label level, but introduce it on the U-Label level." It then goes 
and translates that into "general category { Ll, Lo, Lm, Mn }". This 
essentially means that virtually nobody in the IETF or ICANN (and very 
few people on the Unicode side) can understand that, or can judge the 
consequences. Also, while I don't think there is any need whatsoever to 
have TLDs with digits in them, I don't really see any technical need to 
prohibit those (except for all-digit TLDs, which would be a really bad 
idea).

Regards,   Martin.


(*) There's also the case that people confuse totally different things 
by accident and get phished that way. An example would be somebody 
spamming www.aoyama.ac.jp with www.aoyama.ac.ja (jp vs. ja). But this 
kind of stuff is already possible now, and excluding ZWNJ doesn't make 
it better.
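Two checks are discussed in this thread: the draft's per-code-point category rule for TLD U-labels ("general category { Ll, Lo, Lm, Mn }", which excludes ZWNJ, digits and hyphens) and the manual "check visually for confusion" step that kept .ру out of the root next to .py. The following is an added Python example, not code from the draft or from any participant in the thread. It assumes the category rule is applied per code point after NFC normalisation, and it uses a deliberately tiny, constructed homoglyph table rather than the full Unicode confusables data; `tld_of_url` is a helper added here to show the URL-level filtering Patrik asks about.

```python
import unicodedata
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# The draft's U-label restriction as paraphrased in the message. Assumption:
# applied to every code point of the NFC-normalised label.
ALLOWED_CATEGORIES = {"Ll", "Lo", "Lm", "Mn"}
ZWNJ, ZWJ = "\u200c", "\u200d"  # CONTEXTJ code points (general category Cf)

# Constructed, intentionally small homoglyph table: Cyrillic lowercase letters
# that render like Latin ones. A real check would use Unicode's confusables
# data; this is only enough to reproduce the .py vs .ру case from the thread.
CONFUSABLE_TO_LATIN: Dict[str, str] = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y",
}


def check_tld_ulabel(label: str) -> Dict[str, object]:
    """Apply the category rule to a candidate TLD U-label.

    Returns the normalised label, whether it passes, the offending code points
    (as (code point, name, category) tuples) and whether it carries a joiner.
    """
    label = unicodedata.normalize("NFC", label)
    offending: List[Tuple[str, str, str]] = []
    for ch in label:
        cat = unicodedata.category(ch)
        if cat not in ALLOWED_CATEGORIES:
            offending.append((f"U+{ord(ch):04X}",
                              unicodedata.name(ch, "<unnamed>"), cat))
    return {
        "label": label,
        "allowed": not offending,
        "offending": offending,
        "contains_joiner": ZWNJ in label or ZWJ in label,
    }


def skeleton(label: str) -> str:
    """Map each code point to its Latin look-alike (if we know one)."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch)
                   for ch in unicodedata.normalize("NFC", label))


def confusable_with(label: str, existing_tlds) -> Optional[str]:
    """The manual 'does this look like something already in the root?' check,
    done mechanically: return the existing TLD whose skeleton matches."""
    sk = skeleton(label)
    for tld in existing_tlds:
        if tld != label and skeleton(tld) == sk:
            return tld
    return None


def tld_of_url(url: str) -> str:
    """Extract the last host label of a URL, so a filter can inspect only the TLD."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host.rsplit(".", 1)[-1] if host else ""


def url_tld_report(url: str, existing_tlds) -> Dict[str, object]:
    """Combine both checks for the TLD of a URL."""
    tld = tld_of_url(url)
    report = check_tld_ulabel(tld)
    report["confusable_with"] = confusable_with(report["label"], existing_tlds)
    return report


if __name__ == "__main__":
    # Constructed sample zone and candidates; not the real root zone.
    zone = {"py", "ru", "com", "jp"}
    for cand in ["py", "\u0440\u0443", "\u0440\u0444", "co2", "ab-c",
                 "ab" + ZWNJ + "cd"]:
        r = check_tld_ulabel(cand)
        print(repr(cand), "allowed" if r["allowed"] else "rejected",
              r["offending"], "confusable with:", confusable_with(cand, zone))
    print(url_tld_report("http://www.example.\u0440\u0443/login", zone))
```

The category rule rejects ZWNJ for the same reason it rejects a digit or a hyphen (wrong general category), which is Patrik's point that a flat allowed/not-allowed test is simpler than context rules; the skeleton check is Martin's point that the real defence in the root is comparison against what already exists, and it fires on .ру versus .py whether or not any joiner is involved.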