Re: [apps-discuss] CONTEXTJ in TLD DNS-Labels (draft-liman-tld-names-05)
"Martin J. Dürst" <duerst@it.aoyama.ac.jp> Wed, 20 July 2011 07:42 UTC
To: Patrik Fältström <patrik@frobbit.se>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, apps-discuss <apps-discuss@ietf.org>

On 2011/07/20 15:34, Patrik Fältström wrote:
>
> On 19 jul 2011, at 21.49, Paul Hoffman wrote:
>
>> We have already seen the perceived need for these characters in the root zone, and we have not seen any statement of how they can cause harm *in the root zone*. "Phishing" in the root zone, given the horrendous weight of the process for getting new names put in the root zone, is not a threat. Which others do you believe that need to be weighed against the value of the characters?
>
> Yes, phishing in the root zone. People putting URLs on web pages that you click on.
>
> It is tons of code easier in various applications to "know" that a code point is either allowed or not allowed in the TLD than having context dependent rules that otherwise is the option.
>
> So the question is whether security software can filter out URLs with ZWNJ in the TLD as dangerous or not.

I'm with Paul on this here. The root zone is really special. Look at .py (Paraguay) vs. .ру (Cyrillic, .ru when transliterated to Latin, probably the first candidate everybody was thinking about for Russia) and .рф (Cyrillic again, .rf when transliterated, standing for 'Russian Federation'). Phishing wasn't avoided by any specific rule except "check manually/visually if there's a potential for confusion, and if there is, try something else".

Labels in a TLD position that contain a ZWNJ are either existing in the root zone, or they are not. If they are not actually existing in the root zone, then there is no danger of phishing. If they are actually existing, then they either have been checked using the rule in the previous paragraph, or they haven't been checked. If they have been checked, then they can't be used for phishing (*). If they haven't been checked, then there's a potential for phishing, but that's because due diligence was neglected, completely independent of ZWNJ.

The draft in question basically says: "We had this implicit rule that TLDs don't contain digits or hyphens. For IDNs, we need to relax it on the A-Label level, but introduce it on the U-Label level." It then goes and translates that into "general category { Ll, Lo, Lm, Mn }". This essentially means that virtually nobody in the IETF or ICANN (and very few people on the Unicode side) can understand that, or can judge the consequences.

Also, while I don't think there is any need whatsoever to have TLDs with digits in them, I don't really see any technical need to prohibit those (except for all-digit TLDs, which would be a really bad idea).

Regards, Martin.

(*) There's also the case that people confuse totally different things by accident and get phished that way. An example would be somebody spamming www.aoyama.ac.jp with www.aoyama.ac.ja (jp vs. ja). But this kind of stuff is already possible now, and excluding ZWNJ doesn't make it better.
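
The two checks discussed in this message, as an added example (not part of the original e-mail or of draft-liman-tld-names): the context-free category test the message quotes from the draft, next to a lookup against the set of delegated TLDs. The `DELEGATED` set, the sample hostnames and the name-based script heuristic are constructed for illustration.

```python
import unicodedata

# Category set as quoted in the message from draft-liman-tld-names-05.
DRAFT_CATEGORIES = {"Ll", "Lo", "Lm", "Mn"}

# Constructed stand-in for the real list of delegated TLDs (assumption).
DELEGATED = {"py", "jp"}


def tld_of(hostname):
    """Return the right-most label of an ASCII-dot-separated hostname."""
    return hostname.rstrip(".").rsplit(".", 1)[-1].lower()


def violations(label):
    """Code points outside the quoted set, as (index, U+XXXX, category)."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.category(ch))
            for i, ch in enumerate(label)
            if unicodedata.category(ch) not in DRAFT_CATEGORIES]


def scripts(label):
    """Rough script guess from the first word of each character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if unicodedata.category(ch) != "Cf"}


def assess(hostname, delegated=DELEGATED):
    """Combine the membership lookup with the context-free category test."""
    tld = tld_of(hostname)
    return {"tld": tld, "delegated": tld in delegated,
            "violations": violations(tld), "scripts": scripts(tld)}


if __name__ == "__main__":
    samples = [  # constructed sample hostnames
        "www.example.py",                                    # Latin
        "www.example.\u0440\u0443",                          # Cyrillic
        "www.example.\u0646\u0627\u0645\u200c\u0647\u0627",  # Arabic + ZWNJ
        "www.aoyama.ac.ja",                                  # footnote case
        "www.example.a1-b",                                  # digit, hyphen
    ]
    for host in samples:
        print(assess(host))
```

Both `py` and `ру` pass the category test, so that test says nothing about the visual-confusion case the message describes. The ZWNJ label fails it only because U+200C has general category Cf, and `ja` is caught by the membership lookup alone.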