Re: [idn] punctuation

John C Klensin <klensin@jck.com> Thu, 24 February 2005 22:27 UTC

Date: Thu, 24 Feb 2005 17:22:35 -0500
From: John C Klensin <klensin@jck.com>
To: Erik van der Poel <erik@vanderpoel.org>
cc: tedd <tedd@sperling.com>, idn@ops.ietf.org
Subject: Re: [idn] punctuation
Message-ID: <0E7F74C71945B923C52211F3@scan.jck.com>
In-Reply-To: <421E30F2.1040408@vanderpoel.org>
References: <421B8484.3070802@vanderpoel.org> <20050223072837.GA21463~@nicemice.net> <D872CCF059514053ECF8A198@scan.jck.com> <421D8411.9030006@vanderpoel.org> <p06210208be4390618c81@[192.168.0.101]> <421E0D0C.2000309@vanderpoel.org> <p06210202be43c3888991@[192.168.0.101]> <E07CE813AD23B2D95DA0C740@scan.jck.com> <421E30F2.1040408@vanderpoel.org>


--On Thursday, 24 February, 2005 11:54 -0800 Erik van der Poel
<erik@vanderpoel.org> wrote:

> John C Klensin wrote:
>> We can try
>> to restrict characters that are clearly dangerous, adopting,
>> if necessary, a view that the fact someone wants to register
>> or use a particular string doesn't mean that they are
>> entitled to do so.
> 
> You can write RFCs, move them to STD status, and jump up and
> down all you want, but you can't stop domain name owners from
> creating "deep" sub-domains with deceptive names that make the
> important part of the name go off the end of the display area.

Of course not.  But there are several separate problems here.
For example:

	(i) No one _makes_ an application author write things so
	that "go off the end of the display area" is an option.
	It may or may not be worth it, but there are all sorts
	of ways to design a UI so that things wrap, scroll,
	pop-up, warn, or are otherwise accessible from end to
	end.  It seems to me that convincing your favorite
	applications author to not let long FQNS disappear
	off-screen is likely to be a lot easier than turning
	domain names around (see below).
	
	(ii) The Internet has never had a presentation layer,
	and the IETF and its predecessors have never tried to
	standardize one or what happens in it.  To some extent,
	many of the issues with URIs/IRIs, IDNs, etc., suggest
	that may have been a mistake.  But we just haven't gone
	in that direction and starting to do so now would be a
	pretty big deal.  A presentation layer might solve this
	problem because a user could then specify how various
	things are to be displayed.  Without it, and without
	common operating system or utility library interfaces
	for these things that everyone uses, one risks having
	one application use one display order and another
	application, on the same host and for the same user, use
	a different one.    That would create a mess and its own
	set of risks; see below.

>> We
>> can use the UDRP and/or the legal system in various countries
>> to push back on those who register deceptive names and on the
>> registrars and registries that encourage the registration of
>> such names.
> 
> The registrars and registries are not the problem. The domain
> name owners are. If a poor individual has created a deceptive
> name that hurts a huge company, that company may go after
> Microsoft (since it has deep pockets) instead of the poor
> person.

As I have said before, there is no magic bullet solution to this
group of problems.  And, for the zones that are under their
control, the registries are the problem (for some part of the
broader problem) because they are in a position to prohibit
unacceptable registrations .. as they have done for years in
prohibiting names that aren't "hostname" (LDH)-conformant.  That
conformance is not now, and has never been, a DNS protocol
requirement.
 
> So, the apps' current way of displaying the domain name
> (right-to-left) in left-to-right cultures is the problem. I
> tried to make the case that this is even a problem in the
> ASCII DNS (regardless of IDN), since hyphens are allowed in
> most DNS implementations. I wonder if a phisher would only
> have to change their own DNS server to get other characters
> (like ASCII slash '/') into the names? Or would many of the
> DNS clients refuse to look up names containing such characters?
> (I tried to create a name containing ASCII slash yesterday,
> but my DNS server wouldn't accept it.)

There are people who would claim that your DNS server is broken
-- see RFC 2181.

However... 

The reality is that whether DNS names were to be treated as
big-endian or little-endian was hotly developed when the DNS was
first being designed and, if I recall what I was told, actually
changed once or twice.  Plus or minus a bit, for every argument
that it should be one way, there was an argument that it should
be the other.  For example, while you would like to see
com.mumblefraz.foo so as to detect issues with the TLD chosen, it is
equally the case that, for many of us in daily use, the
distinction between foo.mumblefraz.com and bar.mumblefraz.com is
more important.

Regardless of how one might toss that particular coin, it has
been tossed.  We have a huge deployed base of the current order
and, even worse than software issues, the current order has been
imprinted on the consciousness of a lot of folks who don't
really know what a domain name is.  Due to the intersection of
old JANET Coloured Book names with DNS names, we also have
considerable experience trying to operate an Internet in which
some names run from left to right and others run from right to
left.  It wasn't a lot of fun and sometimes people (and
software) made mistakes: a domain name like uk.ac.ucl.bar.com
was a public nuisance or worse.

So, like it or not, I think you had best let this one go and get
used to it.  FWIW, my ordering preference is the same as yours.
But, if I were to make a list of the Internet design decisions
that, in retrospect, I would have been happier if they had been
made some other way, this one wouldn't make the top ten.  And I
suspect that opinion would be consistent with a poll of either
users or protocol designers, had such a poll been held.   (Also,
FWIW, "not having domain names in URLs at all" would be close to
the top of my list.)

   john
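
The following is an added example, not part of the original message or of any participant's code. It separates the two checks the thread contrasts, the DNS protocol limits of RFC 2181 versus the "hostname" (LDH) rule registries apply as policy, and shows one display routine that drops leftmost labels instead of letting the right-hand end of a long name fall off the display. All function names and sample names are hypothetical.

```python
import re

# Hostname ("LDH") label rule: letters, digits, hyphen, with no leading or
# trailing hyphen. This is registry/application policy, not DNS protocol.
LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")

# Constructed sample: a deep name whose delegated part is at the far right.
SAMPLE_DEEP = "www.bank.example.secure.login.account.verify.attacker.test"


def split_labels(name: str) -> list[str]:
    """Split a presentation-form name on dots (no backslash-escape handling)."""
    return name.rstrip(".").split(".")


def protocol_valid(name: str) -> bool:
    """Apply only the RFC 2181 limits: 1-63 octets per label, 255 per name.
    Any octet value is acceptable inside a label at this level."""
    sizes = [len(label.encode("utf-8")) for label in split_labels(name)]
    if any(not 1 <= size <= 63 for size in sizes):
        return False
    # Wire form: one length octet per label, plus the root's zero octet.
    return sum(size + 1 for size in sizes) + 1 <= 255


def non_ldh_labels(name: str) -> list[str]:
    """Return the labels a hostname-conformant registry would refuse."""
    return [l for l in split_labels(name) if not LDH_LABEL.fullmatch(l)]


def elide_left(name: str, width: int) -> str:
    """Fit a name into `width` columns by dropping whole leftmost labels, so
    the rightmost labels are never the part that goes off the display.
    A single label longer than `width` is returned unshortened."""
    if len(name) <= width:
        return name
    labels = name.split(".")
    while len(labels) > 1 and len("…." + ".".join(labels)) > width:
        labels.pop(0)
    return "…." + ".".join(labels)


if __name__ == "__main__":
    for n in ("foo/bar.example.com", "www.bank-example.com", "-x.example.com"):
        print(n, protocol_valid(n), non_ldh_labels(n))
    print(elide_left(SAMPLE_DEEP, 30))
```

A name containing a slash passes `protocol_valid` but is reported by `non_ldh_labels`, which is the distinction drawn above between DNS protocol requirements and registration policy.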