Re: [idn] nameprep2 and the slash homograph issue

Gervase Markham <gerv@mozilla.org> Wed, 02 March 2005 09:03 UTC

Message-ID: <42257FA5.9060604@mozilla.org>
Date: Wed, 02 Mar 2005 08:56:05 +0000
From: Gervase Markham <gerv@mozilla.org>
Organization: mozilla.org
To: Erik van der Poel <erik@vanderpoel.org>
CC: idn@ops.ietf.org
Subject: Re: [idn] nameprep2 and the slash homograph issue

Erik van der Poel wrote:
> Perhaps I was wrong to use the word "tool". There is a fundamental 
> tension between security and user-friendliness. 

Well, maybe. I'm not convinced the tension is absolute, but I agree you 
need to work very hard indeed to get both.

> A couple of questions/comments: It might be nice to have this 
> domain-only display even for non-secure sites (http).

We are probably going to change this for 1.1. It takes some careful 
thought so as not to confuse people.

> Also, do you know 
> what happens if the domain name is very long? 

It just gets very long, currently.

> Finally, do you have any 
> thoughts about the slash homograph problem? Thanks.

Well, the current domain indicator will show the domain, slash 
homographs and all. We're still developing our response, but it's likely 
that we'll have to blacklist this character. Opera's new beta already 
has a small set of characters it doesn't allow.

Ideally, we wouldn't be acting unilaterally on this one, and would be 
doing the restrictions based on consensus. But before we can go there, 
we need to figure out what we think is needed first. That process is 
still going on.

> Indeed, why wait? I filed a bug a while ago:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=282079

Thanks :-)

> My feeling is that a sans-serif font (such as Arial) places the 
> characters too close to each other and does not have the serifs that 
> often serve to distinguish the characters better. How about a fixed 
> width font with serifs, such as Courier New?

The issue, of course, is that the font designation we use has to produce 
a good font on all platforms. This isn't fundamentally impossible, it 
just requires work and testing.

Gerv
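
The character-blacklist response mentioned in the message above, sketched as an added example that is not part of the original e-mail and is not Mozilla's or Opera's code: any label containing a slash lookalike is shown in its ASCII (xn--) form instead of Unicode. The blocklist contents, the function names and the sample hostnames are assumptions made for illustration, and nameprep is skipped for brevity.

```python
import unicodedata

# Assumed blocklist for illustration: characters that render like "/" (U+002F).
# This is not the list any browser shipped.
SLASH_LOOKALIKES = {"\u2044", "\u2215"}  # FRACTION SLASH, DIVISION SLASH


def to_ace(label):
    """Raw Punycode plus the ACE prefix (nameprep deliberately skipped)."""
    return "xn--" + label.encode("punycode").decode("ascii")


def flagged_chars(label):
    """Describe every blocklisted character found in one label."""
    return [
        "U+%04X %s" % (ord(c), unicodedata.name(c, "UNNAMED"))
        for c in label
        if c in SLASH_LOOKALIKES
    ]


def display_host(hostname):
    """Return (string to show in the domain indicator, list of findings).

    Labels without blocklisted characters keep their Unicode form, so
    ordinary internationalized names still display normally.
    """
    shown, findings = [], []
    for label in hostname.split("."):
        hits = flagged_chars(label)
        if hits:
            findings.extend(hits)
            shown.append(to_ace(label))  # lookalike can no longer pass as "/"
        else:
            shown.append(label)
    return ".".join(shown), findings


# Constructed sample hostnames (not taken from the thread).
SAMPLE_HOSTS = [
    "b\u00fccher.example",                     # plain IDN, no lookalike
    "shop.example\u2044account.site.test",     # U+2044 inside one label
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        text, found = display_host(host)
        print(text, found)
```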