Re: [idn] nameprep2 and the slash homograph issue
"JFC (Jefsey) Morfin" <jefsey@jefsey.com> Wed, 23 February 2005 17:14 UTC
Received: from psg.com (mailnull@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA13470 for <idn-archive@lists.ietf.org>; Wed, 23 Feb 2005 12:14:14 -0500 (EST)
Received: from majordom by psg.com with local (Exim 4.44 (FreeBSD)) id 1D401x-000Mi5-MS for idn-data@psg.com; Wed, 23 Feb 2005 17:10:33 +0000
Received: from [63.247.74.122] (helo=montage.altserver.com) by psg.com with esmtp (Exim 4.44 (FreeBSD)) id 1D401v-000MhV-7r for idn@ops.ietf.org; Wed, 23 Feb 2005 17:10:31 +0000
Received: from if12m4-235.d2.club-internet.fr ([212.195.66.235] helo=jfc.afrac.org) by montage.altserver.com with esmtpa (Exim 4.44) id 1D401t-0003Jf-D4; Wed, 23 Feb 2005 09:10:30 -0800
Message-Id: <6.1.2.0.2.20050223175234.0355d270@mail.jefsey.com>
X-Sender: jefsey+jefsey.com@mail.jefsey.com
X-Mailer: QUALCOMM Windows Eudora Version 6.1.2.0
Date: Wed, 23 Feb 2005 18:02:26 +0100
To: John C Klensin <klensin@jck.com>, IETF idn working group <idn@ops.ietf.org>
From: "JFC (Jefsey) Morfin" <jefsey@jefsey.com>
Subject: Re: [idn] nameprep2 and the slash homograph issue
In-Reply-To: <D872CCF059514053ECF8A198@scan.jck.com>
References: <421B8484.3070802@vanderpoel.org> <20050223072837.GA21463~@nicemice.net> <D872CCF059514053ECF8A198@scan.jck.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - montage.altserver.com
X-AntiAbuse: Original Domain - ops.ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - jefsey.com
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on psg.com
X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00, MAILTO_TO_REMOVE autolearn=ham version=3.0.1
Sender: owner-idn@ops.ietf.org
Precedence: bulk
John, your proposition makes more sense than Adam as kludges do not escalate, and when you start censoring you never know where you will have to stop, and I do not know how you can enforce it. But your proposition is not the panacea. 1) it is meant only for registration. So it is for TLD Registry Managers or goodwill registrants (for 3+LD). They are ignorant, lazzy, opposed or accepting, but they do not oppose. So the real problem is not with them but with phishers. 2) your poposition is to have an oline correction of the problem. Some Registry may like it, some not. I would have strong objections because it complexifies the user support. But we can try it. This is why I asked the solution I asked and asked if a Perl program existed to test a correction at registration. Actually I repeat that all the propositions to change what the user can see is user hurting. The need for the click to send a request which the one the user want, not the one the phisher want. IMHO one does not increase security in hiding the existand of the danger, one increases the risks. jfc At 09:39 23/02/2005, John C Klensin wrote: >--On Wednesday, 23 February, 2005 07:28 +0000 "Adam M. Costello" ><idn.amc+0@nicemice.net.RemoveThisWord> wrote: > > > Erik van der Poel <erik@vanderpoel.org> wrote: > > > >> Another argument against banning the slash homograph is that > >> any new banning would require a new ACE prefix, which is a > >> lot of work, and, as John said, there should be a high > >> threshold for any demonstration that tries to show that a new > >> prefix is necessary. > > > > An alternative, rather than banning the character, is to > > recommend that it not be shown; the ACE form could be shown > > instead. This would effectively make the character useless in > > domain names (for both phishers and honest folks) without > > requiring a new ACE prefix. > > > > We could push ToUnicode down inside a wrapper function, > > ToDisplay. Applications would never call ToUnicode directly > > anymore. Whenever they wanted to display a domain name, > > they'd call ToDisplay, which would call ToUnicode, check the > > result, and if it didn't like it, call ToASCII. (Of course, > > since ToUnicode typically calls ToASCII, there are > > opportunities to optimize that logic.) > >Adam, there are two problems with this. First, it effectively >dictates UI behavior, which is generally a bad idea. It is a >particularly bad idea in this case because you are proposing the >sort of UI behavior that generates a lot of very confused >questions and trouble reports, which is something no sane >implementer wants. And "won't display" is not the right answer >on the registration side of the process, even if it were right >on the lookup side. The second problem is that it is a kludge, >and that inserting kludges into critical protocols or procedures >--and IDNs are certainly critical-- almost always turns out to >be a seriously bad idea sooner or later. > >If we find a need to start banning characters that we could not >agree on banning the first time around, there is another >approach, also unpleasant but IMO less problematic, that could >be considered. Just as RFC 2822 moved past a lot of legacy >nonsense by having two separate "create" and "accept" syntaxes, >we could define an additional profile, say "NameRegisterPrep". >It would look a lot like Nameprep but would ban the characters >you are now suggesting banning, plus, based on what I think is >growing experience in the registries, ban any character that >mapped to anything else. The effect would be to permit only >those code points as input to the registration process that >could be output into punycode and the DNS. Several registries >have adopted the latter part of that model already: basically >what you register is ToASCII(string) and/or >ToUnicode(ToASCII(string)), but never "string". The lookup >process would remain the same, with no changes to Nameprep being >made at all. And, by eliminating all of the mapping tables and >replacing them with prohibitions, it would make the question >"can this character appear in an IDN" a great deal less >complicated, which would certainly be an advantage. > >This type of registration restriction is rather different from >our asking/expecting ICANN and the registries to adopt rules >about, e.g., mixed-script registrations that would help people >stay out of trouble. For better or worse, ICANN has a great >deal less trouble asking (or demanding) that people conform to >the protocols than it does with making up a somewhat fuzzy >guideline and enforcing it. In the most extreme of cases, >violating a protocol in a significant way is one of those "not >acting in the best interests of the local users and the Internet >community" that RFC 1591 warns against and indicates could be >grounds for redelegating a registry. > >It would leave the registries and ICANN stuck with the problem >of what to do about anything that was now registered which >violated the new rules, but that problem would exist for _any_ >substantive change we made. > > john
- [idn] related work Erik van der Poel
- [idn] Unicode categories Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue JFC (Jefsey) Morfin
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue John C Klensin
- Re: [idn] nameprep2 and the slash homograph issue Adam M. Costello
- Re: [idn] something a little lighter for the week… Doug Ewell
- Re: [idn] stability Erik van der Poel
- Re: [idn] Re: character tables Erik van der Poel
- Re: [idn] Re: process Adam M. Costello
- Re: [idn] punctuation John C Klensin
- Re: [idn] Re: stability JFC (Jefsey) Morfin
- Re: [idn] Re: character tables Gervase Markham
- Re: [idn] stringprep: PRI #29 Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue Gervase Markham
- Re: [idn] Re: stability Erik van der Poel
- Re: [idn] process Paul Hoffman
- Re: [idn] Re: character tables YAO Jiankang
- Re: [idn] nameprep2 and the slash homograph issue JFC (Jefsey) Morfin
- Re: [idn] nameprep2 and the slash homograph issue Adam M. Costello
- Re: [idn] punctuation John C Klensin
- Re: [idn] punctuation tedd
- Re: [idn] Re: character tables JFC (Jefsey) Morfin
- Re: [idn] punctuation Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue Gervase Markham
- Re: [idn] Re: stability Erik van der Poel
- Re: [idn] Re: character tables Adam M. Costello
- [idn] Re: character tables John C Klensin
- Re: [idn] Re: character tables Erik van der Poel
- Re: [idn] Re: stability JFC (Jefsey) Morfin
- Re: [idn] Re: character tables Paul Hoffman
- Re: [idn] Re: stability Martin v. Löwis
- Re: [idn] Re: character tables Erik van der Poel
- Re: [idn] Re: stability John C Klensin
- [idn] Re: Unicode categories John C Klensin
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- [idn] character tables Erik van der Poel
- Re: [idn] Re: character tables John C Klensin
- Re: [idn] Re: stability Mark Davis
- Re: [idn] Re: stringprep: PRI #29 Erik van der Poel
- [idn] stability Erik van der Poel
- Re: [idn] Re: character tables Erik van der Poel
- Re: [idn] Re: dichotomies JFC (Jefsey) Morfin
- Re: [idn] process Adam M. Costello
- Re: [idn] Re: character tables William Tan
- Re: [idn] Re: process James Seng
- [idn] Re: stability Simon Josefsson
- Re: [idn] stability Erik van der Poel
- [idn] Re: stability Martin v. Löwis
- Re: [idn] Re: process Jaap Akkerhuis
- Re: [idn] Re: stringprep: PRI #29 Adam M. Costello
- Re: [idn] punctuation tedd
- [idn] Re: dichotomies Erik van der Poel
- Re: [idn] Re: stability Martin v. Löwis
- Re: [idn] punctuation Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- Re: [idn] process JFC (Jefsey) Morfin
- [idn] Re: stability Simon Josefsson
- Re: [idn] nameprep2 and the slash homograph issue JFC (Jefsey) Morfin
- [idn] Re: stringprep: PRI #29 Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue Adam M. Costello
- Re: [idn] process John C Klensin
- Re: [idn] Re: Unicode categories Mark Davis
- Re: [idn] process Doug Ewell
- Re: [idn] Re: stability Adam M. Costello
- Re: [idn] process Erik van der Poel
- [idn] nameprep2 and the slash homograph issue Erik van der Poel
- Re: [idn] punctuation tedd
- [idn] punctuation Erik van der Poel
- Re: [idn] Re: stability James Seng
- [idn] Re: stability Simon Josefsson
- [idn] something a little lighter for the weekend Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- Re: [idn] something a little lighter for the week… Adam M. Costello
- Re: [idn] process Gervase Markham
- [idn] Re: character tables Cary Karp
- [idn] Mozilla? JFC (Jefsey) Morfin
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- Re: [idn] punctuation Erik van der Poel
- [idn] Re: Unicode categories Erik van der Poel
- [idn] Re: stability Simon Josefsson
- Re: [idn] Re: character tables JFC (Jefsey) Morfin
- [idn] Re: process Stephane Bortzmeyer
- Re: [idn] process Erik van der Poel
- Re: [idn] punctuation Jaap Akkerhuis
- Re: [idn] Re: character tables Gervase Markham
- Re: [idn] Re: process Jaap Akkerhuis
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- Re: [idn] Re: process James Seng
- [idn] stringprep mailing list Erik van der Poel
- Re: [idn] Re: dichotomies Erik van der Poel
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- Re: [idn] Re: stability Erik van der Poel
- Re: [idn] Re: character tables Erik van der Poel
- Re: [idn] Re: stability JFC (Jefsey) Morfin
- Re: [idn] Re: process Erik van der Poel
- [idn] Re: stringprep: PRI #29 Simon Josefsson
- Re: [idn] punctuation Erik van der Poel
- Re: [idn] stability Martin v. Löwis
- [idn] stringprep: PRI #29 Erik van der Poel
- Re: [idn] Re: character tables Paul Hoffman
- Re: [idn] nameprep2 and the slash homograph issue Erik van der Poel
- [idn] Re: stability Simon Josefsson
- [idn] process Erik van der Poel
- [idn] stringprep: existing profiles and string pr… Erik van der Poel
- Re: [idn] Re: stability Erik van der Poel
- [idn] dichotomies Erik van der Poel
- Re: [idn] stability JFC (Jefsey) Morfin
- [idn] Re: character tables Cary Karp
- Re: [idn] Re: process Erik van der Poel
- [idn] Re: stringprep mailing list Simon Josefsson
- Re: [idn] Re: Unicode categories Martin v. Löwis
- Re: [idn] Re: stability JFC (Jefsey) Morfin
- Re: [idn] something a little lighter for the week… John C Klensin
- Re: [idn] something a little lighter for the week… Adam M. Costello
- Re: [idn] Re: dichotomies JFC (Jefsey) Morfin
- Re: [idn] Re: stability Erik van der Poel
- Re: [idn] Re: stability Erik van der Poel
- [idn] Re: stringprep: PRI #29 Simon Josefsson
- Re: [idn] stability Erik van der Poel
- [idn] Re: stringprep: PRI #29 Simon Josefsson