[council] Re: Registry Constituency IDN communiqué

[Cary Karp <ck@nic.museum>]

Quoting Bruce:

> You might like to include some specific examples of two 
> identifiers (names) that could look the same, and explain how a 
> registry would avoid the problem for each example.
One of the Unicode Consortium's responses to the current situation 
was the release of an unscheduled revision of a draft technical 
report on 'Security Considerations For The Implementation Of Unicode 
And Related Technology'. You will find it at:
        http://www.unicode.org/reports/tr36/tr36-2.html

This includes a richly illustrated 'everything anyone could possibly 
need to know' description of the homograph vulnerability. 
Unfortunately, it is as useful a how-to-do-it guide for malicious 
abusers as it is a basis for the TLD registries converging on a 
best-practice. It sketches a clear path along which we can proceed 
and highlights the urgency of our doing so. Determining whether or 
not that path is the best one for the gTLD registries to take (and 
if not, setting the alternative) is the next step in our 
constituency's action.
The Unicode draft is, however, nothing for the faint-hearted. The 
basis of IDN,is that every internationalized name exists in two 
formats, of which the one is displayed to the user in the full array 
of expected characters (Unicode), and the other is an encoded form 
(Punycode) that is only intelligible to purpose-designed software.
The initial design intent was for Punycode never to be revealed to 
users. However, a number of situations where it is, in fact, 
beneficial for a user to see Punycode have become apparent in the 
interim. One of them is that two names that may be graphically 
confused in their Unicode forms (the reason we're having this 
discussion in the first place) can readily be differentiated in 
Punycode.
I'll try to prepare a Punycode Primer over the weekend, which should 
make the Unicode draft more accessible. In the meanwhile you may 
wish to note that the Mozilla folks -- whose concern with this issue 
fired the debate -- have just released a version of their Firefox 
browser that addresses the issue by making the Punycode form of an 
IDN fully visible in the browser's status line, while retaining the 
Unicode form in the browser's address line. It's likely that other 
software developers will soon be doing the same.
It is up to us to ensure that nobody feels the need for more drastic 
measures. Although an elegant mode for the parallel presentation of 
Unicode and Punycode remains to be developed, encouraging action 
toward that end is clearly in the interests of any agency striving 
to globalize the Internet. Conversely, there is also a need to quell 
what remains the clear risk of the proponents of an anglophone DNS
deciding that since they don't want/need/trust IDN, nobody gets to 
have it.
/Cary