ICANN/GNSO GNSO Email List Archives

[council]


<<< Chronological Index >>>    <<< Thread Index >>>

[council] Re: Registry Constituency IDN communiqué


Quoting Bruce:

You might like to include some specific examples of two identifiers (names) that could look the same, and explain how a registry would avoid the problem for each example.

One of the Unicode Consortium's responses to the current situation was the release of an unscheduled revision of a draft technical report on 'Security Considerations For The Implementation Of Unicode And Related Technology'. You will find it at:

        http://www.unicode.org/reports/tr36/tr36-2.html

This includes a richly illustrated 'everything anyone could possibly need to know' description of the homograph vulnerability. Unfortunately, it is as useful a how-to-do-it guide for malicious abusers as it is a basis for the TLD registries converging on a best-practice. It sketches a clear path along which we can proceed and highlights the urgency of our doing so. Determining whether or not that path is the best one for the gTLD registries to take (and if not, setting the alternative) is the next step in our constituency's action.

The Unicode draft is, however, nothing for the faint-hearted. The basis of IDN,is that every internationalized name exists in two formats, of which the one is displayed to the user in the full array of expected characters (Unicode), and the other is an encoded form (Punycode) that is only intelligible to purpose-designed software.

The initial design intent was for Punycode never to be revealed to users. However, a number of situations where it is, in fact, beneficial for a user to see Punycode have become apparent in the interim. One of them is that two names that may be graphically confused in their Unicode forms (the reason we're having this discussion in the first place) can readily be differentiated in Punycode.

I'll try to prepare a Punycode Primer over the weekend, which should make the Unicode draft more accessible. In the meanwhile you may wish to note that the Mozilla folks -- whose concern with this issue fired the debate -- have just released a version of their Firefox browser that addresses the issue by making the Punycode form of an IDN fully visible in the browser's status line, while retaining the Unicode form in the browser's address line. It's likely that other software developers will soon be doing the same.

It is up to us to ensure that nobody feels the need for more drastic measures. Although an elegant mode for the parallel presentation of Unicode and Punycode remains to be developed, encouraging action toward that end is clearly in the interests of any agency striving to globalize the Internet. Conversely, there is also a need to quell what remains the clear risk of the proponents of an anglophone DNS deciding that since they don't want/need/trust IDN, nobody gets to have it.

/Cary



<<< Chronological Index >>>    <<< Thread Index >>>