Return-Path: <cyrus@eikenes.alvestrand.no>
Received: from eikenes.alvestrand.no ([unix socket])
	by eikenes.alvestrand.no (Cyrus v2.1.11-Mandrake-RPM-2.1.11-1mdk) with LMTP; Tue, 08 Feb 2005 15:30:15 +0100
X-Sieve: CMU Sieve 2.2
Return-Path: <ietf-bounces@ietf.org>
Received: from localhost (localhost.localdomain [127.0.0.1])
	by eikenes.alvestrand.no (Postfix) with ESMTP id A739561BA7
	for <harald@alvestrand.no>; Tue,  8 Feb 2005 15:30:15 +0100 (CET)
Received: from eikenes.alvestrand.no ([127.0.0.1])
 by localhost (eikenes.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 24003-06 for <harald@alvestrand.no>;
 Tue,  8 Feb 2005 15:30:12 +0100 (CET)
Received: from megatron.ietf.org (megatron.ietf.org [132.151.6.71])
	by eikenes.alvestrand.no (Postfix) with ESMTP id 99F3F61B95
	for <harald@alvestrand.no>; Tue,  8 Feb 2005 15:30:12 +0100 (CET)
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.32)
	id 1CyWHJ-0001ph-7x; Tue, 08 Feb 2005 09:23:45 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.32) id 1CyWCS-0000TG-0R
	for ietf@megatron.ietf.org; Tue, 08 Feb 2005 09:18:44 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA11712
	for <ietf@ietf.org>; Tue, 8 Feb 2005 09:18:42 -0500 (EST)
Received: from montage.altserver.com ([63.247.74.122])
	by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CyWW2-0005c6-5w
	for ietf@ietf.org; Tue, 08 Feb 2005 09:39:00 -0500
Received: from lns-p19-19-idf-82-65-134-176.adsl.proxad.net ([82.65.134.176]
	helo=jfc.afrac.org) by montage.altserver.com with esmtpa (Exim 4.43)
	id 1CyWCN-00079W-IC; Tue, 08 Feb 2005 06:18:41 -0800
Message-Id: <6.1.2.0.2.20050208145906.0d03b3c0@mail.jefsey.com>
X-Sender: jefsey+jefsey.com@mail.jefsey.com
X-Mailer: QUALCOMM Windows Eudora Version 6.1.2.0
Date: Tue, 08 Feb 2005 15:18:10 +0100
To: John C Klensin <john-ietf@jck.com>
From: "JFC (Jefsey) Morfin" <jefsey@jefsey.com>
In-Reply-To: <CB4CC5F257CA4E86A0A9C9F8@scan.jck.com>
References: <200502081241.j18CfY3F011450@bartok.nlnetlabs.nl>
	<CB4CC5F257CA4E86A0A9C9F8@scan.jck.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-AntiAbuse: This header was added to track abuse,
	please include it with any abuse report
X-AntiAbuse: Primary Hostname - montage.altserver.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - jefsey.com
X-Scan-Signature: b5d20af10c334b36874c0264b10f59f1
Cc: ietf@ietf.org
Subject: Re: IDN security violation? Please comment
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>,
	<mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>,
	<mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org
X-Virus-Scanned: by amavisd-new at alvestrand.no

Dear John,
you are right the lack of the really requested IRI in the bar is a true 
problem. But this would we appealing for babel-names (the IDNs which 
transcode in xn--squatting names such as "http://xn--cocacola.com").

Could not a correct solution be to have an option warning the 
user/preventing the use when the IRI's IDN part does not use codes 
belonging to the used language ccTLD IDN table?

This is because a ccTLD will have exactly the same homograph problems in 
domain name registration, so IDN Tables codes are expected to be/to adapt 
to what a usual script reader can expect (possibly on a country culture 
basis). I fully understand that gTLD may not enforce that and that IDN 
permits 3LD to be freely built, but this seems consistent with the ICANN 
recommendations. I also fully understand that this creates a confusion with 
the "RFC 3066bis" draft which did not wanted to consider that kind of issue 
and stay generic. We not only meet in DNS, but also in any text oriented 
formatted exchange (mail?) and application firewalling service (starting 
with OPES or sieve?).

jfc



On 14:39 08/02/2005, John C Klensin said:


>--On Tuesday, 08 February, 2005 13:41 +0100 Jaap Akkerhuis
><jaap@NLnetLabs.nl> wrote:
>
> >     May be IDN specialists will want to comment this.
> >     http://www.shmoo.com/idn/homograph.txt
> >
> > This is nothing new, analog to YAHOO.COM and YAH00.COM.
>
>Well, it is a little worse because there are tools that make
>detection of the YAH00.COM problem and its relatives pretty easy
>and those tools are widely understood.  For example, forcing
>those domain names to lower case makes them very distinguishable
>(yahoo.com and yah00.com) are pretty clearly different) and
>using fonts that make zeros and "o"s, ones and "l"s, etc.,
>clearly different helps a lot too.
>
>With IDNs, the simple fact that there are tens of thousands of
>characters with which one can try to create confusion, rather
>than 37 or so, means there are going to be more "opportunities".
>What is more important, perhaps, is that we just don't have the
>experience with the design of user interfaces that make problem
>detection easy.   For example, the moment I touched the Firefox
>cursor to the examples at the examples at
>http://www.shmoo.com/idn/, I realized that I really wanted to
>see the punycode in the status line as well as the "native
>character" rendering.  That hadn't occurred to me before,
>despite having been thinking about the problems long enough to
>have had precisely this Roman-A versus Cyrillic-A example on a
>slide in a talk I gave in March of 2001.
>
>There have been other suggestions along the line that would help
>although the community (with some notable exceptions) hasn't
>been good at deploying them and the IETF decided (perhaps
>appropriately, perhaps not) that they were someone else's
>problem.  For example, Mark Davis made a suggestion early on
>that registration of labels containing mixed scripts be
>prohibited.  If that had been done in the relevant zone, this
>particular attack would have been impossible.  A corollary to
>his suggestion might be a warning message from software that
>interfaces with users that would flag mixed-script labels and
>put up warnings.
>
>Just as with the YAH00.COM case, no single measure is going to
>"fix" or prevent the various problems we can encounter with
>IDNs.  But a combination of some thinking, good policies,
>adapting tools on the basis of experience, and the level of user
>vigilance that seems a requirement for being attached to the
>Internet at all these days ought to permit us to use IDNs at
>risk comparable to that for LDH-style ASCII names.
>
>I can only hope that our colleagues at Mozilla will rapidly
>supercede their apparent advice to disable IDNs --advice that
>seems to me to be equivalent to "you should be happy just using
>English"-- with patches or extensions that enable punycode
>display in addition to native-script display in the status line
>and that they consider warnings about mixed-script labels.
>And, while I am engaging in hope, I hope that the other
>browser-producing teams will get with the program: The IESG has
>warned, I have warned, Mark has warned, and innumerable others
>have warned, that a compliant implementation of IDNA is _not_
>sufficient for a competent implementation of IDNs.  This
>particular problem, however exciting, is just another example of
>that general principle.
>
>    john


_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf