Message-Id: <6.1.2.0.2.20050216143507.030d1cd0@mail.jefsey.com>
Date: Wed, 16 Feb 2005 15:09:43 +0100
To: "Kane, Pat" <pkane@verisign.com>
From: "JFC (Jefsey) Morfin" <jefsey@jefsey.com>
Subject: RE: [idn] homograph attacks
Cc: idn@ops.ietf.org
In-Reply-To: <A313262806CD3341AC59AB108137FC8F2F74E5@dul1wnexmb01.vcorp.
 ad.vrsn.com>
References: <A313262806CD3341AC59AB108137FC8F2F74E5@dul1wnexmb01.vcorp.ad.vrsn.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: 8bit
Sender: owner-idn@ops.ietf.org
Precedence: bulk

Dear Pat,
Thank you for your response. Let assume this list is the missing 
International coordination list.  As you know we are in a gray situation 
regarding the IANA and language tags. There is the RFC 3066 which accepts 
ISO 639 as a reference and which permits the language "specialists" (ISO 
and W3C) of the http://www.alvestrand.no/mailman/listinfo/ietf-languages 
mailing list to discuss missing languages. This is clean.

But then we have a confusion.

1. When you register a IANA tag, you are to register it by language, script 
and ccTLD. This is clear.

2. W3C discovered that a language tag by ISO 639 was not enough to describe 
an XML document. So they introduced two new ideas the IESG could buy: '(1) 
RFC 3066 language tags could become ISO 639+ISO 15924 script+ISO 3166 
country code (2) that _all_ the langtags should be resgitered, not only the 
additions. So, each language is known as a single version - what culture 
people shout at!

When explained the conflict with IDN they claimed they do not care. IMHO we 
have a layer violation because I see three layers to support the users demand.

1. internationlisation: this is the IDN and the ccTLD (quoted in the 
language/script/ccTLD sequence is the authority). So the default should be 
the IDN Table assuming that ccTLD Managers are the trustees of their 
communities and know better about their people than anyone else.

2. multilingualization: thus is an added layer to take care of the 
language, the semantic, the dictionnary, the grammar, the culture, etc. You 
can have many visions. I said the ccTLD vision should be the default and 
described in IDN Tables, then univesities, Govs, artists, writers, etc. can 
have theirs. So the tag should include language.script/ccTLD/authority.

3. vernacularization: the way the user is to use the language through 
applications. This means that an additional element will be the style. This 
makes a lang5tag including language/script/ccTLD/authority/style. There the 
application may use the style to warn about a possible spoofing or not.

In addition to the lang5tag proposition - I propose we agree upon an 
XML,ASN.1 format to decribe a TLD better than the current Whois, where the 
TLD Manager would describe far more elements including its Tables in a 
computer readable form, so we could easily share the definition. For 
example this could include a list of foul names to bar in the language, of 
famous contious marks, etc. We (TLD Registries) could decide to maintain 
this file available at some published addresses for direct mutual exchange.


At 14:05 16/02/2005, Kane, Pat wrote:
>1.  The language tags that we permit are a subset of the languages within
>ISO 639-2.  The list of these can be found at
>http://www.verisign.com/static/002533.pdf.  The IANA server is a listing of
>language tables to be used with a language tag.  Commonality amongst TLDs in
>general would be good.  That is why VeriSign uses tables such as those from
>JET and others.

I would appreciate if we could have it in ASCII in a stable format, so we 
could work on automating reading of these data.

>2.  I am interested in the French and Ukrainian sets as well as all of the
>others that we permit that currently do not have language tables.  I have
>not seen them so VeriSign does not have a table for either of those valid
>language tags.  We are deploying this year those that have been posted on
>IANA and are appropriate sources.

I have no problem to Publish mine in French. May be could we discuss that 
together?

>3.  We follow tables as published.  We do not develop these tables on our
>own as there are more appropriate sources.  We did recognize that with
>Cyrillic based languages there was a possibility of inappropriate
>commingling of characters so we excluded all Latin and ASCII characters with
>the exception of 0-9 and the dash.

When you say "published" you mean IANA? I think we need something more 
reactive and more multingual. Is Nico Popp still invoved in IDNs (he is in 
the MINC Board for you?)

>4.  I am not sure of your exact question here, but in the registration
>process each registrar actually encodes the characters and passes to
>VeriSign the encoded string.

As a "reseller" myself, I would like to be able to enter my encoded string, 
for it to be verified and registered. I have ASCII tools. What is true for 
the DNS is also for me.

All the best.
jfc





>  Pat
>
>-----Original Message-----
>From: JFC (Jefsey) Morfin [mailto:jefsey@jefsey.com]
>Sent: Tuesday, February 15, 2005 7:44 PM
>To: Kane, Pat; "Martin v. Löwis" ; tedd
>Cc: idn@ops.ietf.org; ericj@shmoo.com
>Subject: RE: [idn] homograph attacks
>
>Dear Pat,
>I have several questions here.
>
>1. where do you maintain an ASCII list of your language tags? Should it not
>be supported on the IANA server and common to all the gTLDs?
>2. is there a list of the permitted UNICODEs codes per languages? For
>example I am interested in the French and Ukrainian sets.
>3. did you decide them by yourself, or did you gather a group of lingual
>authorities to assist you. This would be very interesting.
>4. would there not be a way to register IDN in using their  "xn--" version?
>It would simplify international management by resellers?
>
>Thank you for your assistance.
>
>
>At 20:30 15/02/2005, Kane, Pat wrote:
> >VeriSign does prevent domains with the Russian language tag from
>commingling
> >A-Z with the Cyrillic characters.  It does permit 0-9 and the dash to be
> >used.  This filter also applies to other Cyrillic based languages such as
> >Belarusian, Ukrainian, Serbian, Macedonian and Bulgarian.
> >
> >There are other languages that are listed within ISO 639-2 that today use a
> >combination of Latin and Cyrillic as they were originally Latin based
>(Tajik
> >was Arabic prior to being Latin based), migrated to Cyrillic during the
> >Soviet era and today are migrating back to Latin.  It is common to use
>Latin
> >and Cyrillic characters in Tajik, from what I understand not being a native
> >speaker.  Granted there are not a lot of registrations in com net that are
> >Tajik, but this is just the point of an IDN.
> >
> >Pat Kane
> >
> >
> >-----Original Message-----
> >From: owner-idn@ops.ietf.org [mailto:owner-idn@ops.ietf.org] On Behalf Of
> >"Martin v. Löwis"
> >Sent: Tuesday, February 15, 2005 2:02 PM
> >To: tedd
> >Cc: idn@ops.ietf.org; ericj@shmoo.com
> >Subject: Re: [idn] homograph attacks
> >
> >tedd wrote:
> > > You all knew this was going to happen.
> > >
> > >    http://www.p&1072;ypal.com
> >
> >Indeed. However, I am somewhat disheartened that this could
> >happen. IMO, Verisign should have never have registered that
> >domain - the registrar should have provided a language for
> >the label, that language should have been "Russian" (or
> >else &1072; should not have been allowed), and this combination
> >of Cyrillic and Latin letters should not be allowed for the
> >Russian language.
> >
> >Regards,
> >Martin