What rules have been used for the current list of codepoints?

Cary Karp ck at nic.museum
Tue Dec 26 16:20:38 CET 2006


>> This is the mixed-script question, not the unfamiliar
>> character question. But, to use your example, if
>> payp<cyrillic-a>l.com gets issued to someone other than the
>> owner of paypal.com, then that is squarely the responsibility
>> of the .com registrar, and they should be taken to task for
>> it.
> They have been 'taken to task' for it, and taken that offending
> URI off quickly. And I'm pretty sure they won't make the same
> mistake again.

This is not an accurate description of what happened. As I understand
it, the pivotal "taking to task" was directed at the holder of the
spoofed name, by PayPal itself. The spoofer did not, however, have an
easy time getting the registrar to delete the "proof of concept" name.
The formal mechanism that is available for having a name removed from a
registry directly by the registry operator was _not_ invoked at any point.

The registry operator did, indeed, recognize in all of this need for
modifying their IDN policies. That concern was expressed by active
participation in the revision of ICANN's IDN Guidelines, and commitment
to the resulting restriction on script-mixing in single labels. Despite
all of the concern that has been expressed on this list about the
current vulnerability of evertype.com to similarly cyrillified
usurpation, I would be very surprised if anyone actually got a request
for such a name through the policy engine on the registry side. The
pre-processing available on a registrar's front-end is not the ultimate
determining factor and a name may appear to be available for
registration that, in fact, is not.

/Cary


More information about the Idna-update mailing list