Follow-up from Tuesday's discussion of digits in the

Shawn Steele Shawn.Steele at microsoft.com
Thu Dec 4 22:46:42 CET 2008


> note that in the domain name "foo12345", there are 2 variants when digit
> mixing is prohibited, but 32 variants when 2 different digit sets are
> allowed.

If we're concerned primarily about input/display mapping, then 12345 will be in one script or the other, not a mixture of both.  (Although an attacker could utilize that to create others, but that's not really different than other homograph problems).

> actually the .no registry doesn't offer any such bundling. If wurth.no,
> wuerth.no and würth.no takes you to 3 different websites, that is not
> against that registry's policy.
>  (in this particular case, all 3 names go to the same entity.... but not
> because there's a rule about it.)

Yes, but I could register variations of my company's name...

So is this a concern because of potential security concerns?  Or because there are 2 forms of my company's name I want to be able to use?

If it is security, I don't think this is really much different than other security/homograph attacks, and, as was pointed out earlier, it is pretty trivial to trick people to click on a link.  Trying to "fix" numbers is kinda like trying to make sure your window's barred, alarmed and nailed shut, yet you've left the front door wide open.

If the concern is multiple forms of my company name for its use, then just register them all, there aren't that many interesting ones.  IDNA2003 pretty much already makes it so that "correct" Unicode names and ASCII-only transliterations have to be used.  And there is already a namespace problem, many businesses end up with a variation of their name because their preferred form was already taken.

- Shawn
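
The variant counts quoted at the top of this message, together with a check a registry or client could use to flag labels that mix digit sets, as an added example that is not part of the original message. The function names and the Arabic-Indic sample labels are constructed for illustration; the thread does not name the two digit sets.

```python
import unicodedata

def digit_set_bases(label):
    """Return the code point of the zero digit for every decimal digit set in label.

    Unicode decimal digits (category Nd) come in contiguous runs of ten, so
    ord(ch) - decimal value identifies the set a digit belongs to.
    """
    bases = set()
    for ch in label:
        if unicodedata.category(ch) == "Nd":
            bases.add(ord(ch) - unicodedata.decimal(ch))
    return bases

def mixes_digit_sets(label):
    """True when the label draws digits from more than one digit set."""
    return len(digit_set_bases(label)) > 1

def variant_count(label, n_sets, allow_mixing):
    """Count digit-only variants of a label when n_sets digit sets are permitted.

    Without mixing, all digits must come from one set: n_sets variants.
    With mixing, each digit position chooses independently: n_sets ** digits.
    """
    digits = sum(1 for ch in label if unicodedata.category(ch) == "Nd")
    if digits == 0:
        return 1
    return n_sets ** digits if allow_mixing else n_sets

# Constructed sample labels (assumption: ASCII and Arabic-Indic digit sets).
ASCII_LABEL = "foo12345"
ARABIC_INDIC_LABEL = "foo\u0661\u0662\u0663\u0664\u0665"
MIXED_LABEL = "foo12\u0663\u0664\u0665"

if __name__ == "__main__":
    print("no mixing:", variant_count(ASCII_LABEL, 2, allow_mixing=False))
    print("mixing:   ", variant_count(ASCII_LABEL, 2, allow_mixing=True))
    for label in (ASCII_LABEL, ARABIC_INDIC_LABEL, MIXED_LABEL):
        sets = sorted(hex(b) for b in digit_set_bases(label))
        print(ascii(label), "sets:", sets, "mixed:", mixes_digit_sets(label))
```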

