IDNA2008: concerns about inconsistent mappings, and german sharp s

Markus Scherer markus.icu at gmail.com
Thu Dec 11 06:42:47 CET 2008


Dear IDNA-updaters,
I recently learned about some details about IDNA2008 and was encouraged to
voice concerns on this list.

If I understand correctly, IDNA2008 -- unlike the 2003 version -- will not
prescribe a particular set of character mappings. I am concerned that this
will lead to implementations behaving inconsistently, and, for users,
unpredictably, leading to navigation to the wrong web sites or getting an
error message for what seems like (and used to be) a minor variation (for
example, a casing difference).

In particular, as a native German speaker, I am concerned about what I
understand to be the effect on using German domain names -- regarding the
'ß' ("sharp s", also mis-named "eszett").This character is mostly equivalent
to "ss", and normal uppercasing turns it into "SS" (except maybe on
passports). Because of this near-equivalence, there is some amount of
confusion about when to use "ß" vs. "ss". In particular,

   - In Switzerland, "ß" is never used and always replaced with "ss".
   - The orthography change of 1996 changed the rules about ß vs. ss and
   changed many very common words. Anyone who learned to write before the
   reform (like me) is prone to either still write the old way or be
   inconsistent, in addition to normal spelling imperfections.
   - For several years, prominent newspapers and publishers refused to adopt
   the new orthography or flip-flopped in their adoption.

The old IDNA standard mapped "ß" to "ss". I understand that IDNA2008 does
not include this mapping (or indeed any other), but does permit ß in
unmapped domain names. This means that it will be possible for equivalent
domain names (fluß.de <http://fluss.de> vs. fluss.de) which used to be
mapped to the same form (fluss.de) to now point to unrelated web sites
(where one might be a phishing site mimicking the other), or a user who used
to be successful following a link "fluß.de <http://fluss.de>" may now find
that their browser fails to connect.

Please review this decision!

It seems like for best consistency and interoperability, the updated IDNA
standard should include mappings that are compatible extensions of the 2003
version, except to fix errors and security issues, and in particular should
maintain the folding of equivalent domain names to a common representative.

Failing that, it would help to continue to not allow the "ß" in domain
names, except as input to an implementation which maps it to "ss" as before.

If that were not adopted either, then users can only hope that all
registrars either automatically treat all equivalent forms as aliases or
forbid registering a domain name if an equivalent one exists already. (A
connection error would be better than a phishing trap.) I am pessimistic
about all relevant registrars to learn about this (or anything that's not
required by the spec), understand it, and apply it consistently.

Sincerely,
markus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.alvestrand.no/pipermail/idna-update/attachments/20081210/050e9e59/attachment-0001.htm 


More information about the Idna-update mailing list