Proposed Charter for the IDNAbis Working Group

Vint Cerf vint at google.com
Wed Mar 26 12:42:39 CET 2008


Gervase,

point taken. Honestly, the phishing problem has so many faces that  
the "confusingly similar character" version is one of many. Because  
the proposed documents for IDNAbis place a lot of responsibility on  
the registries to introduce additional restrictions that may be  
language/culture specific, it seems that this is where the bulk of  
the defense is likely to lie. My reading of the document does not
rule out exclusion of some characters for reasons that defend against
phishing, but my sense is that the design team and others on the
IDNA-update list are trying to focus the proposed working group in the
hope of getting to consensus on the effort undertaken thus far.

Some characters are excluded already that could be problematic (e.g.
those that look like HTTP or HTML punctuation, etc.) so there is partial
attention to the problem.

vint

On Mar 26, 2008, at 7:33 AM, Gervase Markham wrote:

> Vint Cerf wrote:
>> This work will address stable and unambiguous IDN identifiers.
>> There are a variety of unsolvable problems, notably the problem
>> of characters that are confusingly similar in appearance (often
>> known as the "phishing" problem) that are not part of the scope
>> of the WG.
>
> I entirely agree that it is not possible for this group to "solve"  
> the phishing problem. Any mitigation strategy will require changes  
> at all levels, not just that of the IDN protocols.
>
> However, my understanding and hope is that IDNAbis will disallow,  
> in some way, a large number of characters which are not used in the  
> languages of the world but are permitted by the current "include  
> unless we thought of a reason to exclude" approach. What would be  
> the rationale for doing so if not as one of the many actions to be  
> taken to mitigate phishing?
>
> Is excluding phishing from consideration entirely the right way to  
> put this? Do we not want something more like: "It is not within the  
> capabilities or scope of the WG to solve the phishing problem.  
> However, some changes which are considered to be helpful in working  
> towards a solution may be made."? (Or better words.)
>
> Gerv


