Data on confusables

Vint Cerf vint at google.com
Thu Jul 30 12:32:37 CEST 2009


Gerv,

the present formulation deliberately built up its PVALID forms by  
inclusion rather than exclusion precisely to try to limit which  
characters are permitted to be used.

In particular, IDNA2008 tried to achieve this by invoking Unicode  
properties and inventing formulae to apply them.

Excluded from PVALID are a range of character classes including  
punctuation and mathematical symbols, but the WG consensus is that no  
set of rules will absolutely eliminate all forms of confusion or  
deliberate spoofing. Rather, a combination of character limitations  
and registry (zone administrator) filtering seems to be needed and  
even then one can anticipate weak filtering out of negligence or  
ignorance.

vint

On Jul 30, 2009, at 6:24 AM, Gervase Markham wrote:

> On 30/07/09 00:13, Mark Davis ⌛ wrote:
>> I don't think that IDNA2008 will change much regarding spoofing. Some
>> registries may be bound by the terms of IDNA2008, but most will not  
>> be.
>> They could chose to abide by it strictly, or they could allow  
>> characters
>> like HEART if they are in demand, or for compatibility with IDNA2003.
>
> They could, but if none of the browsers render it, I suspect they  
> won't.
>
>> Conversely, the client side can't depend on the registries' all doing
>> "the right thing", and will need to supply their own tests for  
>> spoofing;
>> and for them as well, excluding symbols or checking for CONTEXTO
>> accomplishes almost nothing as far as detecting spoofs.
>
> I find that an odd conclusion. Banning dot-like, slash-like and
> hyphen-like punctuation seems to me like it would make a big  
> difference
> in terms of restricting what spoofing is possible.
>
> Gerv
> _______________________________________________
> Idna-update mailing list
> Idna-update at alvestrand.no
> http://www.alvestrand.no/mailman/listinfo/idna-update



More information about the Idna-update mailing list