Browser IDN display policy: opinions sought

[Paul Hoffman]

On Dec 19, 2011, at 2:42 AM, Gervase Markham wrote:

> I entirely agree. This is why we went for option B - once a registry has
> a responsible policy, their IDNs are treated as first-class citizens
> everywhere (at least, in Firefox). No additional configuration required.

In this case, however, the "responsible policy" is limited to TLDs registering SLDs. People have already pointed out on this thread that Firefox's restriction on script-confusables only goes one layer down, and that for LDH labels, Firefox (and all other browsers) don't do anything about names like www.bankofamerica.com.deposits.index-action.me.

> Unfortunately, IDNs are still not treated as first-class citizens. So
> the question is: how do we get from where we are now to a situation
> where they are treated that way?

One way, which you have rejected earlier in this thread, is to simply display all IDNs as Unicode (where the display is possible), just the same way you display all possibly-fraudulent LDH labels. That would make them all first-class. If you choose to do some checking on the domain names for possible fraud based on other heuristics (as Firefox and all other browsers do), and then show an interstitial warning or change the navigation chrome in some way, you can do that for IDNs as well *following the same rules you use for non-IDN names*.

If you want to get additional heuristics from TLDs about policies to help you decide when you should add a warning, the technical community can talk about how to make that happen in a way that would be useful to application vendors. (So could ICANN, but I suspect that would be a waste of everyone's time.)

The choice to not treat IDNs as second-class in applications remains with the application vendors. Being consistent in pointing out possible fraud would go a long way towards making IDNs more useful to everyone except to fraudsters.

--Paul Hoffman