IDNA and U+08A1 and related cases
nico at cryptonector.com
Mon Jan 26 19:09:46 CET 2015
On Mon, Jan 26, 2015 at 05:02:48PM +0000, Gervase Markham wrote:
> On 26/01/15 06:30, Asmus Freytag wrote:
> > The fundamental design limitation of IDNA 2008 is that, largely, the
> > rules that it describes pertain to a single label in isolation.
> tl;dr of your message: additional work is needed beyond IDNA2008 to have
> a secure system...
I'm not so sure. What more can IDNA do about this? (See below.)
> > That calls for a different mechanism, what I have called "exclusion
> > mechanism".
> ...which involves name registries doing the right thing.
Isn't that what UTR#39 says?
> Yes, indeed. Which is why, for years, this was a requirement of IDNA
> enablement in Firefox. Only the proliferation of registries put an end
> to our enforcement of that policy programmatically. We (or at least, I)
> now intend to enforce it via the media if there is ever a problem caused
> by a registry allowing one of its customers to attack another one by
> registering a homograph.
Right, if a registry screws this up, their reputation has to suffer.
(The same goes for CAs, no? Though of course DNS has to come first.)
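To make the single-label limitation concrete: an added example (not code from this thread or from any IDNA implementation) in which a toy per-label check passes both spellings of a name while a registry-side exclusion check, in the spirit of the UTR#39 skeleton comparison, refuses the second registrant. The confusable table is a constructed subset, not confusables.txt, and the U+08A1 entry assumes that BEH WITH HAMZA ABOVE looks identical to BEH (U+0628) + HAMZA ABOVE (U+0654) without being canonically equivalent to it.

```python
import unicodedata

# Toy skeleton table in the spirit of UTR#39 confusable mapping.
# Constructed subset for this example; not the real confusables.txt data.
# The U+08A1 entry is an assumption: BEH WITH HAMZA ABOVE is treated as
# visually identical to BEH + HAMZA ABOVE, which NFC/NFD do not fold together.
CONFUSABLE_SKELETON = {
    "\u0430": "a",              # CYRILLIC SMALL LETTER A -> Latin a
    "\u0435": "e",              # CYRILLIC SMALL LETTER IE -> Latin e
    "\u043e": "o",              # CYRILLIC SMALL LETTER O -> Latin o
    "\u0440": "p",              # CYRILLIC SMALL LETTER ER -> Latin p
    "\u08a1": "\u0628\u0654",   # assumed: BEH WITH HAMZA ABOVE -> BEH + HAMZA ABOVE
}


def label_valid_in_isolation(label: str) -> bool:
    """Stand-in for an IDNA2008-style per-label check (toy rules, not RFC 5892).
    It sees only this label: letters, marks, digits, hyphen, NFC form, sane length."""
    if not 1 <= len(label) <= 63 or label != unicodedata.normalize("NFC", label):
        return False
    if label.startswith("-") or label.endswith("-"):
        return False
    return all(ch == "-" or unicodedata.category(ch)[0] in "LMN" for ch in label)


def skeleton(label: str) -> str:
    """Confusability skeleton: NFD, map confusables, NFD again (the UTR#39 recipe)."""
    nfd = unicodedata.normalize("NFD", label)
    mapped = "".join(CONFUSABLE_SKELETON.get(ch, ch) for ch in nfd)
    return unicodedata.normalize("NFD", mapped)


class Registry:
    """Registry-side exclusion: a new label is refused when its skeleton
    collides with a label already held by a different registrant."""

    def __init__(self) -> None:
        self._by_skeleton = {}  # skeleton -> (label as registered, owner)

    def register(self, label: str, owner: str) -> str:
        if not label_valid_in_isolation(label):
            return "rejected: invalid label"
        key = skeleton(label)
        existing = self._by_skeleton.get(key)
        if existing is not None and existing[1] != owner:
            return f"rejected: confusable with {existing[0]!r} held by {existing[1]}"
        self._by_skeleton.setdefault(key, (label, owner))
        return "registered"
```

The point of the two U+08A1 cases is that both labels are single-script and individually well-formed, so only a check that sees the registry's existing names can refuse the second one.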