I disagree - bundling is the only solution I can see to help avoid having people from using the difference between old names and new names for security attacks.<br><br>Take this case:<br><ol><li>Suppose someone registered <a href="http://xn--oxaekj2bcabb8h.com">τιςγλώσσες.com</a> under IDNA2003, with IP XXX.<br>
</li><li>For anyone using a browser, emailer, etc. both "<a href="http://xn--oxaekj2bcabb8h.com">τιςγλώσσες.com</a>" and "<a href="http://xn--oxaekj2bcabb8h.com">τισγλώσσεσ.com</a>" would go to XXX.</li>
<li>Now we switch to IDNA2008</li><li>Someone else comes in and registers <a href="http://xn--oxaekj2bcabb8h.com">τιςγλώσσες.com</a>, for IP YYY.</li><li>Now:</li><ol><li>for people running with current and past browsers, emailers, and so on, <a href="http://xn--oxaekj2bcabb8h.com">τιςγλώσσες.com</a> will still go to XXX, while</li>
<li>for those with upgraded browser, emailers, etc, <a href="http://xn--oxaekj2bcabb8h.com">τιςγλώσσες.com</a> will go to YYY.</li></ol></ol>Given that it will take years before all the client software is replaced, the situation of some people going to YYY and some going to XXX will be alive for quite a while. During that time, the difference can be exploited for security attacks -- and will certainly cause interoperability problems; a huge percentage of Greek words end with an affected character.<br>
<br>The only way I can see to mitigate this is with bundling; that the registry makes sure to every extent possible that XXX = YYY by bundling.<br><br>It doesn't hurt new registrations. So "<a href="http://xn--mxaocnpis3f.com">αριθμούς.com</a>" automatically gets a bundled "<a href="http://xn--mxaocnpis3f.com">αριθμούσ.com</a>". It doesn't matter that "αριθμούσ" is linguistically ill-formed (so is "<a href="http://mydomainname.com">mydomainname.com</a>" - it would need spaces as "my domain name" to be linguistically correct. Bundling just ensures that both new and old clients work correctly without security problems.<br>
<br>If all the registries bundle all the 4 special cases for the foreseeable future, then we have a chance of this being just a mess, and not a horrible mess.<br><br clear="all">Mark<br>
<br><br><div class="gmail_quote">On Sat, Feb 21, 2009 at 13:28, Tina Dam <span dir="ltr"><<a href="mailto:tina.dam@icann.org">tina.dam@icann.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">On February 21, 2009 1:02 PM, Vint Cerf wrote:<br>
> Folks,<br>
><br>
> My reading of the consensus is that the WG has discussed and generally<br>
> accepted that Esszett, Final Sigma, ZWJ and ZWNJ can be made PVALID.<br>
<br>
</div>I completely agree.<br>
<div class="Ih2E3d"><br>
> For registries that formerly mapped Esszett or Final Sigma, the<br>
> solutions are:<br>
><br>
> 1. block registration of Esszett and Final Sigma at the registry level<br>
> (in which case any former registration forms are still valid but will<br>
> not be found by entering the newly PVALID characters)<br>
><br>
> 2. Bundle Esszett with "ss" and Final Sigma with lower case ("sigma")<br>
> (and do so retrospectively for all prior registrations of the mapped<br>
> forms).<br>
<br>
</div>I don't think bundling the two sigma's is a good solution. One is used in the middle of a word and the other at the end of a word. Not only are the two characters used differently they also look completely different. So while it's a registry decision on how to deal with this I don't think this group should make that bundling recommendation.<br>
<br>
But it strikes me there is a different solution. Open up for allowing the new characters for registration in a sunrise fashion, where existing registrants (in whatever workaround solution was applied previously for accommodating strings that otherwise would have contain either Esszett, Final Sigma, or ZWJ or ZWNJ) to pre-register using these new chars in replacement or addition to their current domain name registration.<br>
<font color="#888888"><br>
Tina<br>
</font><div><div></div><div class="Wj3C7c">_______________________________________________<br>
Idna-update mailing list<br>
<a href="mailto:Idna-update@alvestrand.no">Idna-update@alvestrand.no</a><br>
<a href="http://www.alvestrand.no/mailman/listinfo/idna-update" target="_blank">http://www.alvestrand.no/mailman/listinfo/idna-update</a><br>
</div></div></blockquote></div><br>