<br><br clear="all">Mark<br>
<br><br><div class="gmail_quote">On Thu, Jul 30, 2009 at 03:24, Gervase Markham <span dir="ltr"><<a href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">On 30/07/09 00:13, Mark Davis ⌛ wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I don't think that IDNA2008 will change much regarding spoofing. Some<br>
registries may be bound by the terms of IDNA2008, but most will not be.<br>
They could chose to abide by it strictly, or they could allow characters<br>
like HEART if they are in demand, or for compatibility with IDNA2003.<br>
</blockquote>
<br></div>
They could, but if none of the browsers render it, I suspect they won't.</blockquote><div><br>Well, it does come down to what the browsers decide to do.<br> <br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Conversely, the client side can't depend on the registries' all doing<br>
"the right thing", and will need to supply their own tests for spoofing;<br>
and for them as well, excluding symbols or checking for CONTEXTO<br>
accomplishes almost nothing as far as detecting spoofs.<br>
</blockquote>
<br></div>
I find that an odd conclusion. Banning dot-like, slash-like and hyphen-like punctuation seems to me like it would make a big difference in terms of restricting what spoofing is possible.</blockquote><div><br>It only takes one dot-like character to allow for a spoof of a dot. If you forbid 17 dot-likes but allow 3, it doesn't really prevent spoofing. And if you don't test for spoofs of 'a', 'b', etc, even checking for dot-spoofing doesn't do a lot of good. What I'm saying is that the restrictions put in place in IDNA2008 may look nice, but they are like a band-aid on a sieve: it still won't hold water. You need, say, a sheet of saran wrap inside the sieve -- and once you have the saran wrap, you don't need the band-aid.<br>
<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
<br>
Gerv<br>
</blockquote></div><br>