<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1256">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:546457992;
mso-list-type:hybrid;
mso-list-template-ids:217638398 -1088677794 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1
{mso-list-id:1145318896;
mso-list-type:hybrid;
mso-list-template-ids:253415688 555763778 67698715 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Arial","sans-serif";
mso-fareast-font-family:Calibri;}
@list l1:level2
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-18.0pt;}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoPlainText"><a name="_MailEndCompose">Dear All,<o:p></o:p></a></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">My name is Raed Al-Fayez I am from SaudiNIC (.sa<span dir="RTL"></span><span dir="RTL" style="font-size:10.5pt;font-family:Consolas"><span dir="RTL"></span>
</span><span dir="LTR"></span><span dir="LTR"></span>& <span dir="RTL"></span><span lang="AR-SA" dir="RTL" style="font-size:10.5pt;font-family:"Arial","sans-serif""><span dir="RTL"></span>.السعودية
</span><span dir="LTR"></span><span dir="LTR"></span> ccTLD Registry).<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">First of all I would like to thank Gervase Markham for opening such important issue; Also I thank everyone who have contributed in its discussion.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Please allow me to share with you our opinions and thoughts regarding "Browser IDN display policy":<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoNormal">IDNs should not be treated as second-class citizens on the Internet. They should be displayed in their native languages and not treated/displayed in their corresponding ASCII encodings. Users should not do anything to get their IDNs displayed
correctly in their screens. IDNs should not be forced to be displayed in their ASCII format just – as some vendor claims: "<i><span style="color:#548DD4">The standard text encoding is used because it's possible for letters and symbols in some languages to
be used to impersonate English language websites for phishing scams</span></i>". Please note that not ALL SCRIPTs can be used to "<i><span style="color:#548DD4">impersonate English language websites</span></i>".<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal">I would repeat here what Gervase Markham from Mozilla had – accurately - said in one of the ICANN meetings:
<span lang="AR-SA" dir="RTL"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span dir="LTR"></span><span dir="LTR"></span><span dir="LTR"></span><span dir="LTR"></span>"They [IDNs] are going to be just as safe to use as ASCII domain names. You don't need extra alerts you don't need extra
warnings, don't need extra training to use them. If they are less safe because characters are allowed which might confuse people, and therefore there is some danger, then we have failed in that goal ..".<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">At SaudiNIC, we have experiences with providing Arabic IDNs as we were the 1<sup>st</sup> ccTLD registry provided IDN registration in our region. We have observed that our local users lost their trust in the Arabic IDNs when IDN addresses
appeared in ASCII encoding. Many of them were shocked not to see the Arabic IDNs but rather "garbage text" not in their native language. Furthermore, they had difficulties or did not know how to fix this within the operating systems or the browsers they were
using. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please note in our registry we provide a conservative and a complete IDN solution which include Variants managements at the Arabic Script level as well as we do not allow script mixing. Registration are based on a very well defined and
limited language table. So the security issue is already taking care by the registry (us). Hence, users should have no security issue when they get Arabic IDNs and should be displayed in their native language automatically without the intervention by anyone
including the users him/herself.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Here are some comments regarding Option A:<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]><span dir="LTR"></span>A language/country is added to the supported list but it is not associated with an IDN TLD. Hence, if a user add the Arabic language to the supported list this will always displays all the Arabic IDNs regardless
wither the IDN TLD is trusted or not.<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]><span dir="LTR"></span>This treats IDNs as second criticizes of the Internet which leads to miss-trustiness from users in the IDNA as it always needs intervention from the user (which is not easy and not standard).<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]><span dir="LTR"></span>This option leads to different actions from the users to enable IDNs depending on operating system type/version and used applications (e.g., browsers). Therefore, it adds extra complexity to user acceptance and
registry customer care.<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]><span dir="LTR"></span>In Airports or public internet hotspots<span style="color:red">
</span>IDNs would not work properly as user have no control in the application settings.<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]><span dir="LTR"></span>IDNA deals with domain labels at the script level, but "Option A" works at the language (and country) level which are incompatible behavior.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As IDNs are about making the Internet more global and accessible for everyone and many companies/communities are investing heavily in IDNs, it would not be fair to treat IDN domain names differently from their ASCII/English ones. IDNs should
be used and displayed automatically without the intervention of users. This is very important so that these investments will not be jeopardized just because of these kind of treatments which will shun away the users from IDNs . Thus, IDNs should be treated
as first-class citizens of Internet.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We have to be very careful as new gTLDs are coming in the market that will be used by almost all users around the world. It is not adequate and justifiable that new ASCII gTLDs are working from day one while new IDN gTLDs are handicapped
by the applications and need some extra intervention and involvement from the user side to make them working probably.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In our judgment, the issue of " <i><span style="color:#548DD4">impersonate English language websites for phishing scams</span></i>" is unjustly magnified based on bad example of a registry practice. For example, under ".com", IDN was supported
with almost all possible Unicode characters without any restriction or variants managements. Hence, registries who provide clear language tables, policies, and variants handling mechanisms do not fall in these kind of problems but they have been penalize.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The problems cited as they are from IDNs can be addressed through mechanisms similar to the current practices to fight phishing scams and malware. Currently, web browsers and search engines have their own means to flag suspicious sites
as a service provided from the application vendors to their users.<span style="color:#1F497D">
<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hence, we recommend the following:<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l1 level1 lfo2"><![if !supportLists]><span style="font-family:"Arial","sans-serif""><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span dir="LTR"></span>IDNs should be treated and handled similarly to ASCII domains. It should not require extra efforts from the users to make them work correctly. It should be transparent to the users, except for the suspicious
sites (that can be handled via a black list).<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l1 level1 lfo2"><![if !supportLists]><span style="font-family:"Arial","sans-serif""><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span dir="LTR"></span>Otherwise, if it is not possible to execute, we recommend to have a centralized authority (e.g., ICANN/IANA) that maintain a repository for each TLD registry that contains information about the registry's
language tables, list of supported languages and it should be filled automatically (online) as part of the delegation process.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">With best regards,<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Raed I. Al-Fayez<o:p></o:p></p>
<p class="MsoPlainText">------------------------------------------<o:p></o:p></p>
<p class="MsoPlainText">Senior IT Projects Specialist, M.Sc, PMP<o:p></o:p></p>
<p class="MsoPlainText">Saudi Network Information Center (SaudiNIC) <o:p></o:p></p>
<p class="MsoPlainText">Communication and Information Technology Commission (CITC)<o:p></o:p></p>
<p class="MsoPlainText">Tel: + 966-1-2639235 - Fax: + 966-1-2639393<o:p></o:p></p>
<p class="MsoPlainText">http://www.nic.net.sa<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<br>
From: idna-update-bounces@alvestrand.no [mailto:idna-update-bounces@alvestrand.no] On Behalf Of Gervase Markham<br>
Sent: Friday, December 09, 2011 2:12 PM<br>
To: idna-update@alvestrand.no<br>
Subject: Browser IDN display policy: opinions sought</p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Recently, Mozilla community member Jothan Frakes was kind enough to do some research about how different popular web browsers implement IDN, and when they display the real characters and when they display Punycode. This is in the context
of a Mozilla review of our policy. I am interested in the opinions of people on this list (see below).<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">As it turns out, the behaviour of all popular browsers is summarised at the bottom a Chromium project document here:<o:p></o:p></p>
<p class="MsoPlainText"><a href="http://www.chromium.org/developers/design-documents/idn-in-google-chrome"><span style="color:windowtext;text-decoration:none">http://www.chromium.org/developers/design-documents/idn-in-google-chrome</span></a><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">The policies fall into 3 approximate buckets:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">A (IE, Chrome): Unicode if the (single) 'language' of the string is configured in the options, Punycode otherwise.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">B (Firefox, Opera): Unicode if the TLD is in a whitelist, Punycode otherwise. Arbitrary script mixing permitted (registry policy used to prevent abuse).<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">C (Safari): Unicode if the script is in a whitelist (which by default does not include Cyrillic or Greek), Punycode otherwise. Not sure about script mixing.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Firefox has historically resisted adopting a Type A policy because we consider it seriously detrimental to IDN adoption and use. It seems to me that IDN can never be reliable for site owners, and therefore will not succceed, if a significant
proportion of the world's browsers adopt Type A or Type C policies. This is because site owners can never know what proportion of their visitors will see gobbledegook in the URL bar rather than their nice domain name. Perhaps for sites whose visitors are all
guaranteed to be from a particular country or language group, with properly-configured browsers and OSes which know that they speak a certain language or use a certain script, it might work - but I suggest that's a small subset of all sites. Many people in
non-English-speaking countries still use English OSes and English browsers, with default settings.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Type C is particularly bad - Russian and Greek IDNs are broken by default, but even if you persuade your users to turn it on, they can then be mixed-script spoofed. You get to choose between functionality and security.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">By contrast, with a Type B policy, if your IDN domain works in one copy of Firefox, it works in them all. If everyone had Type B policies, there would be no risk of a properly-registered domain coming up as gibberish.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">It has been suggested that Firefox switch to a Type A policy. As it is, the mix of policies means that the goal of universal acceptability is not being met anyway. Firefox switching to Type A would also not meet that goal by itself,
but one could argue that there's a bit more consistency to browser behaviour.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I would be interested in the opinion of people on this list as to:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">- whether my analysis seems reasonable;<o:p></o:p></p>
<p class="MsoPlainText">- whether they prefer type A, B or C; and<o:p></o:p></p>
<p class="MsoPlainText">- whether they see any particular policy as more damaging to IDN<o:p></o:p></p>
<p class="MsoPlainText"> adoption than another.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Has anyone lobbied one browser manufacturer or another to change their policy? Is there another option that is not currently in use which would be better?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">(Note that "no restrictions" is not an option, given what happened in<o:p></o:p></p>
<p class="MsoPlainText">2005 with payp-cyrillic-a-l.com, and I would rather not derail this debate by rehearsing those arguments again.)<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Gerv<o:p></o:p></p>
<p class="MsoPlainText">_______________________________________________<o:p></o:p></p>
<p class="MsoPlainText">Idna-update mailing list<o:p></o:p></p>
<p class="MsoPlainText"><a href="mailto:Idna-update@alvestrand.no"><span style="color:windowtext;text-decoration:none">Idna-update@alvestrand.no</span></a><o:p></o:p></p>
<p class="MsoPlainText"><a href="http://www.alvestrand.no/mailman/listinfo/idna-update"><span style="color:windowtext;text-decoration:none">http://www.alvestrand.no/mailman/listinfo/idna-update</span></a><o:p></o:p></p>
</div>
<font face="monospace"><br>
-----------------------------------------------------------------------<br>
تنويه:<br>
هذه الرسالة و مرفقاتها (إن وجدت) تمثل وثيقة سرية قد تحتوي على معلومات تتمتع بحماية وحصانة قانونية. إذا لم تكن الشخص المعني بهذه الرسالة يجب عليك تنبيه المُرسل<br>
بخطأ وصولها إليك، و حذف الرسالة و مرفقاتها (إن وجدت) من الحاسب الآلي الخاص بك. ولا يجوز لك نسخ هذه الرسالة أو مرفقاتها (إن وجدت) أو أي جزئ منها، أو<br>
البوح بمحتوياتها لأي شخص أو استعمالها لأي غرض. علماً بأن الإفادات و الآراء التي تحويها هذه الرسالة تعبر فقط عن رأي المُرسل و ليس بالضرورة رأي هيئة الاتصالات و<br>
تقنية المعلومات، ولا تتحمل الهيئة أي مسئولية عن الأضرار الناتجة عن هذ البريد.</font></body>
</html>