Shawn.Steele at microsoft.com
Tue May 6 18:52:05 CEST 2008
Regarding allowing people to shoot other people in the foot.
I think that the right behavior is to create guidelines (as part of an additional document) that the registrars can follow. Clients could also use those guidelines if they feel it necessary.
But I'd like to point out that anti-spam and phishing filters and whatnot will be implemented anyway by clients that are concerned about such things. They may use techniques such as blacklists, user reports, keyword matching, testing for mixed scripts, homograph matching, https certificate matching, etc. Even with a "perfect" system that allows only the minimal character repertoire necessary, someone will discover that rnicrosoft looks like microsoft (in some fonts) or register a paypal.youlose.com or whatever.
Other techniques provide security that IDN/DNS cannot. They can even include the techniques that IDN would propose if they added additional security.
I think that the names involved have gotten so complex that we cannot guarantee that a particular name will be resolved by a particular client. With the existing IDN RFCs many clients jump through script detection and other steps to try to filter out illegitimate sites, even if they were properly registered. Many of those found and filtered by IE as spoofing or phishing sites are purely ASCII names anyway. Some existing registrars are also much more strict than IDN permits, allowing only certain scripts or characters to be registered.
So in my view our goal should be to create a common representation of the strings and leave determining the appropriateness of the strings to the registrars / clients / filters (maybe with another doc like UTR36 for guidelines).
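Added example, not part of the original message: a minimal client-side filter sketch for three of the checks the message names (mixed-script testing, look-alike matching such as rnicrosoft/microsoft, and a watched name used as a subdomain as in paypal.youlose.com). The watch list, the look-alike table, the function names and the "last two labels are the registered domain" rule are all assumptions made for illustration.

```python
import unicodedata

# Constructed watch list and look-alike table (assumptions); a real filter
# would use a maintained confusables data set and a public-suffix list.
WATCHED = {"microsoft", "paypal"}
ASCII_LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def script_of(ch):
    """Rough script bucket taken from the first word of the Unicode name."""
    if ch.isdigit() or ch == "-":
        return None  # digits and hyphen are shared by all scripts
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def skeleton(label):
    """Fold ASCII look-alike sequences so 'rnicrosoft' compares as 'microsoft'."""
    s = label.lower()
    for seq, repl in ASCII_LOOKALIKES:
        s = s.replace(seq, repl)
    return s

# Compare skeleton to skeleton so watched names that contain a foldable
# sequence still match themselves.
WATCHED_SKELETONS = {skeleton(w): w for w in WATCHED}

def check_hostname(host, registrable_labels=2):
    """Return a sorted list of findings for one hostname in Unicode form."""
    labels = host.lower().rstrip(".").split(".")
    findings = set()
    for i, label in enumerate(labels):
        scripts = {script_of(c) for c in label} - {None}
        if len(scripts) > 1:
            findings.add(f"mixed-script:{label}")
        # Assumption: the last `registrable_labels` labels are the registered name.
        is_registrable = i >= len(labels) - registrable_labels
        if label in WATCHED:
            if not is_registrable:
                findings.add(f"brand-in-subdomain:{label}")
        elif skeleton(label) in WATCHED_SKELETONS:
            target = WATCHED_SKELETONS[skeleton(label)]
            findings.add(f"lookalike:{label}->{target}")
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample hostnames; the third uses CYRILLIC SMALL LETTER A.
    for h in ["rnicrosoft.com", "paypal.youlose.com", "p\u0430ypal.com", "www.microsoft.com"]:
        print(h, check_hostname(h))
```

The first two samples are pure ASCII and pass any script restriction, which is the message's point about such checks living in clients and filters rather than in the name representation.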