Esszett, Final Sigma, ZWJ and ZWNJ

Mon Feb 23 22:53:39 CET 2009

I disagree - bundling is the only solution I can see to help avoid having
people from using the difference between old names and new names for
security attacks.

Take this case:

   1. Suppose someone registered
τιςγλώσσες.com<http://xn--oxaekj2bcabb8h.com>under IDNA2003, with IP
XXX.
   2. For anyone using a browser, emailer, etc. both
"τιςγλώσσες.com<http://xn--oxaekj2bcabb8h.com>"
   and "τισγλώσσεσ.com <http://xn--oxaekj2bcabb8h.com>" would go to XXX.
   3. Now we switch to IDNA2008
   4. Someone else comes in and registers
τιςγλώσσες.com<http://xn--oxaekj2bcabb8h.com>,
   for IP YYY.
   5. Now:
      1. for people running with current and past browsers, emailers, and so
      on, τιςγλώσσες.com <http://xn--oxaekj2bcabb8h.com> will still go to
      XXX, while
      2. for those with upgraded browser, emailers, etc,
τιςγλώσσες.com<http://xn--oxaekj2bcabb8h.com>will go to YYY.

Given that it will take years before all the client software is replaced,
the situation of some people going to YYY and some going to XXX will be
alive for quite a while. During that time, the difference can be exploited
for security attacks -- and will certainly cause interoperability problems;
a huge percentage of Greek words end with an affected character.

The only way I can see to mitigate this is with bundling; that the registry
makes sure to every extent possible that XXX = YYY by bundling.

It doesn't hurt new registrations. So
"αριθμούς.com<http://xn--mxaocnpis3f.com>"
automatically gets a bundled "αριθμούσ.com <http://xn--mxaocnpis3f.com>". It
doesn't matter that "αριθμούσ" is linguistically ill-formed (so is "
mydomainname.com" - it would need spaces as "my domain name" to be
linguistically correct. Bundling just ensures that both new and old clients
work correctly without security problems.

If all the registries bundle all the 4 special cases for the foreseeable
future, then we have a chance of this being just a mess, and not a horrible
mess.

Mark

On Sat, Feb 21, 2009 at 13:28, Tina Dam <tina.dam at icann.org> wrote:

> On February 21, 2009 1:02 PM, Vint Cerf wrote:
> > Folks,
> >
> > My reading of the consensus is that the WG has discussed and generally
> > accepted that Esszett, Final Sigma, ZWJ and ZWNJ can be made PVALID.
>
> I completely agree.
>
> > For registries that formerly mapped Esszett or Final Sigma, the
> > solutions are:
> >
> > 1. block registration of Esszett and Final Sigma at the registry level
> > (in which case any former registration forms are still valid but will
> > not be found by entering the newly PVALID characters)
> >
> > 2. Bundle Esszett with "ss" and Final Sigma with lower case ("sigma")
> > (and do so retrospectively for all prior registrations of the mapped
> > forms).
>
> I don't think bundling the two sigma's is a good solution. One is used in
> the middle of a word and the other at the end of a word. Not only are the
> two characters used differently they also look completely different. So
> while it's a registry decision on how to deal with this I don't think this
> group should make that bundling recommendation.
>
> But it strikes me there is a different solution. Open up for allowing the
> new characters for registration in a sunrise fashion, where existing
> registrants (in whatever workaround solution was applied previously for
> accommodating strings that otherwise would have contain either Esszett,
> Final Sigma, or ZWJ or ZWNJ) to pre-register using these new chars in
> replacement or addition to their current domain name registration.
>
> Tina
> _______________________________________________
> Idna-update mailing list
> Idna-update at alvestrand.no
> http://www.alvestrand.no/mailman/listinfo/idna-update
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.alvestrand.no/pipermail/idna-update/attachments/20090223/f203063a/attachment.htm 