Data on confusables
Vint Cerf
vint at google.com
Thu Jul 30 12:32:37 CEST 2009
Gerv,
the present formulation deliberately built up its PVALID forms by
inclusion rather than exclusion precisely to try to limit which
characters are permitted to be used.
In particular, IDNA2008 tried to achieve this by invoking Unicode
properties and inventing formulae to apply them.
Excluded from PVALID are a range of character classes including
punctuation and mathematical symbols, but the WG consensus is that no
set of rules will absolutely eliminate all forms of confusion or
deliberate spoofing. Rather, a combination of character limitations
and registry (zone administrator) filtering seems to be needed and
even then one can anticipate weak filtering out of negligence or
ignorance.
vint
On Jul 30, 2009, at 6:24 AM, Gervase Markham wrote:
> On 30/07/09 00:13, Mark Davis ⌛ wrote:
>> I don't think that IDNA2008 will change much regarding spoofing. Some
>> registries may be bound by the terms of IDNA2008, but most will not
>> be.
>> They could chose to abide by it strictly, or they could allow
>> characters
>> like HEART if they are in demand, or for compatibility with IDNA2003.
>
> They could, but if none of the browsers render it, I suspect they
> won't.
>
>> Conversely, the client side can't depend on the registries' all doing
>> "the right thing", and will need to supply their own tests for
>> spoofing;
>> and for them as well, excluding symbols or checking for CONTEXTO
>> accomplishes almost nothing as far as detecting spoofs.
>
> I find that an odd conclusion. Banning dot-like, slash-like and
> hyphen-like punctuation seems to me like it would make a big
> difference
> in terms of restricting what spoofing is possible.
>
> Gerv
> _______________________________________________
> Idna-update mailing list
> Idna-update at alvestrand.no
> http://www.alvestrand.no/mailman/listinfo/idna-update
More information about the Idna-update
mailing list