Browser IDN display policy: opinions sought

Tue Dec 13 12:24:56 CET 2011

On 2011/12/13 19:43, Gervase Markham wrote:
> On 13/12/11 10:19, "Martin J. Dürst" wrote:
>> To take some very simple examples, why do I have to look at
>> http://www.xn--viagnie-eya.com/ in Firefox when I can see
>> http://www.viagénie.com in Chrome? The other way round, why do I have to
>> look at http://xn--80abvnkf0a.xn--p1ai in Chome when I can see
>> http://биатлон.рф in Firefox? (and why can I see both of these in Opera
>> and in Safari?)
>>
>> There is absolutely *nothing* wrong with displaying either of these
>> domain names. Otherwise, the other browsers displaying them, and their
>> users, would be in deep trouble, wouldn't they? That's the reason I say
>> that browsers overreacted.
>
> That sounds like your definition of "not overreacting" is "solving the
> problem with a 0% false positive and 0% false negative rate".

Well, that would indeed have been wonderful :-). But without attaching 
any significance to actual numbers, what I was trying to say is the 
following:

Currently you have essentially 0% false negatives if we define the 
problem narrow enough (i.e. we exclude in-script confusables, 
orthographic stuff such as color/colour, and the like), but something 
like 50% or 80% or so false positives. And you could easily decrease the 
number of false positives by quite a lot (possibly getting into a 5% or 
even a 1% range) with a different policy or a combination of policies.

> (Or
> perhaps you would have been happy with us doing nothing, which has a 0%
> false positive rate, but a non-0 false negative rate.)

[Me personally, why not. But because I'm using a Japanese OS, I'm in the 
lucky situation that Cyrillic and Greek are displayed in full-width, 
which makes them really stick out. And I'm also a rather careful 
browser, or so I hope.]

For the overall Web, not displaying (as U-labels) mixed-script labels 
(except for where exceptions are truly needed) and whole-script 
confusables is definitely a good thing. But that's many less labels than 
what is affected in the browsers currently.

>> But if I were in the position of a registry, I'm not sure I'd taken the
>> time to submit bug reports. One browser might be okay, but what if all
>> browsers were doing this? And what if their criteria were all slightly
>> different? The number of browsers is another dimension over which this
>> approach doesn't scale. (For those people who think that there are only
>> four or five browsers around: That's totally wrong. There are four or
>> five major browsers, but there are many, many others.)
>
> In practice, as with CA inclusions, it tends to be that the smaller
> browsers just adopt the decisions of the larger ones.

Good to know.

> Even some large
> browsers do - Google Chrome uses the OS cert store on each platform, AIUI.
>
> This does have, of course, pros and cons. But given the fairly low
> effort of filing a bug with us, and the corresponding gain that an
> additional 30% of the Internet will be able to correctly see the IDNs
> you are selling, that seems like a good use of registry time to me...

To you of course :-). But some registries might be more concerned about 
authority and 'face' than about practicalities.

Regards,     Martin.