Browser IDN display policy: opinions sought

Andrew Sullivan ajs at
Tue Dec 13 16:49:07 CET 2011

On Tue, Dec 13, 2011 at 05:34:40AM -0500, John C Klensin wrote:

> but...).  To do a more sophisticated check, you'd need to be
> able to ask the DNS server to return all of the labels that
> might be confused with the one you are thinking about looking
> up.

Aha.  You want some kind of assurance that, if you are looking up the
label, you can rely on the party who told you what the policy is to
enforce that policy.

How is this different from the state of affairs that obtains now?  If
Afilias did something bonehead in .info tomorrow, I have little
confidence that Opera and Mozilla would detect it right away -- how
would they even know to look?

I claim that, if "be sure nobody is lying about what they are doing"
is the criterion for success, this effort is doomed.  That's like
wishing for a protocol that will prove the guys with the shell games
in your favourite tourist trap are never going to cheat.  Or, to beat
up on the usual metaphor, it's an invisible flying pony.  With sparkles.

> Ignoring the performance issues, etc., there is another problem
> with saying "let's put a pointer to the rules in the DNS".  If
> those rules are going to be machine-processed, there must be an
> agreed-upon format.

Yes, this is a problem.  OTOH, as we see in this thread, the existing
answers are all broken.  Perhaps the REPUTE WG offers us a chance at
a way to evaluate these things over time?

> Unless this situation is rationalized sufficiently by some
> entity that has the authority to enforce it on some domains and
> create, by example, a model that inspires (or creates pressure
> on) others

This sounds like a desire for a universal co-ordinator of the DNS.
The exact point of the protocol was to get rid of that choke point, so
I don't think we're going to re-invent it.

> > supposed to be in" or "I know who the bad guys are, trust me."
> And I'm suggesting that any system that makes the rules easier
> to find will ultimately come down to your second choice above
> unless some entity starts enforcing (at least) conformance to
> declared rules and preferably a minimum set of rules as well.

In the area of spam control, despite all the nasty side effects,
consulting several different abuse lists (which we might like to think
of as "reputation services") gets you more information to base your
decisions on.  I don't see why a similar approach might not work for
IDN display, _provided that_ zones have a way of stating what it is
they're trying to do.  Such a mechanism (and calling this hand-wavy
sketch of an idea a "proposal" is giving it too much credit) would be
extremely imperfect and it would mean that new names always started at
a disadvantage.  But it would at least give us something to build on.



Andrew Sullivan
ajs at
