IDN processing-related security considerations for draft-ietf-websec-strict-transport-sec

Andrew Sullivan ajs at
Fri Sep 30 21:12:47 CEST 2011

On Fri, Sep 30, 2011 at 12:58:56PM -0600, Peter Saint-Andre wrote:
> Because it seems that most or all of the browsers implement IDNA2003 but
> have no plans to migrate to IDNA2008.

Really?  Or is this rather "plan to implement IDNA2008 + UTS46"?  The
latter is a mapping that breaks some features of IDNA2008, but doesn't
break everything.

AFAICT, ICANN's current IDN TLD plans, as well as the IDN
Implementation Guidelines currently out for public comment, depend on
IDNA2008.  If no browser is actually going to implement IDNA2008, then
we have a serious mismatch between the publishing side and the
consuming side, and perhaps policy needs to be re-examined.


Andrew Sullivan
ajs at

More information about the Idna-update mailing list