"This case isn't the important one" (was Re: Visually confusable characters (8))
Mark Davis ☕️
mark at macchiato.com
Mon Aug 11 07:20:02 CEST 2014
On Sun, Aug 10, 2014 at 4:22 PM, Andrew Sullivan <ajs at anvilwalrusden.com>
> No, the problem here is that we have discovered rather late in the
> game that the thing NFC is for _is not_ what we thought it was.
No knowledgeable person ever represented that NFKC would remove all
confusable characters. It clearly does not and cannot, since "paypal" and
"paypa1" are confusable, and just involve ASCII characters. Starting in
2005, Unicode has made unicode.org/reports/tr36 and unicode.org/reports/tr39
available (and pointed people to them from this list). Those have long
detailed many of the issues involved in confusability.
The people promoting the IDNA2010 approach have long known that it wouldn't
solve the confusability issue.
For example, on Mon, Dec 22, 2008 at 8:03 AM, John C Klensin <
klensin at jck.com> wrote:
> (i) What is, and is not, look-alike, is a very subjective
> The bottom line is that we've concluded that character
> combinations that are specifically phishing issues should be
> dealt with by registries, who presumably know what they are
> doing with scripts they choose to support, and by application
> implementers who can warn people against hazardous combinations
> (and potentially against registries who persistently permit
> registration of strings that have no real value other than to
> create phishing opportunities.
> These decisions were the result of explicit (and quite lengthy)
> discussion, not an "oversight".
*— Il meglio è l’inimico del bene —*
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Idna-update