IDNA and U+08A1 and related cases

[Nico Williams]

On Mon, Jan 26, 2015 at 05:02:48PM +0000, Gervase Markham wrote:
> On 26/01/15 06:30, Asmus Freytag wrote:
> > The fundamental design limitation of IDNA 2008 is that, largely, the
> > rules that it describes pertain to a single label in isolation.
> 
> tl;dr of your message: additional work is needed beyond IDNA2008 to have
> a secure system...

I'm not so sure.  What more can IDNA do about this?  (See below.)

> > That calls for a different mechanism, what I have called "exclusion
> > mechanism".
> 
> ...which involves name registries doing the right thing.

Isn't that what UTR#39 says.

> Yes, indeed. Which is why, for years, this was a requirement of IDNA
> enablement in Firefox. Only the proliferation of registries put an end
> to our enforcement of that policy programmatically. We (or at least, I)
> now intend to enforce it via the media if there is ever a problem caused
> by a registry allowing one of its customers to attack another one by
> registering a homograph.

Right, if a registry screws this up, their reputation has to suffer.

(The same goes for CAs, no?  Though of course DNS has to come first.)

Nico
--