Barry,

spot on, plus the idea of a list of forbidden strings appears to be pure lunacy in this context. All strings are potentially an attack for any substitution of any character by any IDN look-alike character. The list would contain a couple zillion names and as you say, many could be legitimate. To complicate things further, an ASCII "A" could be used in a homograph attack by substituting for a Greek or Cyrillic "A" as well.

I may be missing something and would study a correction though.

Alejandro Pisanty

On Fri, Jul 20, 2018 at 1:37 PM, <bzs@theworld.com> wrote:

On July 19, 2018 at 15:48 6.Internet@gmail.com (Sivasubramanian M) wrote:
 > Please take a look at the attached screenshot of a domainer's offer to sell
 > single character IDNs, for instance an IDN variant (lookalike) of the ASCII
 > character X, which sets a harmful trend. This is an issue of confusability.

The general term for this is "homograph attack" or specifically "IDN
homograph attack", where "attack" may be in the eye of the beholder:

  https://en.wikipedia.org/wiki/IDN_homograph_attack

and has been the subject of much discussion over recent years and
little resolution.

I believe one popular proposal is browser support which either
visually flags such IDNs or displays the punycode alongside which is
an ASCII representation and should make obvious that this is not what one
might suspect.

For example (from this wikipedia page): xn--bcher-kva.tld indicating
an umlauted 'u' is in there but importantly that it's not just
bucher.tld.

  https://en.wikipedia.org/wiki/Punycode

There's still the problem with intent. Could I legitimately offer for
sale the strings with and without the umlaut? I think that's generally
considered acceptable.

Caveat emptor?

 >
 > I understand that the Registries (are required to?) maintain a list of harmful
 > names for their TLDs, but there is no common minimal list of harmful names. One
 > possible way to achieve this is for the Registries, at least in the ASCII
 > space, to volunteer to feed their respective list of harmful names into a
 > common Registry Stakeholder database, and then draw up a common minimum list of
 > harmful domain names that any Registry could avoid registering. 
 >
 > If At-Large could shape this as a workable suggestion, it could formally go to
 > the Registry Stakeholders.
 >
 > Sivasubramanian M
 > x[DELETED ATTACHMENT Screenshot_20180719-152932~2.png, PNG image]
 > _______________________________________________
 > At-Large mailing list
 > At-Large@atlarge-lists.icann.org
 > https://atlarge-lists.icann.org/mailman/listinfo/at-large
 >
 > At-Large Official Site: http://atlarge.icann.org

--
        -Barry Shein

Software Tool & Die    | bzs@TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


--
- - - - - - - - - - - - - - - - - - - - - - - - - - -
     Dr. Alejandro Pisanty
Facultad de Química UNAM
Av. Universidad 3000, 04510 Mexico DF Mexico
+52-1-5541444475 FROM ABROAD
+525541444475 FROM MEXICO SMS +525541444475
Blog: http://pisanty.blogspot.com
LinkedIn: http://www.linkedin.com/in/pisanty
Join the UNAM group on LinkedIn, http://www.linkedin.com/e/gis/22285/4A106C0C8614
Twitter: http://twitter.com/apisanty
---->> Join ISOC Mexico, http://www.isoc.org
.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
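
Added example, not part of the original thread: a sketch of the display-side check discussed above, which shows the punycode (xn--) form of a label next to the scripts it uses. The names script_of and classify and the sample labels are assumptions made for illustration; the script lookup from Unicode character names is a simplification of the real Unicode Script property, and Python's built-in "idna" codec implements IDNA 2003.

```python
import unicodedata

def script_of(ch):
    # Simplification (assumption): derive the script from the Unicode
    # character name instead of the Unicode Script property.
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER" if ch.isalpha() else "COMMON"  # digits, hyphen

def classify(label):
    """Return (A-label, scripts used, verdict) for one domain label."""
    alabel = label.encode("idna").decode("ascii")  # stdlib IDNA 2003 codec
    scripts = sorted({script_of(c) for c in label} - {"COMMON"})
    if not alabel.startswith("xn--"):
        verdict = "ascii"              # nothing to reveal
    elif len(scripts) > 1:
        verdict = "mixed-script"       # e.g. one Cyrillic letter among Latin
    else:
        verdict = "single-script-idn"  # legitimate, or a whole-script look-alike
    return alabel, scripts, verdict

# Constructed sample labels (not taken from the thread, except bücher).
SAMPLES = [
    "bucher",                 # plain ASCII
    "b\u00fccher",            # bücher, the example cited in the thread
    "\u0430pple",             # Cyrillic U+0430 followed by Latin "pple"
    "\u0441\u043e\u0441\u043e",  # all Cyrillic, renders like Latin "coco"
]

if __name__ == "__main__":
    for label in SAMPLES:
        alabel, scripts, verdict = classify(label)
        print(f"{label:8} {alabel:16} {'+'.join(scripts):16} {verdict}")
```

The all-Cyrillic sample is not caught by the mixed-script test; only the xn-- form next to the rendered label distinguishes it from its Latin look-alike.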