December 2017 - comments-idn-guidelines-19oct17@icann.org

[Comments-idn-guidelines-19oct17] Fwd: [NCSG-PC] Fwd: [NCSG-Discuss] Second Public Comment on IDN Guidelines
by Rafik Dammak Dec. 16, 2017

Dec. 16, 2017

Hi, please, find attached the NCSG comment on IDN guidelines. Best Regards, Rafik

1 0

[Comments-idn-guidelines-19oct17] Registries Stakeholder Group (RySG) comments on Internationalized Domain Name (IDN) Implementation Guidelines – Second Public Comment
by svg＠milathan.ltd Dec. 11, 2017

Dec. 11, 2017

Please find attached, in PDF format, the Registries Stakeholder Group (RySG) comments on Internationalized Domain Name (IDN) Implementation Guidelines – Second Public Comment. In the interest of time, the RySG did not conduct a formal vote on these comments. They were circulated and debated on our mailing list, with no member expressing opposition to their submission. Please do not hesitate to contact me or any member of the RySG Executive Committee should you have any questions. Best regards, Stéphane Van Gelder RySG Vice Chair (Policy)

1 0

[Comments-idn-guidelines-19oct17] IDNs have potential for a lot more homoglyphs than is neccessary
by Anton Bershanskiy Dec. 10, 2017

Dec. 10, 2017

Dear IDN Implementation guidelines Working Groop, Thank you for all the great work you are doing. I got interested in IDN homoglyphs and would like to share a few observations that I made (while IDN homoglyph generator based on IDN Tables and Unicode Technical Standard #39). Also, I made a proof-of-concept attack using an IDN homoglyph to do a man-in-the-middle attack on a website with mixed content to make an illusion of HTTPS-secured connection. 1. IDN Tables are more numerous then necessary and are sometimes redundant. Consider the following example: TLD .קום has 97 active IDN Tables, most of which are from entirely unrelated languages and even different continents. Note that two of these tables is Ukrainian and Cyrillic. 1.1. First of all, Ukrainian table is entirely unnecessary from usability perspective, since no Ukrainian would ever use this TLD as we have a completely different script system: Cyrillic. I can not even imagine how someone would even type this address. 1.2. Secondly, Ukrainian is entirely included in Cyrillic, thus does not really require a separate table. It might be a good idea to recommend registrars to remove (retire) IDN tables that are proper subsets of other tables or, better yet, not use overly permissive tables. 1.2. More importantly, Cyrillic contains a few code points similar to Latin, thus might allow homoglyphs for some of non-IDN second-level labels, that are recorded in in the DNS as usual ASCII strings (not Punycode). 2. I made a proof-of-concept man-in-the-middle attack with a Homoglyph. 2.1. Unsurprisingly, I was able to register a whole-script Cyrillic homoglyph (in COM space) for a usual ASCII domain and 2.2. got a valid TLS certificate for it. 2.3. Then, I proxied all HTTP traffic on my computer via a server that would redirect all HTTP for that specific domain to the homoglyph with HTTPS. 3.3. This simple system allowed me to visit "secure" HTTPS original site and then click an HTTP link to another page and be redirected to HTTP://original -> my local server -> HTTPS://homoglyph, resulting in visually undetectable man-in-the-middle attack. Sincerely, University of Illinois at Urbana-Champaign student Anton Bershanskiy.

1 0

[Comments-idn-guidelines-19oct17] Business Constituency (BC) comment on Internationalized Domain Name (IDN) Implementation Guidelines
by Steve DelBianco Dec. 10, 2017

Dec. 10, 2017

The ICANN Business Constituency (BC) submits the attached comment on Internationalized Domain Name (IDN) Implementation Guidelines. ( ICANN comment page at https://www.icann.org/public-comments/idn-guidelines-2017-10-19-en ) This comment was drafted by Andy Abrams, Paul Mitchell, and Olga Yaguez. It was approved in accord with the BC Charter. — Steve DelBianco Vice chair for policy coordination ICANN Business Constituency

1 0

[Comments-idn-guidelines-19oct17] JPRS comment on the Internationalised Domain Name Implementation Guidelines
by yoshitaka＠jprs.co.jp Dec. 8, 2017

Dec. 8, 2017

Dear ICANN, Thank you for giving us the oppotunity to submit the comments on the Guidelines for the Implementation of Internationalized Domain Names 4.0. Please find our comments as follows. Comments to paragraph 15 and 16, "2.5.2 Commingling of cross-script code points in a single label": As you describe about the exemption about the commingled use of multiple scripts in these paragraphs, it is an important point of view whether such multiple scripts are used exclusively in relevant linguistic area or not. For example, while Japanese characters are technically devided into 3 scripts (Han, Hiragana and Katakana), the official language of Japan is only Japanese and these 3 scripts are not the exclusive with each other. An example of mixed scripts in Japanese: Most of Japanese people write the phrase "registration of .jp domain name" as "jpドメイン名の登録" in Japanese. <><------><><><--> 1 2 3 4 5 This short phrase consists of Latin(1), Katakana(2), Han(3,5) and Hiragana(4) scripts. #If you can not display it, please see the attached file. That is, Japanese language user always uses Han, Hiragana and Katakana all together in the strings that configure the words in Japanese writing system, and Japanese characters are actually treated as 1 script in Japanese daily life. In fact, people in Japan are allowed to use Han, Hiragana, Katakana and ASCII characters all together as the person's names, the trademarks(*1), the trade names(*2), and/or the words including noun. (*1) The list of standard characters for trademarks (Japan Patent Office, written in Japanese) http://www.jpo.go.jp/shiryou/kijun/kijun2/pdf/syouhyoubin/shiryou_1_1.pdf (*2) About using ASCII characters for the trade names (Ministry of Justice, written in Japanese) http://www.moj.go.jp/MINJI/minji44.html In other words, the actual conditions of Japanese characters are treated as 1 script, but they are only devided into 3 scripts technically. We think that they have completely different degrees of risk between commingling Japanese characters (Han, Hiragana and Katakana) and commingling other scripts that must be used exclusively. Therefore, the Guidelines should clearly express that "the case of any exceptions made allowing mixing of scripts" means the case of commingling the scripts that are used exclusively. Best regards, -- Yoshitaka Okuno Manager, Services Development Department Japan Registry Services Co., Ltd.

1 0