RE: [council] Registry Constituency IDN communiqué
Thanks Cary. You might like to include some specific examples of two identifiers (names) that could look the same, and explain how a registry would avoid the problem for each example. Regards, Bruce
-----Original Message----- From: owner-council@gnso.icann.org [mailto:owner-council@gnso.icann.org] On Behalf Of Cary Karp Sent: Thursday, 24 February 2005 9:00 PM To: council@gnso.icann.org Subject: [council] Registry Constituency IDN communiqué
The communiqué that I mentioned at last week's Council meeting is now on-line at:
http://www.icann.org/topics/news022305.html
You may also wish to note the broader topic page that ICANN has posted at:
http://www.icann.org/topics/idn.html
/Cary
Quoting Bruce:
You might like to include some specific examples of two identifiers (names) that could look the same, and explain how a registry would avoid the problem for each example.
One of the Unicode Consortium's responses to the current situation was the release of an unscheduled revision of a draft technical report on 'Security Considerations For The Implementation Of Unicode And Related Technology'. You will find it at: http://www.unicode.org/reports/tr36/tr36-2.html This includes a richly illustrated 'everything anyone could possibly need to know' description of the homograph vulnerability. Unfortunately, it is as useful a how-to-do-it guide for malicious abusers as it is a basis for the TLD registries converging on a best-practice. It sketches a clear path along which we can proceed and highlights the urgency of our doing so. Determining whether or not that path is the best one for the gTLD registries to take (and if not, setting the alternative) is the next step in our constituency's action. The Unicode draft is, however, nothing for the faint-hearted. The basis of IDN,is that every internationalized name exists in two formats, of which the one is displayed to the user in the full array of expected characters (Unicode), and the other is an encoded form (Punycode) that is only intelligible to purpose-designed software. The initial design intent was for Punycode never to be revealed to users. However, a number of situations where it is, in fact, beneficial for a user to see Punycode have become apparent in the interim. One of them is that two names that may be graphically confused in their Unicode forms (the reason we're having this discussion in the first place) can readily be differentiated in Punycode. I'll try to prepare a Punycode Primer over the weekend, which should make the Unicode draft more accessible. In the meanwhile you may wish to note that the Mozilla folks -- whose concern with this issue fired the debate -- have just released a version of their Firefox browser that addresses the issue by making the Punycode form of an IDN fully visible in the browser's status line, while retaining the Unicode form in the browser's address line. It's likely that other software developers will soon be doing the same. It is up to us to ensure that nobody feels the need for more drastic measures. Although an elegant mode for the parallel presentation of Unicode and Punycode remains to be developed, encouraging action toward that end is clearly in the interests of any agency striving to globalize the Internet. Conversely, there is also a need to quell what remains the clear risk of the proponents of an anglophone DNS deciding that since they don't want/need/trust IDN, nobody gets to have it. /Cary
Quoting myself:
In the meanwhile you may wish to note that the Mozilla folks -- whose concern with this issue fired the debate -- have just released a version of their Firefox browser that addresses the issue by making the Punycode form of an IDN fully visible in the browser's status line, while retaining the Unicode form in the browser's address line.
I'm afraid I spoke too soon about this. The latest release displays Punycode in both the address and status lines. I incorrectly assumed that the behavior of the pre-release version that I was using had been retained. This permitted the full configuration of where Punycode and Unicode could appear but, as far as I can tell, that option has been removed. /Cary
participants (2)
-
Bruce Tonkin
-
Cary Karp