RE: Something better than DNS?

> From: Brian E Carpenter [mailto:brc@xxxxxxxxxxxxxx] 

> > For example, what homograph rules apply to what domains?  Are the
> > rules per-TLD or some other granularity?  What are the appropriate
> > rules for GTLDs, since they don't have a native language other than
> > the de-facto English?  If there are new TLDs with translations of
> > existing TLD names, e.g., business in Arabic and Chinese, are these
> > aliases for .COM or .BIZ, or are they different?  If people have
> > registered ASCII approximations of names, e.g., letters without
> > diacriticals, do they get first crack at the correctly spelled IDN
> > with the diacriticals?
> 
> In that context, RFC 4690 is thought-provoking.

I think that you are looking for solutions that are not possible.

From the Internet crime point of view we have been dealing with homographs ever since phishing was noticed as a problem five years ago. www.micr0soft.com is a homograph in the ASCII space.


There are three types of directory service:

1) Signalling
	Connect to a network resource by means of an unambiguous identifier that may (DNS) or may not (telephone number) be mnemonic.

2) Discovery
	Connect to a network resource by entering in a name or description. Examples: Google.

3) Authentication
	Verify the real-world identity of the network resource. Examples: VeriSign Class 3 certificate, EV certificate.


The DNS is designed to do the first, is a passable approximation to the second and is inherently misleading for the third. We still have the accounts-bizybank.com type of lookalike name to worry about.

This is a social and process problem. The technical approach of looking for bad names is unlikely to work.

There are some folk in Sao Paulo who will be proposing that all DNS registrations (not just I18N) be required to be authenticated. It's not a viable proposal since 98% of the signalling applications that the DNS is designed to support do not require authenticated addresses.


A much better solution that would meet the needs of registrars and phishing targets much better would be a simplified challenge procedure that could only be used in the first five days after a registration.

If a name was challenged it would be immediately suspended. But the suspension would be immediately lifted as soon as the registrant provided a verified address at which service could be effected for the UDRP or civil process.

In other words we do not require an authenticated address unless there is an objection.


The mechanism would of course need to be carefully protected with safeguards to avoid abuse. I would suggest a very substantial bond and a significant fee per use.

The advantage to the phishing targets is clear. There is also a substantial advantage to the registrars whose principal challenge at the present time is chargebacks from stolen credit card numbers used by phishing gangs to buy names to be used in phishing attacks.
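An added defender-side illustration, not part of the message above: a minimal ASCII confusable check of the kind the message argues is unlikely to be sufficient. It collapses look-alike characters to a canonical skeleton (the idea behind Unicode confusable skeletons, restricted here to a hand-picked ASCII table) so that micr0soft.com matches a protected brand, while accounts-bizybank.com needs a weaker substring heuristic that also produces false positives. The brand list, confusable table and domain names are constructed.

```python
"""ASCII-only confusable check for second-level domain labels.

Constructed example: a hand-picked ASCII confusable table (not the
Unicode confusables data) plus a small protected-brand list.
"""
from typing import Optional

# Hypothetical ASCII confusable table: look-alike -> canonical form.
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l", "5": "s", "3": "e", "4": "a",
    "vv": "w", "rn": "m", "cl": "d",
}

# Constructed list of brands a registrar might want to protect.
PROTECTED = {"microsoft", "bizybank", "verisign"}


def skeleton(label: str) -> str:
    """Collapse visually similar ASCII sequences to one canonical spelling."""
    s = label.lower()
    # Apply multi-character sequences first so "rn" becomes "m" before
    # single-character rules touch its letters.
    for seq in sorted(CONFUSABLES, key=len, reverse=True):
        s = s.replace(seq, CONFUSABLES[seq])
    return s


def second_level_label(domain: str) -> str:
    """Crude SLD extraction: the label left of the final TLD (fine for .com/.biz)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def homograph_match(domain: str) -> Optional[str]:
    """Brand the SLD collapses onto, if collapsing changed the label.

    The legitimate registration itself (sld == brand) is not flagged.
    """
    sld = second_level_label(domain)
    sk = skeleton(sld)
    return sk if sk in PROTECTED and sk != sld else None


def lookalike_match(domain: str) -> Optional[str]:
    """Weaker substring heuristic for names like accounts-bizybank.com.

    Catches brand-plus-prefix names but also flags innocent labels such
    as 'microsoftware', which is why such checks need a human process.
    """
    sk = skeleton(second_level_label(domain))
    for brand in PROTECTED:
        if brand in sk and sk != brand:
            return brand
    return None
```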

