> As a corollary: more competition by [constrained] TLDs is good because > if -say- com. allows too many embarrassing confusable domains to be registered, > leading to noticeable and noticed phishing attacks, I think that underestimates the users.... But "does it matter"? I've received 4 emails today that made it through whatever spam filters for whatever reason. All 4 of them seemed to provide the opportunity for phishing attacks, and 0 of them leveraged IDN. For that matter, they weren't even trying to be that clever with the ASCII paths. I think the impact on phishing and confusables may be embarrassing perhaps, but don't have much true impact on security. How many times have you mistyped a URL and ended up somewhere else? Often with advertising and stuff trying to make a few cents off of the target URL typos? Too many companies send emails from "company@xxxxxxxxxxxxxxxxxxxxxxx" (totally random) or send you to "company.orderprocessing.example.com" and expect you to complete a link. So phishing stuff with @secure.com is going to succeed. They don't need confusable. (I've even seen papers that suggest that scammers sometimes prefer obvious traps because they really want to get the gullible folks - obvious bad URLs could filter those out.) -Shawn