Friday, February 25, 2005

Update on Response to Homograph Concerns

Gary Karp on the Registry Constituency's IDN statement:

One of the Unicode Consortium's responses to the current situation was the release of an unscheduled revision of a draft technical report on 'Security Considerations For The Implementation Of Unicode And Related Technology'. You will find it at:

This includes a richly illustrated 'everything anyone could possibly need to know' description of the homograph vulnerability. Unfortunately, it is as useful a how-to-do-it guide for malicious abusers as it is a basis for the TLD registries converging on a best-practice. It sketches a clear path along which we can proceed and highlights the urgency of our doing so. Determining whether or not that path is the best one for the gTLD registries to take (and if not, setting the alternative) is the next step in our constituency's action.

The Unicode draft is, however, nothing for the faint-hearted. The basis of IDN is that every internationalized name exists in two formats, of which the one is displayed to the user in the full array of expected characters (Unicode), and the other is an encoded form (Punycode) that is only intelligible to purpose-designed software.

The initial design intent was for Punycode never to be revealed to users. However, a number of situations where it is, in fact, beneficial for a user to see Punycode have become apparent in the interim. One of them is that two names that may be graphically confused in their Unicode forms (the reason we're having this discussion in the first place) can readily be differentiated in Punycode.

I'll try to prepare a Punycode Primer over the weekend, which should make the Unicode draft more accessible. It is up to us to ensure that nobody feels the need for more drastic measures. Although an elegant mode for the parallel presentation of Unicode and Punycode remains to be developed, encouraging action toward that end is clearly in the interests of any agency striving to globalize the Internet. Conversely, there is also a need to quell what remains the clear risk of the proponents of an anglophone DNS deciding that since they don't want/need/trust IDN, nobody gets to have it.
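As an added illustration (not part of Gary Karp's statement), the following Python sketch shows the parallel presentation of Unicode and Punycode described above and how two visually confusable names separate in their encoded forms. It relies on Python's built-in "idna" codec (IDNA 2003); the function names and the sample domain names are constructed for this example.

```python
import unicodedata


def to_ace(name: str) -> str:
    """Return the ASCII-compatible (Punycode) form of a domain name."""
    # The built-in "idna" codec encodes each label separately and adds
    # the "xn--" prefix to labels that contain non-ASCII characters.
    return name.encode("idna").decode("ascii")


def parallel_view(name: str):
    """Pair each label's Unicode form with its Punycode form."""
    ace = to_ace(name)
    uni = ace.encode("ascii").decode("idna")  # normalized Unicode form
    return list(zip(uni.split("."), ace.split(".")))


def non_ascii_chars(name: str):
    """List the code point and Unicode name of every non-ASCII character."""
    return [(f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for c in name if ord(c) > 127]


def same_on_the_wire(a: str, b: str) -> bool:
    """True only if both names encode to the same DNS name."""
    return to_ace(a).lower() == to_ace(b).lower()


# Constructed sample names: the second replaces LATIN SMALL LETTER A
# with CYRILLIC SMALL LETTER A (U+0430), which renders almost identically.
PLAIN = "example.com"
LOOKALIKE = "ex\u0430mple.com"

if __name__ == "__main__":
    for name in (PLAIN, LOOKALIKE):
        for uni_label, ace_label in parallel_view(name):
            print(f"{uni_label:12} {ace_label}")
        print("  non-ASCII:", non_ascii_chars(name) or "none")
    print("same DNS name:", same_on_the_wire(PLAIN, LOOKALIKE))
```

A client or registry tool that shows the second column next to the first gives the user the distinction that the rendered Unicode form hides.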

