On 23/02/09 17:58, Paul Hoffman wrote:
> Jean-Marc, you have fallen for Gerv's wishful thinking and security
> theater. There are multiple TLDs on that list that have policies that
> say *nothing* about preventing homograph spoofing.

Every TLD on that list should have a published set of characters it permits and, if that set contains homographic characters, an anti-spoofing policy. If this is not true for one or more, please let me know.

> You completely misunderstood my message: the failure is in Mozilla
> thinking that asking a registrant to say what language they are
> registering in will achieve any significant security. I laugh along
> with Eddy on this.

Mozilla does not think this. What makes you say we do? Unlike other browsers, Mozilla's anti-spoofing mechanisms currently do not rely on things like "no mixed scripts".

> Again: it is not clear how you can say that www.éxample.com is unsafe
> but www.éxample.org is safe given what is said on that page.

The "rationale" section of this document explains very well why our policy and technical implementation is as it is:
http://www.mozilla.org/projects/security/tld-idn-policy-list.html

Gerv
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
