As some participants may recall, our IDN TLD whitelist was created in response to the "payp-cyrillic-a-l.com" incident of 2005.

http://www.shmoo.com/idn/

Since that time, we have whitelisted over 50 TLDs after having inspected their anti-spoofing policies.

http://www.mozilla.org/projects/security/tld-idn-policy-list.html

Recently, it was decided that a whitelist was not scalable in the face of hundreds of new TLDs, and that we had to come up with a new approach. We did, based on some suggestions from the Unicode Consortium:

https://wiki.mozilla.org/IDN_Display_Algorithm

The new criteria are not as strict as the old (for example, they can't spot whole-script homographs (All-Latin "scope.tld" vs all-Cyrillic "ѕсоре.tld")), but are the best we can do programmatically without a manually-maintained whitelist, and without compromising other principles (like "works somewhere => works everywhere").

Up until now, Verisign have not formally applied for inclusion in the TLD whitelist, although preliminary discussions have occurred on more than one occasion. Now, they have applied (for .com, .net and .name), and their current policies do meet the new criteria:

https://bugzilla.mozilla.org/show_bug.cgi?id=770877

However, given that it was a .com domain which started all this fuss, I thought it was worth posting publicly in case anyone had any comments.

Gerv
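
The limitation mentioned in the post, as an added illustration (not part of the original message and not Mozilla's implementation): a simplified one-script-per-label check falls back to Punycode for a mixed Latin/Cyrillic label, yet displays the all-Latin and all-Cyrillic "scope" labels unchanged. The function names are hypothetical, and the script of each character is approximated from its Unicode name because Python's standard library does not expose the Script property.

```python
import unicodedata

# Constructed sample hostnames. Escapes make the Cyrillic code points explicit.
LATIN_SCOPE = "scope.tld"
CYRILLIC_SCOPE = "\u0455\u0441\u043e\u0440\u0435.tld"   # all-Cyrillic look-alike
MIXED_LABEL = "payp\u0430l.com"                          # Latin with one Cyrillic 'a'


def char_script(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch.isdigit() or ch == "-":
        return "Common"
    return unicodedata.name(ch, "UNKNOWN").split()[0].title()


def label_scripts(label):
    """Set of scripts used in one DNS label, ignoring digits and hyphens."""
    return {char_script(c) for c in label} - {"Common"}


def display_form(hostname):
    """Show Unicode only if every label uses a single script, else Punycode.

    Simplified assumption: the real display criteria permit some script
    combinations; this sketch permits none.
    """
    labels = hostname.split(".")
    if all(len(label_scripts(label)) <= 1 for label in labels):
        return hostname
    return hostname.encode("idna").decode("ascii")


if __name__ == "__main__":
    for name in (LATIN_SCOPE, CYRILLIC_SCOPE, MIXED_LABEL):
        first_label = name.split(".")[0]
        print(sorted(label_scripts(first_label)), "->", display_form(name))
```

Both "scope" hostnames pass the check because each label is internally consistent, which is why a per-label script test alone cannot distinguish a whole-script homograph from the name it imitates.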