On 13/10/12 23:37, Dan Veditz wrote:
> I'm only a little concerned about grandfathering. I _am_ concerned that the whitelisting mechanism supersedes the proposed algorithm and allows for arbitrary characters on labels above the level of the domain that the registrar issues and can vet.
Not arbitrary; we still have our character blacklist for protocol-alike characters, and IDNA2008, when we implement it, will further restrict the allowable set. As long as people can't make one domain component look like two, or two like one, then people should only be able to mess with people inside their own Public Suffix + 1.
> Can we do a hybrid system, where for whitelisted TLDs we accept registered domains as found and then apply the algorithm to the rest of the labels (effectively eTLD+2, though I don't know if we want to drag the public suffix list into this)?
Hmm. Possible, but certainly more confusing. Ideally, the TLD whitelist would go away eventually. I don't want to rip it out as the new algorithm comes in because there's a higher risk of breaking people's currently-working domains by mistake.
Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
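The hybrid scheme discussed in this message, sketched as an added example that is not part of the original thread or of Mozilla's code. The whitelist contents, the blacklist characters, the single-script test standing in for "the algorithm", and the function names are all assumptions made for illustration.

```python
import unicodedata

# Constructed sample data, not Mozilla's real lists.
WHITELISTED_TLDS = {"de"}
# Assumed "protocol-alike" characters: fraction slash, division slash,
# ideographic full stop, fullwidth full stop, fullwidth colon.
PROTOCOL_LOOKALIKES = set("\u2044\u2215\u3002\uff0e\uff1a")

def script_of(ch):
    """Rough script guess from the Unicode character name (assumption:
    good enough for a demo; a real check would use the Script property)."""
    if ch in "0123456789-":
        return "Common"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def label_passes_algorithm(label):
    """Hypothetical stand-in for the proposed algorithm: single script only."""
    return len({script_of(c) for c in label} - {"Common"}) <= 1

def to_ascii(label):
    """Punycode (A-label) form of a label, used when Unicode display is refused."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def display_host(host):
    """Decide, label by label, whether to show Unicode or punycode.

    Assumption: the public suffix is the TLD alone, so the registered
    domain is the last two labels (no Public Suffix List lookup).
    """
    labels = host.lower().split(".")
    tld = labels[-1]
    registered_idx = len(labels) - 2
    shown = []
    for i, label in enumerate(labels):
        if any(c in PROTOCOL_LOOKALIKES for c in label):
            ok = False                      # blacklist applies everywhere
        elif i >= registered_idx and tld in WHITELISTED_TLDS:
            ok = True                       # registry-vetted: accept as found
        else:
            ok = label_passes_algorithm(label)  # labels below the registered domain
        shown.append(label if ok else to_ascii(label))
    return ".".join(shown)
```

The blacklist check runs before the whitelist branch, so a whitelisted TLD never lets one label look like two.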