On 22/02/09 21:56, Paul Hoffman wrote:
I think part of what's going on here is a confusion between CAs and
domain name registrars. IIRC there was indeed some sort of
agreement among domain name registrars to implement special
checking for internationalized domain names.

There was no such agreement. TLD registries ask which language a name
is in; some then do some filtering based on what characters they
think are used by particular languages. This is far from a science
and fails miserably for most European languages.

The security of our anti-spoofing measures does not rest on any sort of "language" being associated with a name, or any filtering that may be done on that basis. It rests on each registry having a list of characters which are the only ones it permits and either:
a) that list not having any homographs; or
b) them having a list of which characters are homographic to each other and an anti-spoofing policy they deploy whenever a domain name with one of any pair is registered.

All the registries added to the list had this when they were added. As I said in my previous message, if you know of a registry which no longer meets these criteria, please let me know.

It will be interesting to see if he has anything to say about CAs,
who are the real security concern here.

CAs are irrelevant to spoofing issues. If www.something.com is a homograph for www.someth1ng.com, that's a bad thing irrespective of whether the owners of each of the two domains can get a certificate for them.

Gerv

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
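
The registry-side rule described in the message above (a permitted character list, plus a homograph table and an anti-spoofing policy applied at registration), as an added example that is not part of the original message or any registry's code. The character list, the homograph pairs, the `Registry` class and the choice of blocking as the policy are constructed assumptions.

```python
import string

# Constructed policy: the only characters this hypothetical registry permits
# (ASCII letters, digits, hyphen, and five Cyrillic letters).
PERMITTED = set(string.ascii_lowercase + string.digits + "-"
                + "\u0430\u0435\u043e\u0440\u0441")
# Constructed homograph table: pairs the registry treats as confusable.
HOMOGRAPH_PAIRS = [("a", "\u0430"), ("e", "\u0435"), ("o", "\u043e"),
                   ("p", "\u0440"), ("c", "\u0441"), ("i", "1")]

def build_canon(pairs):
    """Map every character of a homograph class to one representative."""
    parent = {}
    def find(ch):
        parent.setdefault(ch, ch)
        while parent[ch] != ch:
            ch = parent[ch]
        return ch
    for left, right in pairs:
        root_l, root_r = find(left), find(right)
        if root_l != root_r:
            # Lowest code point becomes the class representative.
            parent[max(root_l, root_r)] = min(root_l, root_r)
    return {ch: find(ch) for ch in list(parent)}

CANON = build_canon(HOMOGRAPH_PAIRS)

def skeleton(label):
    """Replace each character by its class representative."""
    return "".join(CANON.get(ch, ch) for ch in label)

class Registry:
    def __init__(self):
        self.by_skeleton = {}  # skeleton -> label that was registered first

    def register(self, label):
        # Rule 1: only characters on the permitted list are accepted.
        bad = sorted(set(label) - PERMITTED)
        if bad:
            return ("rejected", "outside permitted list: " + repr(bad))
        # Rule 2 (assumed policy: block): a label whose skeleton matches an
        # existing registration is refused and the existing holder reported.
        holder = self.by_skeleton.get(skeleton(label))
        if holder is not None and holder != label:
            return ("blocked", holder)
        self.by_skeleton[skeleton(label)] = label
        return ("registered", label)
```

A registry whose permitted list contains no homograph pairs at all is the case where `HOMOGRAPH_PAIRS` is empty and only the first rule ever fires.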