Erik van der Poel <[EMAIL PROTECTED]> wrote: > For IDN names, there are 2 different times: > > 1. registration time > 2. lookup time > > At each of these times, we start with textual symbols, give them codes > (Unicodes), perform nameprep and encode into punycode. After a lookup, > we might also display the name for the user.
Display time is independent of lookup time. For example, the domain names in the From: field of an incoming message is displayed, but not looked up. The mail application never looks up the name, even if a reply is sent; a separate application (the MTA) does that. In a browser, I might hover over a link before deciding whether to follow it, so that I can see the domain name. The domain name is not looked up at that point. We could consider advising all applications to start doing DNS lookups on such occasions, just to get extra meta-info (like language tags) to help display the name, but that seems too drastic, and there are still situations where it's nice to be able to use applications offline. > As far as I'm concerned, Unicode is an immovable object. There is > probably zero chance that anybody could talk them into getting rid of > look-alikes. Certainly. The upheaval would be tremendously prohibitive. > But what about the other parts of nameprep? Would it be possible > to add another kind of mapping to it, namely from homographs to > base characters? This would be a rather large change, and might > even require a new prefix (i.e. something other than xn-- to allow > migration). It would certainly need a new prefix. Also, names that get transported in ACE form and converted back to Unicode for display would probably take on a ransom-note appearance when single-script strings get nameprepped into mixed-script strings. > I don't really know whether this kind of change is realistic. I think not. > But, to me, all this just seems like we are foisting the problem on > the end-user. Why oh why should they see any of this? You might as well ask why they should see domain names at all. Maybe there's a way to abstract domain names out of the users' view altogether, but until then, if users are going to see domain names, they want to be able to tell whether the name they see is the name they think they see. > We could simply display the raw Punycode when the name is determined > to be phishy. Maybe it's just me, but this is not very satisfying. The name can be flagged by displaying the Punycode, or by using a bright color, or reverse video, or whatever. As someone already suggested, the ability to easily switch the display between the ACE and non-ACE forms would be helpful. > Can't we solve the problem upstream? We don't know how many misleading names have already been registered under .com and .net, so I don't see how we can completely solve the problem upstream. AMC
