John,
John C Klensin wrote:
So my conclusion is that we need a mixed protocol-registry-browser strategy. That strategy, IMO, should shift the processing burdens as much as possible to the first two. And I think that notions that the problem can or should be solved in any of those three places alone are probably misguided.
I strongly agree with everything you said. I am sorry if I gave the impression that the browser implementors are the *only* people that can and should address this IDN phishing problem. I don't think I said that, but maybe I'm just not very good at email and/or expressing myself. I also agree that the burden should be shifted as much as possible to the first two. It would be bad if the many implementations all did it differently.
I would only add one component to your strategy. It should be a Unicode-protocol-registry-browser strategy. Unicode has already started working on their part:
http://www.unicode.org/reports/tr36/
Erik
