> Consider a domain name containing a slash-homograph.
> As it stands, IDNA section 3.1 requirement 3 tells applications that they "SHOULD" display the non-ACE form. The security considerations section, much later, "suggests" that applications provide visual indications of various anomalies (from which one could extrapolate that the slash-homograph would benefit from a visual indication).

Right.

> I think we've seen that these security concerns need to be less buried,

Fair point, but it's not like that if we had put them in section 3.1, all browser makers would have done anything about them. From the testing we did a while ago, it's clear that a fair number of browser makers didn't even read the normative parts of the spec.

> that "visual indications" are too burdensome on implementations,

Fully disagree. We haven't seen anyone actually try visual indications, and some have said that they are working on them. They may not want to do them, but most of them didn't want to do IDNs either.

> and that in some cases (like this one) the recommendation to display the non-ACE form ought to be withdrawn, or even reversed (that is, recommend the ASCII form).

Question: when faced with an incomprehensible domain name with no visual indications, do you think that typical users will know what to do, or even what to be cautious of? Hint: think about what typical users do with SSL certificate warning dialogs.
We're trying to deal with a security issue: obscuring it won't make it useful to users, nor will it make them cautious, just confused.

> d) If the non-ACE form contains any character outside Unicode
> categories L (letter), N (number), and M (mark), other than
> U+002D hyphen-minus, the ACE form SHOULD be shown.

This is quite a reasonable attempt at picking good characters. It won't eliminate homographs by any manner of means, but it is a reasonable narrowing.

> Thoughts?

At first glance, it is a reasonable way to choose between unadulterated Unicode and ACE display. However, it is based on a very unproven assumption, namely that there isn't any other visual assistance that we can suggest.
Adam: could you think more about it and see how it would look if you thought visual assistance was an option?
--Paul Hoffman, Director
--Internet Mail Consortium
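
The proposed rule (d) quoted in the message above, as an added Python example that is not part of the original message or of the IDNA specification. It assumes the name has already been nameprepped, uses U+2215 DIVISION SLASH as a constructed stand-in for the slash-homograph, and its function names are hypothetical.

```python
import unicodedata

ACE_PREFIX = "xn--"

def offending_chars(name):
    """Characters rule (d) rejects: outside categories L, N, M, except U+002D."""
    bad = []
    for label in name.split("."):          # dots are label separators, not content
        for ch in label:
            if ch == "-":
                continue
            if unicodedata.category(ch)[0] not in ("L", "N", "M"):
                bad.append(ch)
    return bad

def to_ace(name):
    """ACE form: Punycode-encode each non-ASCII label (input assumed nameprepped)."""
    labels = []
    for label in name.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append(ACE_PREFIX + label.encode("punycode").decode("ascii"))
    return ".".join(labels)

def display_form(name):
    """Show the ACE form if rule (d) is triggered, otherwise the Unicode form."""
    return to_ace(name) if offending_chars(name) else name

# Constructed sample names, not taken from the message.
SLASH_LOOKALIKE = "example.com\u2215login.example.net"  # U+2215 is category Sm
PLAIN_IDN = "b\u00fccher.example"                       # letters only
CYRILLIC_A = "\u0430pple.example"                       # U+0430 is a letter (Ll)

if __name__ == "__main__":
    for name in (SLASH_LOOKALIKE, PLAIN_IDN, CYRILLIC_A):
        flagged = ["U+%04X" % ord(c) for c in offending_chars(name)]
        print(ascii(name), "->", display_form(name), flagged)
```

The third sample passes the rule unchanged because a Cyrillic letter is still category L, which is the narrowing-but-not-elimination point made in the reply.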
