On 7/5/12 1:37 AM, Gervase Markham wrote:
> Recently, it was decided that a whitelist was not scalable in the face
> of hundreds of new TLDs, and that we had to come up with a new approach.
> We did, based on some suggestions from the Unicode Consortium:
>
> https://wiki.mozilla.org/IDN_Display_Algorithm

Big thanks to you and Simon Montagu for driving this forward!

Given that the new criteria are not as strict as our old policy, why would we want to preserve the old whitelist system in parallel? The big flaw in the whitelist policy was that a registrar's policy applied to the domain labels directly issued by that registrar but not to any sub-domains created by the domain owner. Those sub-domains could be as many levels deep and as spoofy as they'd like. The new algorithm, in contrast, applies to each label separately and will prevent spoofy sub-domains.

If the stated policies of the currently whitelisted TLDs fall within the new algorithm let's just scrap the whitelist. Even if some small percentage of edge-case domains end up being flipped to punycode the code and policy simplification on our end will be worth it. If there were any such edge-case domains would they be shown as IDN in any of the other browsers (besides Opera who uses the same whitelist mechanism)?

> Now, they have applied (for .com, .net and .name), and
> their current policies do meet the new criteria:
> https://bugzilla.mozilla.org/show_bug.cgi?id=770877

What's the time-frame on the new IDN algorithm? Sounds relatively close so why not let them just start working when that lands instead of whitelisting them?

> However, given that it was a .com domain which started all this fuss, I
> thought it was worth posting publicly in case anyone had any comments.

Have they revoked all the previously spoofing domains? Have they audited all their existing domains to make sure there aren't additional ones in there that violate their new rules? What is their transition plan for the domains that do exist? Their new rules going forward sound fine, it's any grand-fathered mess I'm worried about. I'm especially worried if you proceed with your currently stated plan of preserving the whitelist even after the new algorithm lands.

-Dan Veditz