Gerv,

May I suggest the following additions?

Hostname U-labels to be displayed as Unicode SHALL NOT include confusable bidirectional text. [http://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing] and [http://www.ietf.org/rfc/rfc3987.txt]

a. Hostname labels SHALL NOT include left-to-right override characters. U+200E, U+202E
b. Hostname labels SHALL NOT include both left-to-right and right-to-left characters
c. Hostname labels using a right-to-left character must start and end with right-to-left characters, with the exception that labels using right-to-left characters may end with combining marks or numbers

-Brad Hill

On Thursday, July 5, 2012 1:37:54 AM UTC-7, Gervase Markham wrote:
> As some participants may recall, our IDN TLD whitelist was created in
> response to the "payp-cyrillic-a-l.com" incident of 2005.
>
> http://www.shmoo.com/idn/
>
> Since that time, we have whitelisted over 50 TLDs after having inspected
> their anti-spoofing policies.
>
> http://www.mozilla.org/projects/security/tld-idn-policy-list.html
>
> Recently, it was decided that a whitelist was not scalable in the face
> of hundreds of new TLDs, and that we had to come up with a new approach.
> We did, based on some suggestions from the Unicode Consortium:
>
> https://wiki.mozilla.org/IDN_Display_Algorithm
>
> The new criteria are not as strict as the old (for example, they can't
> spot whole-script homographs (All-Latin "scope.tld" vs all-Cyrillic
> "ѕсоре.tld"), but are the best we can do programmatically without a
> manually-maintained whitelist, and without compromising other principles
> (like "works somewhere => works everywhere").
>
> Up until now, Verisign have not formally applied for inclusion in the
> TLD whitelist, although preliminary discussions have occurred on more
> than one occasion.
> Now, they have applied (for .com, .net and
> .name), and their current policies do meet the new criteria:
> https://bugzilla.mozilla.org/show_bug.cgi?id=770877
>
> However, given that it was a .com domain which started all this fuss, I
> thought it was worth posting publicly in case anyone had any comments.
>
> Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
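
The three rules proposed in the message above, written as a per-label check. This is an added example, not part of the original message and not Mozilla's code. It assumes labels are already decoded U-labels and that the "combining marks or numbers" of rule (c) map to Unicode bidi classes NSM, EN and AN; the function names and sample labels are constructed.

```python
import unicodedata

# Code points listed in rule (a) of the message. Unicode names them
# LEFT-TO-RIGHT MARK (U+200E) and RIGHT-TO-LEFT OVERRIDE (U+202E).
FORBIDDEN = {"\u200e", "\u202e"}
RTL = {"R", "AL"}                  # bidi classes of right-to-left letters
LTR = {"L"}                        # bidi class of left-to-right letters
TRAILING_OK = {"NSM", "EN", "AN"}  # assumed: combining marks and numbers


def check_label(label):
    """Return the proposed rules ('a', 'b', 'c') that a U-label violates."""
    violations = []
    classes = [unicodedata.bidirectional(ch) for ch in label]

    # Rule (a): none of the listed formatting characters may appear.
    if any(ch in FORBIDDEN for ch in label):
        violations.append("a")

    # Rule (b): a label may not mix LTR and RTL characters.
    has_rtl = any(c in RTL for c in classes)
    has_ltr = any(c in LTR for c in classes)
    if has_rtl and has_ltr:
        violations.append("b")

    # Rule (c): an RTL label starts with an RTL character and ends with
    # one, ignoring any trailing combining marks or numbers.
    if has_rtl:
        end = len(classes)
        while end > 0 and classes[end - 1] in TRAILING_OK:
            end -= 1
        if classes[0] not in RTL or end == 0 or classes[end - 1] not in RTL:
            violations.append("c")
    return violations


def check_hostname(hostname):
    """Map each offending label of a dotted Unicode hostname to its violations."""
    return {lab: v for lab in hostname.split(".") if (v := check_label(lab))}


if __name__ == "__main__":
    hebrew = "\u05e9\u05dc\u05d5\u05dd"  # constructed sample label
    for host in ("example.com", hebrew + "1.tld", "abc" + hebrew + ".tld",
                 hebrew + "-.tld", "ab\u202ecd.tld"):
        print(ascii(host), check_hostname(host))
```

A trailing hyphen fails rule (c) because HYPHEN-MINUS has bidi class ES, which is neither a right-to-left letter nor one of the allowed trailing classes.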
