Hi Dan, Sorry for the delay here.
On 05/07/12 16:39, Daniel Veditz wrote: > On 7/5/12 1:37 AM, Gervase Markham wrote: >> Recently, it was decided that a whitelist was not scalable in the face >> of hundreds of new TLDs, and that we had to come up with a new approach. >> We did, based on some suggestions from the Unicode Consortium: >> >> https://wiki.mozilla.org/IDN_Display_Algorithm > > Big thanks to you and Simon Montagu for driving this forward! > > Given that the new criteria are not as strict as our old policy, why > would we want to preserve the old whitelist system in parallel? The new policy is tighter in some ways; as you say, it applies to all levels. We also wanted to avoid any nasty surprises. I'm not ruling out removing the old system later, but it's simple (only a few lines of code) and I wanted to make sure this change didn't break any previously-working sites. > If there were any such edge-case domains would they be shown as IDN > in any of the other browsers (besides Opera who uses the same > whitelist mechanism)? Everyone does it differently, even Opera (different whitelist, plus it also has some heuristics as well). > What's the time-frame on the new IDN algorithm? Sounds relatively > close so why not let them just start working when that lands instead > of whitelisting them? Because I don't want to gate making things better for IDN-in-.com users on the completion of a patch I'm not writing. Also, we can check in a TLD whitelist change on beta pretty easily; we can't port a patch forward that far. > Have they revoked all the previously spoofing domains? The Paypal one now belongs to paypal. > Have they > audited all their existing domains to make sure there aren't > additional ones in there that violate their new rules? What is their > transition plan for the domains that do exist? Good questions; I will ask. > Their new rules going forward sound fine, it's any grand-fathered > mess I'm worried about. I'm especially worried if you proceed with > your currently stated plan of preserving the whitelist even after > the new algorithm lands. I could revert the whitelist to its state pre-new-plan once the new algorithm lands, if that would be better. (I.e. remove the ones included under transitional arrangements.) Gerv _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
