Eric Johanson <[EMAIL PROTECTED]> wrote: > Are you sure that it's the registrars/TLDs/etc whom should be doing > this filtering?
I think registries should be doing filtering, but I don't think browsers should depend on it, because it's already too late, as the paypal example proves. I think browsers (and in general, applications that receive domain names from untrusted sources and display them to the user as IDNs) ought to provide a second line of defense by trying to expose suspicious domain names. > Because this 'language tag' is only available to registrars (when I > say registrars, I mean anyone involved with the registration of a > new domain, on any TLD), I suspect it makes it impractical to do the > filtering at the browser/application level. I don't see why. > ...assuming we can make the language tag available via some dns tricks or > some API... I don't see that happening. The IDN working group decided quite deliberately that domain names would not contain any meta-info like language tags; they're just text strings. Still, I expect that some not-terribly-complex heuristics, based only on the bare character strings, could go a long way toward exposing suspicious domain names. AMC
