I think registries should be doing filtering, but I don't think browsers should depend on it, because it's already too late, as the paypal example proves. I think browsers (and in general, applications that receive domain names from untrusted sources and display them to the user as IDNs) ought to provide a second line of defense by trying to expose suspicious domain names.
I fully agree with Adam here. If there is no way to enforce registries doing the right thing (and ICANN has shown no ability to enforce nearly anything), then relying on them for security is silly. This is particularly true if some registries pay more attention to their customers who want to pay for mixed-script domain names than they pay to ICANN.
> ...assuming we can make the language tag available via some dns tricks or some API...
I don't see that happening. The IDN working group decided quite deliberately that domain names would not contain any meta-info like language tags; they're just text strings.
Right. If you want to re-engineer the IDN bits-on-the-wire protocol in ways that were considered and rejected, feel free to submit a new Internet Draft and see if there is community interest.
Still, I expect that some not-terribly-complex heuristics, based only on the bare character strings, could go a long way toward exposing suspicious domain names.
Reducing phishing is sufficient because we can never eliminate it.
--Paul Hoffman, Director
--Internet Mail Consortium
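As an added illustration of the "not-terribly-complex heuristics, based only on the bare character strings" mentioned in the message above (this is example code written for this page, not code from the thread, from any browser, or from the Internet Mail Consortium), the following Python function looks at a single domain label and flags two things a browser could surface to the user without any language tag or registry cooperation: letters drawn from more than one script (the paypal case, where Cyrillic letters are mixed into an otherwise Latin label), and single-script labels whose letters all look like ASCII Latin ones. The look-alike table is a small hand-picked subset constructed for the example, not the full Unicode confusables data, and the grouping of CJK, Hiragana, Katakana and Hangul into one family is a deliberate simplification so that ordinary Japanese and Korean labels are not flagged.

```python
import unicodedata

# Hand-picked look-alike pairs (a constructed subset for this example, NOT the
# full Unicode confusables table): non-Latin letter -> Latin letter it resembles.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

# Scripts that legitimately co-occur inside one label (Japanese and Korean
# writing mix them); folded into one family so they do not count as "mixed".
CJK_FAMILY = {"CJK", "HIRAGANA", "KATAKANA", "HANGUL"}


def script_of(ch):
    """Approximate the script of a letter from the first word of its Unicode name
    (e.g. 'LATIN SMALL LETTER A' -> 'LATIN'). Crude, but needs no external tables."""
    head = unicodedata.name(ch, "UNKNOWN").split()[0]
    return "CJK" if head in CJK_FAMILY else head


def to_ulabel(label):
    """Convert an A-label (xn--...) to its Unicode form; leave U-labels unchanged."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def analyze_label(label):
    """Return a small report on one domain label, working only from its characters."""
    ulabel = to_ulabel(label)
    # Only letters carry a script; digits and hyphens are ignored.
    scripts = sorted({script_of(ch) for ch in ulabel if ch.isalpha()})
    mixed_script = len(scripts) > 1
    confusables = [ch for ch in ulabel if ch in CONFUSABLES]
    # "Skeleton": the label with each known look-alike replaced by the Latin
    # letter it imitates, so it can be compared against a list of known brands.
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in ulabel)
    # A single-script non-Latin label whose skeleton is plain ASCII is the
    # whole-script look-alike case (e.g. all-Cyrillic "coco").
    whole_script_confusable = (
        not mixed_script and skeleton != ulabel and skeleton.isascii()
    )
    return {
        "ulabel": ulabel,
        "scripts": scripts,
        "mixed_script": mixed_script,
        "confusables": confusables,
        "skeleton": skeleton,
        "suspicious": mixed_script or whole_script_confusable,
    }


if __name__ == "__main__":
    # Constructed sample labels: a plain Latin label, the paypal-style mixed
    # label with two Cyrillic 'a's, an all-Cyrillic look-alike, and a CJK label.
    for sample in ["paypal", "p\u0430yp\u0430l", "\u0441\u043e\u0441\u043e", "\u6771\u4eac"]:
        report = analyze_label(sample)
        print(sample, "->", report["scripts"], "suspicious:", report["suspicious"])
```

Feeding the A-label form ("xn--...") gives the same report as the Unicode form, which is the point: the check runs on whatever the application receives from the untrusted source, before it decides how to display the name. A browser that wanted a second line of defense could show the A-label rather than the decoded form whenever `suspicious` is true.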
