1. I'm glad you recognize I am not advocating an enforcement regime. And I like consensus when we can get it. But I also don't mind market-based regimes with clear disclosure and labelling; in a managed space with artificial scarcity like the TLD-space, one way to get that is to increase supply. I recognize that some people are nervous about that, but it doesn't seem to dennigrate those concerns to also note that there can be advantages.
2. I do, however, disgree with the assertion that the gTLD space we have, or even the gTLD + ccTLD space, is a well-functioning competitive market at the registry level for reasons including first-mover advantages, locking, arbitrary semantic choices imposed by the regulator (ICANN) and so on. I could go on, or cite academic papers, but I know that you and the others who care have heard the arguments. I thus also think that in this environment there is little one can infer by registration patterns, which are driven by other things.
3. If we want or hope for innovative marketing or differentiation of gTLDs, the most likely way to get them is to create new ones. The IETF, and if memory serves you prominently among its active members, has expressed scepticism about this idea on many occasions.
4. The idea for an informational RFC in this area is no odder than, say, RFC 3675 (which is not intended as a comment on the merits of that document, but just a comment about its scope as it relates to the scope of this idea)...or even, dare I say it, RFC 3071.
5. I agree there would be a substantial drafting challenge to be overcome.
On Thu, 17 Feb 2005, John C Klensin wrote:
--On Thursday, 17 February, 2005 12:53 -0500 "Michael Froomkin - U.Miami School of Law" <[EMAIL PROTECTED]> wrote:
Assuming we can't cut ICANN out of the picture, isn't one solution to lobby ICANN to allow for new TLDs with policies that forbid misleading IDNs and let the marketplace sort it out?
Michael,
"Misleading?" Why should IDNs be any different from ASCII-only labels? "M1CR0S0FT" would certainly be a "misleading" label from the point of view of the obvious company, but the community concluded, long ago, that problem should be dealt with by UDRP procedures or court action, not having some registry make up rules about what can't be registered based on what someone else thinks is "misleading".
For the special case of mixed-script labels, ICANN already has guidelines in place that requires gTLDs who choose to register IDNs to limit any given label to a single "language" or small set of languages. Those guidelines are, IMO, badly written and ambiguous and need fixing, but, as far as I know, all of gTLDs except two are conforming to those guidelines and, in particular, not permitting registrations of strings for which they don't have established language tables. The registry for the other two has apparently decided, partially for historical reasons, to go ahead and register almost anything that doesn't match a language for which they already have tables... a topic that has been discussed on this list already.
The ccTLDs which have decided to deploy IDNs and who are not bound by those guidelines, have, by and large, adopted registry restriction rules that are intended to prevent mixed-script and other types of IDN-baesd misleading names when feasible. Some of them are based on "characters in use in our territory" and "names we need to be able to represent in order to assure fairness" rules, rather than strict language or script rules, but I suggest they are still within the general intent of preventing misleading mixed-script labels when possible. While policies differ, most of the ccTLDs, and an even larger majority of those operated to support DNS use in the relevant country, are consistent with the general spirit of the ICANN guidelines.
Some of us continue to believe, I hope consistently, that conformance based on consensus and conclusions that it is the Right Thing to Do is much better than trying to devise an enforcement regime. I know you didn't suggest an enforcement regime, but others in this discussion have come pretty close. And, for prohibitions on registration of mixed-script misleading names, the worldwide conformance level, among TLDs that have deployed IDNs, to the general principle is fairly high.
As far as the marketplace sorting this out, I suggest that the marketplace has already spoken, without any requirement to make up new TLDs to seek a stronger message. We have TLDs (country code and generic) who prohibit IDN registrations. We have TLDs (again, both groups) who permit IDN registrations only if languages are identified and script rules carefully adhered to. And we have TLDs who permit registration of almost anything permitted by IDNA, either explicitly or through some loophole. What I haven't seen, before or after this latest phishing-possibility demonstration, is a single instance of an advertisement or press release that says "you should register in our domain rather than theirs because our permitted-label rules are more restrictive and hence will give you and your users better assurances that they aren't being phished". Nor have we seen any symptoms of registrations migrating spontaneously among domains to reflect those concerns. If the marketplace has any intent of speaking to this issue --or "sorting things out"-- it is doing so in a whisper.
I am a little depressed by that. I'd be much happier to see "our domain is safer than their domain" ads and positive responses to them, just as I would have been happy to see "register in our domain because we promise to never try to divert the typing mistakes of your users to your competitors" a year or so ago. But they don't happen. And, using the second case as an example, there is zero evidence that it has had any marketplace effect on registrations. The marketplace for registrations just doesn't seem to care, and we don't need more TLDs to tell us that.
Maybe the IETF could issue a statement of some sort on the security implications of failing to allow such TLDs into the marketplace?
For the mixed-script case and some related ones, such TLDs are already in the marketplace and are actually the large majority of TLDs. There is a reason why that paypal example didn't show up in AERO, BIZ, CH, CN, DE, INFO, INT, JP, ORG, SE, TW, and a host of others -- it could not have been registered, either because the registry prohibits mixed-script registrations or because it is going slowly about IDN deployment, wanting others to get more experience first.
So what would you like the IETF to say, exactly? "Domains that are being cautious about registrations should advertise the fact better"? Not exactly an IETF-type statement. "Guidelines that prevent obvious abuses are good"? The IETF has already said essentially that -- see the "IESG Statement" on IDNs -- and most of the TLD registries are doing it as they deploy IDNs. Or perhaps "200 plus domains are already proceeding safely in this area so security requires that we add a few more who will too"? Doesn't pass the laugh test, at least from where I sit.
best, john
-- http://www.icannwatch.org Personal Blog: http://www.discourse.net A. Michael Froomkin | Professor of Law | [EMAIL PROTECTED] U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA +1 (305) 284-4285 | +1 (305) 284-6506 (fax) | http://www.law.tm -->It's cool here.<--
