These ideas have been considered by Mozilla:
http://weblogs.mozillazine.org/gerv/archives/007556.html
However, Mozilla's IDN market share may not be as big as the others', so its decision may not affect IDN deployment much. MSIE doesn't support IDN to begin with. There are some plug-ins for MSIE to support IDN, so their decision might have more effect than Mozilla's:
http://support.microsoft.com/?kbid=842848
Let me point out that one of those plug-ins is made by VeriSign itself. Since VeriSign is such a big company, their IDN plug-in may have the largest market share. I haven't seen any numbers.
But what will VeriSign decide to do in their plug-in in response to this IDN spoofing issue?
I think I agree with you, however, that the more sophisticated heuristics can be developed later.
Erik
Adam M. Costello wrote:
Here's an idea for a quick-and-dirty enhancement to existing applications: Rather than disable IDNA entirely (which is quick but too dirty), or flag all IDNs (almost as quick but still too dirty), just flag all IDNs in .com and .net. This would be significantly less damaging to IDN deployment (which could proceed unhindered in the other TLDs, particularly the ccTLDs), but is still extremely simple and could be rolled out immediately while more sophisticated heuristics are developed.
