> From: Brian E Carpenter [mailto:[EMAIL PROTECTED] 

> > For example, what homograph rules apply to what domains?  Are the 
> > rules per-TLD or some other granularity?  What are the appropriate 
> > rules for GTLDs, since they don't have a native language other than 
> > the de-facto English?  If there are new TLDs with translations of 
> > existing TLD names, e.g., business in Arabic and Chinese, are these 
> > aliases for .COM or .BIZ, or are they different?  If people have 
> > registered ASCII approximations of names, e.g., letters without 
> > diacriticals, do they get first crack at the correctly spelled IDN 
> > with the diacriticals?
> 
> In that context, RFC 4690 is thought-provoking.

I think that you are looking for solutions that are not possible.

From the Internet crime point of view we have been dealing with homographs 
ever since phishing was noticed as a problem five years ago. www.micr0soft.com 
is a homograph in the ASCII space.


There are three types of directory service:

1) Signalling
        Connect to a network resource by means of an unambiguous identifier 
that may (DNS) or may not (telephone number) be mnemonic.

2) Discovery
        Connect to a network resource by entering in a name or description. 
Examples: Google.

3) Authentication
        Verify the real-world identity of the network resource. Examples: 
VeriSign Class 3 certificate, EV certificate.


The DNS is designed to do the first, is a passable approximation to the second 
and inherently misleading for the third. We still have the 
accounts-bizybank.com type lookalike name to worry about. 

This is a social and process problem. The technical approach of looking for bad 
names is unlikely to work.

There are some folk in Sao Paulo who will be proposing that all DNS 
registrations (not just I18N) be required to be authenticated. It's not a viable 
proposal since 98% of the signalling applications that the DNS is designed to 
support do not require authenticated addresses.


A much better solution that would meet the needs of registrars and phishing 
targets much better would be a simplified challenge procedure that could only 
be used in the first five days after a registration. 

If a name was challenged it would be immediately suspended. But the suspension 
would be immediately lifted as soon as the registrant provided a verified 
address at which service could be effected for the UDRP or civil process.

In other words we do not require an authenticated address unless there is an 
objection.


The mechanism would of course need to be carefully protected with safeguards to 
avoid abuse. I would suggest a very substantial bond and a significant fee per 
use.

The advantage to the phishing targets is clear. There is also a substantial 
advantage to the registrars whose principal challenge at the present time is 
chargebacks from stolen credit card numbers used by phishing gangs to buy names 
to be used in phishing attacks.


_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf