William Tan | 21 Feb 12:36

Re: IDN spoofing

George W Gerrity wrote:

> For the second-level (or third-level where the top is a country code) 
> domain tag, it should be the legal responsibility of the name 
> authorities for the domain above to ensure that spoofed names cannot 
> be registered (or if registered, all belong to one owner). In the 
> Western world, if that is not already the case, then I'm sure that the 
> first time a spoof of, say Coca-Cola (or Pepsi — let's be even-handed) 
> is registered, then we can be certain that afterwards, the issuing 
> authority will never do it again.

While it is true that TLDs are responsible for preventing the 
registration of spoofs, commercial TLDs that have automated registration 
systems never perform that check. Does registering coca-cola.com prevent 
someone else from getting coca-co1a.com?

> In the case of countries whose law systems are still a bit wild and 
> wooly (The former Soviet Union?), then I suspect that for the time 
> being it will remain ‘Caveat Emptor’. In either case, a domain name 
> holder should be able to license all spoofs for free, in order to 
> limit its exposure to spoofing, whether or not there is adequate legal 
> recourse.

If the TLD operator is careful, there is no need to license spoofs to 
protect one's domain from being spoofed. On the other hand, if the TLD 
does not even perform that check (such as .com), then it is unlikely 
that you get to license all spoofs for free anyway - you have to pay for 
each and every permutation of it.

>
> The point I'm making is that while the authorities for .com.au or 
> .com.ru may do what they like, we can at least give them advice plus 
> some tables that will detect many, if not most, spoofs. In the case 
> where the authority allows (for whatever reason) a name with mixed 
> orthographies, then clearly the first to apply whose signature is not 
> a spoof for an (already well-established) trade-marked name or domain 
> name, should get the license, and all other applicants with a similar 
> name be refused. The name authority should be protected by the laws of 
> the countries in which it operates from being sued for refusing to 
> register confusable names.

This is a fairly interesting proposal, i.e. to use the bundling (see 
draft-klensin-reg-guidelines or rfc3743) to solve the homograph problem 
at the registry level, provided we can come up with a satisfactory table 
of lookalikes.

As an example, the word "coke" can be represented completely in Cyrillic 
homographs, so one can generate 16 combinations of ASCII and Cyrillic 
characters forming strings that look like "coke". When you register 
"coke.com", the other 16 variants are automatically tied to this domain 
(for free or for a fee). They can be either all activated (put into the 
zone file) or simply blocked from registration.

The good thing about this is that the lookalikes mapping table does not 
have to be set-in-stone at the protocol level, but individual registries 
may choose to implement whatever makes sense for them.

The problem with this is that the number of variants gets out of hand 
pretty quickly, and most registry systems aren't equipped to deal with 
bundles.

wil.
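
Added example, not part of the original message or of any registry's code: a sketch of the registry-level bundling described above, where a lookalike table folds each label to one canonical "skeleton" and a registration is blocked when its skeleton is already held by another owner. The table contents, the `Registry` class and the owner names are constructed assumptions for illustration.

```python
from itertools import product

# Constructed, deliberately tiny lookalike table (Cyrillic -> ASCII).
# A real registry would maintain its own, much larger table.
LOOKALIKES = {
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u043a": "k",  # CYRILLIC SMALL LETTER KA
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
}
# Reverse view: ASCII letter -> every glyph that renders like it.
GLYPHS = {}
for cyr, asc in LOOKALIKES.items():
    GLYPHS.setdefault(asc, [asc]).append(cyr)


def skeleton(label):
    """Fold a label to one canonical form; all lookalikes share it."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in label.lower())


def variants(label):
    """Enumerate every string in the bundle (grows exponentially)."""
    choices = [GLYPHS.get(ch, [ch]) for ch in skeleton(label)]
    return {"".join(p) for p in product(*choices)}


class Registry:
    """Hypothetical registry that blocks a bundle by its skeleton."""

    def __init__(self):
        self.bundles = {}  # skeleton -> owner

    def register(self, label, owner):
        key = skeleton(label)
        holder = self.bundles.setdefault(key, owner)
        return holder == owner  # False: collides with another owner's bundle


if __name__ == "__main__":
    reg = Registry()
    print(reg.register("coke", "owner-a"))            # first applicant
    print(reg.register("\u0441\u043eke", "owner-b"))  # mixed-script lookalike
    print(len(variants("coke")), len(variants("coca-cola")))
```

Comparing skeletons lets the registry store one key per bundle instead of every variant, while `variants()` shows how quickly the enumerated bundle grows with label length.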

