International Domain Names

[Martin Atkins]

By using URLs as identity strings, OpenID is inheriting the quirks and
spoofing bugs that URLs have suffered recently, and will probably expose
them in new and interesting ways given that these URLs will be displayed
as part of an HTML document rather than in the address bar.

One that springs to mind is that I could theoretically register
livejоurnal.com (with a Cyrillic o) and then appear to any normal person
to be any user at livejournal.com. Consumers will probably all do
different things in response to this; some will probably end up printing
the expanded xn-- version, others might print out some UTF-8 octets
because their documents are declared as Latin-1, while some others will
end up just displaying it indistinguishably from the real livejournal.com.

What's to be done here?

Note that some people are likely to actually *want* non-Latin characters
in their identity URLs, which should also be considered. I think part of
this will end up being a recommendation for how consumers should deal
with and display IDNs. Non-latin characters could very well turn up in
the path and query string portions of the URL as well.

(It chould also include some more common sense stuff like remembering to
escape the identity URLs when including them in an HTML document; I'd
hope that all web developers would know this, but I know in my heart of
hearts that it isn't true.)