International Domain Names

Brad Fitzpatrick brad at danga.com
Mon Jun 27 20:35:41 PDT 2005


I talked to Mart about this in another forum:

When we start to render xn-- to utf-8, we'll be using a library to loudly
highlight characters adjacent to other characters of different Unicode
ranges.

So it'd look like:

  brad [livej!=o!urnal.com]

To indicate that the "o" was in a different Unicode range than the "j"
and/or "u".

So it does that without penalizing real non-abusive IDNs.

But this is a little off-topic for this list.  I know that French guy is
going to start screaming that the web is insecure and we should all run
for the hills, but I'm a little more optimistic that these problems are
tractable.  :-)

- Brad


On Tue, 28 Jun 2005, Martin Atkins wrote:

> By using URLs as identity strings, OpenID is inheriting the quirks and
> spoofing bugs that URLs have suffered recently, and will probably expose
> them in new and interesting ways given that these URLs will be displayed
> as part of an HTML document rather than in the address bar.
>
> One that springs to mind is that I could theoretically register
> livejоurnal.com (with a Cyrillic o) and then appear to any normal person
> to be any user at livejournal.com. Consumers will probably all do
> different things in response to this; some will probably end up printing
> the expanded xn-- version, others might print out some UTF-8 octets
> because their documents are declared as Latin-1, while some others will
> end up just displaying it indistinguishably from the real livejournal.com.
>
> What's to be done here?
>
> Note that some people are likely to actually *want* non-Latin characters
> in their identity URLs, which should also be considered. I think part of
> this will end up being a recommendation for how consumers should deal
> with and display IDNs. Non-latin characters could very well turn up in
> the path and query string portions of the URL as well.
>
> (It chould also include some more common sense stuff like remembering to
> escape the identity URLs when including them in an HTML document; I'd
> hope that all web developers would know this, but I know in my heart of
> hearts that it isn't true.)
>
>


More information about the yadis mailing list