[Cryptography] Typesetting vs. identifiers, On those spoofed domain names...

John Levine johnl at iecc.com
Sat Mar 10 00:04:49 EST 2018


In article <20180310003710.GC3057 at localhost> you write:
>What happened is that human scripts and human politics are not simple,
>and precluding all homoglyphs was a) never part of the UC's mission, b)
>never plausibly and politically going to be part of the UC's mission.
>Yes, CJK unification was a thing, but only for CJK, and it failed
>politically.

Right.  The original and I think still primary goal of Unicode is to
be a typesetting language.  It does that quite well.  I can compose a
message on my phone with, say, emoji of a princess with medium dark
skin waving an Italian flag, and it'll display on a wide range of
devices as a recognizable princess and flag.  It is also true that emoji
make horrible identifiers since princess and girl emoji look almost
the same, and adjacent skin tones (there are five) look almost the
same, and if you have lousy color vision, Italian and Irish flags look
almost the same.  All this means is that the set of Unicode strings
suitable for identifiers is much, much smaller than the set of all
Unicode strings.

>There's no need to cry over this.  Instead we need to demand that
>registrars prevent registration of domains that are typo-, font-, and/or
>homoglyph-confusable.  We also need to write code that does fuzzy
>confusable matching.

Also right.  If you bother to learn about normalization and IDNA and
PRECIS and label generation rules, you can come up with usable subsets
of Unicode for identifiers.  It's not perfect as the Krebs article
rediscovered; you can't totally avoid homoglyphs, but that is not new
(MICR0SOFT and paypaI) and there are ways to mitigate the damage.

Unfortunately, as we saw in recent exchanges here, some people want
Unicode to be easy ("just give me a list of homoglyphs") and in the
DNS world, there are perverse incentives to sell as many 2LDs as
possible, regardless of how unsuitable they are as identifiers.

R's,
John
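
An added example, not part of the original message: a minimal registrar-side check in the spirit of the confusable matching discussed above, run against the two lookalikes the message cites (MICR0SOFT, paypaI). The confusable table is a tiny constructed subset, the script detection from Unicode character names is a heuristic, and the function names are hypothetical; IDNA/PRECIS processing and label generation rules are out of scope here.

```python
import unicodedata

# Constructed, deliberately tiny confusable table (an assumption of this
# example). Production code would load the Unicode UTS #39 confusables data.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "i": "l",          # digit/letter lookalikes (coarse)
    "\u0430": "a", "\u0435": "e",          # Cyrillic a, ie
    "\u043e": "o", "\u0440": "p",          # Cyrillic o, er
    "\u0441": "c", "\u0455": "s",          # Cyrillic es, dze
})

def skeleton(label: str) -> str:
    """Fold a label to a comparison key: NFKC, casefold, then map lookalikes."""
    folded = unicodedata.normalize("NFKC", label).casefold()
    return folded.translate(CONFUSABLES)

def scripts(label: str) -> set:
    """Heuristic: take the first word of each letter's Unicode name as its script."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def review(candidate: str, protected: list) -> list:
    """Return the reasons a registration check would flag this label."""
    reasons = []
    if len(scripts(candidate)) > 1:
        reasons.append("mixed-script")
    key = skeleton(candidate)
    for name in protected:
        # Same skeleton but not the same label: visually confusable.
        if candidate.casefold() != name.casefold() and key == skeleton(name):
            reasons.append("confusable-with:" + name)
    return reasons

if __name__ == "__main__":
    PROTECTED = ["microsoft", "paypal"]    # constructed sample list
    for label in ["MICR0SOFT", "paypaI", "p\u0430ypal", "example"]:
        print(ascii(label), review(label, PROTECTED))
```

Because both sides are reduced to the same skeleton, the check flags more than true homoglyphs (for instance i and l collapse), which suits a review queue but not an automatic rejection.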


