May 13th, 2005

JiuZhaiGou Day 2

» ,

We managed to wrap up and conclude CDNC meeting by the morning (incidently, it is a good meeting – I am glad I am here!). So we decided to visit the famous 扎嘎瀑布 (Zhaga Waterfall) in the afternoon.

(you can see Prof. Qian waving if you look at the photo carefully ;-)
Read the rest of this entry »

May 12th, 2005


» ,

Woke up very early for CDNC meeting but what a view to wake up to:

cdnc-room-view-mini.jpg  cdnc-meeting-mini.jpg
(click here to see outside view)

Anyway, we have a long day. But it is worth it as we achieved a lot. Looks like we going to have an exciting time ahead ;-)

April 10th, 2005

IDN support in Microsoft IE 7


Wohoo! Microsoft IE 7 will have IDN support (via M.H. Blog)

E 7.0 will feature international domain name (IDN) support; transparent Portable Network Graphics (PNG) support, which will allow for the display of overlayed images in the browser; and new functionality that will simplify printing from inside IE 7.0, partner sources said. The new browser also will likely include a built-in news aggregator.

This is great news! Not sure if it because of JET Open Letter to Steve Ballmer is the reason for the inclusion (highly unlikely) but I hope the letter will help to make sure the feature stay there in the final release :-)

April 4th, 2005

JET Open Letter to Microsoft


Original in PDF format

Mr. Steve Ballmer
Chief Executive Officer
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399

Cc: Mr. Bill Gates
Chairman and Chief Software Architect
Microsoft Corporation
Cc: Mr. Michel Suignard
Senior Program Manager
Microsoft Corporation

Dear Mr. Ballmer, 

We, members of the JET (Joint Engineering Team), send this open letter to request Microsoft Corporation to implement IDN (Internationalized Domain Names) standards[1] in the next version of Internet Explorer.

JET was jointly established in July 2000 by the CNNIC, JPNIC[2], KRNIC, and TWNIC[3] to develop and implement IDN technology. JET is responsible for drafting RFC 3743 that is commonly known as JET Guidelines for Chinese, Japanese and Korean IDN. It is referenced by IANA Registry, ICANN IDN Guidelines and also is implemented by many domain name registries. 

IDN is a critical enabling technology that will make the Internet more useable and attractive to the majority of the Chinese, Japanese and Korean population who do not use English in their daily life. In fact, IDN is mentioned as one of the Declaration of Action of the World Summit of Information Society (WSIS).
Read the rest of this entry »

April 2nd, 2005

April Fool RFCs

» ,

While normal human beings celebrate April Fools by making publishing their transparent desktop picture on national newspaper, geeks publish standards like UTF-9/UTF-18 and Morality requirements for Routing. Look, geeks can be funny too! (ie, if you can understand the joke :-)

Anyway, IETF has a traditional to publish April Fool RFCs and I always watch out for them. But some of the April Fool RFCs are more then jokes. For example, RFC1149, an April RFC publish in 1990 talks about how to use carrier pigeons to carry IP packets. We have a great laugh during one of the IETF in 2001 when someone revealed they actually implemented it. Yes, they put packets into paper, put them on carrier pigeons and send them over! So thanks to that, RFC 1149 is now made a Full Standard :-)

Incidently, the UTF-9/18 joke reminded me of my UTF-5 Internet-Draft publish 5 years ago. No, UTF-5 was not a joke – it is was the proposal that got IDN Working Group started in IETF and also become the foundation of the ACE (ASCII Compatible Encoding) used in current IDN.

March 17th, 2005

IDN Parody on

» ,

Guilllaume Rischard setup a parody on using the IDN spoofing trick. He managed to get one registrar to register with a cyrillic S (U+0405) (ie :-)


Also check out Neustar website, the competitor to Verisign.

This actually started in #joiito a couple of weeks ago after the Eric published the spoofing attack paper. A joke was made that it would be funny if someone did it to and so he did.

I suppose I could rant why Verisign should adopt the JET Guideline (or ICANN Guidelines) but this parody would send a louder message.

Nevertheless, I am sure the folks in Verisign will react to this quickly.

The first would obviously fixing their own registration rules – if a student in UK can do this, this isn’t a good sign for them. Hopefully the fix will be consistent with the ICANN Guidelines :-) [btw, despite my rants against Verisign, I actually like the people work for Verisign – I still have friends (i hope) working there who is doing their best to do good things]

The second is how to deal with the parody site – Verisign isn’t know to have a great sense of humor so I fear for my friend – I taken the liberty to speak to Wendy from EFF just in case. IANAL but the only thing I could see Verisign has a case on is the domain name itself ( which is their trademark. The rest of the site have been made clear it is a parody – adapted from Neustar, who apparently have a great time laughing at the parody – or modified from Verisign in such a way no one would be ‘reasonably’ confused.

I suppose they could initiate a takedown notice under DMCA. But that would be interesting – how do you initiate a takedown notice on yourself :-)

They could get their army of lawyers to send threatening letters to Rischard to take it down – but that would only be PR disaster for them and would further attract more attention to the site.

Or alternatively, they could just send a polite email to Rischard to ask him to take it down – Rischard is doing this for a laugh, not looking for a fight so he might afterall.

February 15th, 2005

Don’t disable IDN


I couldn’t put it better so I won’t. From Paul Hoffman:

Reading the ensuing Slashdot and other coverage gave me the feeling that nearly everyone talking was from the US, UK, or Australia, the three countries that have the least native need for IDNs.

It also became clear that few of the folks in the discussion knew much about Unicode (and, in some cases, the DNS…). Suggestions like “find all the homographs and map them together” and “ban all domain names that have more than one language in them” reminded me of discussions four years ago with people who were also unfamiliar with the basic topics but felt empowered to speak anyway.

For completeness, I should explain why both of those proposals are silly. The number of homographs in Unicode is in the thousands under the best of situations, and much higher in the worst…

Banning all domain names with more than one “language” would ban names that include both non-ASCII and ASCII characters. This ignores how deeply English and French have mixed with other languages; it is common to find businesses with the word “shop” or “café” in their names throughout the world…

Given that the problem is that domain names with more than one script can cause homograph confusion, the solution should highlight names that have more than one script and say what script the characters come from. This can be done with a hover-over pop-up like this:


It is clear that what would be best is that the proposed solutions come from people who have both a reasonable understanding of internationalization and a reasonable amount of care about languages other than English.

February 8th, 2005

IDN and homographs spoofing


There is a published spoofing attack using homographs IDN. By using a Cyrillic SMALL LETTER A (U+430), Securnia is able to pretend to be

Actually this is well-documented in RFC 3490 under the Security Consideration:

To help prevent confusion between characters that are visually similar, it is suggested that implementations provide visual indications where a domain name contains multiple scripts. Such mechanisms can also be used to show when a name contains a mixture of simplified and traditional Chinese characters, or to distinguish zero and one from O and l. DNS zone adminstrators may impose restrictions (subject to the limitations in section 2) that try to minimize homographs.

The problem is that many of the current IDN implementations did not provide any indication that it is an IDN names (instead of a normal one). In fact, Mark Davis1 published a snipplet of code to demostrate how to do despoofing in 2002.2

But the fact Secunia is able to register (with Cyrillic a), ie begs a question – why are they able to do so?

Even though we have been asking Verisign registry to implement RFC 3743 (aka JET Guidelines) or to follow ICANN IDN Guidelines (specifically on language tag) for many years, they have not done so, and instead opt to allow any IDN strings to be registered. This homographs spoofing attack would not be possible if Verisign have done appropriate step to associate each registered internationalized domain name with one language or set of languages and employ language-specific registration and administration rules that are documented and publicly available (as recommended by ICANN IDN Guideline).

Now, given Verisign is a security company, the “Trust Company”, and they have been following the IDN standardization work from the beginning, I am sure this is well-known to them. Lets hope this report will help change their position before a real phishing attack occurs.

1 Mark Davis is the president of Unicode Consortium.

2 Updated 18th Feb: Found a better and working example.

Update: Mark Davis poined out a UTR #36 Security Consideration for Implementation of Unicode and other Related Technologies.

Ben Laurie pointed out I have incorrectly attribute the IDN spoofing to Securnia – it was Eric Johnson.

December 17th, 2004

Chinese IDN in the news


[Update 21st Dec: This article is also syndicated to CircleID] published a well-research article on the Chinese Domain Names by Winston Chai.

This approach works fine in the English-savvy world. However, for non-English speakers, they could be faced with the unenviable task of rote-learning numerical IP addresses, which is highly improbable, or the English spellings of dozens of Web sites they want to access.

Just a few point of interest

1. It sound like Winston got some of his material from Dr. Tan.1 At least, that’s sound suspicious like what Dr Tan would say. :-)

2. While it is pretty well written, some of the information are abit outdated. For example, Verisign and i-DNS stuff are really old news (2001).

The newer stuff like the various IDN deployments in CJK (e.g. CNNIC), the open source effort in Mozilla, Konquerer and IDN-OSS, or adoption of IDNs in Safari and Opera etc wasn’t discussed. (See IDN Software for more info)

Neither did it mention the JET Guideline for CJK which is an important work and milestone for Chinese Domain Names.

3. The “representative” mentioned in the article is Prof. Qian Hualin. Prof Qian is currently the Chief Engineer of CNIC (ISC is an organization under CNIC). Prof. Qian is also the board member of ICANN.

Despite Prof. Qian enthusiasm by the promises from Ballmer, I think Microsoft will take at least 12 months (but latest by Longhorn) to get IDN support into Internet Explorer. This was what Michel (Microsoft) essentially said during the ICANN IDN panel two weeks ago in Cape Town.

Oh one more thing,

While foreign IT vendors are going local, top-level support for implementation and education on IDNs, however, seems lacking, as efforts have been sporadic to date. At a time when things are moving at Internet speed, isn’t seven years too long a wait for IDNs to come to fruition?

As one who been driving IDNs for the last five years, I say ‘Amen’.

ps: The reporter also made a minor mistake when saying IETF is the engineering arm of ICANN. ISOC is the “parent” organization for the informal IETF.

1 [Update 17th Sept] Okay, apparently Winston did try to contact me for the article but we never hooked up as I was in Cape Town in ICANN then.

December 2nd, 2004

Proposal to implement IDN TLD

» ,

During the breakfast pre-panel discussion, a few of us were sitting around and discussing IDN Top Level Domains (TLDs). Normally, such debates goes no where but surprisingly, we actually got some agreement this time!

The first thing we note is that there is no perfect solution. Every proposals has some problems – it does not work with ccTLD; it breaks gTLD; it does not handle minority languages/scripts; it has collision with other languages; etc. So we should just try to find a solution which has the least amount of pain, so long it works, can scale and can be implemented reasonably.

Another thing to note is that gTLD, sTLD and ccTLD are very different from one another. It is unlikely we can find a solution that works for all type TLD. We should tackle them individually and differently.
Read the rest of this entry »