[Gnso-ssr] Broken TMCH?

Kal Feher Kal.Feher at ariservices.com
Fri Feb 21 06:55:19 UTC 2014


Comments in line.


On 2014-02-21 00:43, Kal Feher wrote:
> I find these kinds of vague assertions troubling.

The statements were made during a telephone conference between SO/AC/SG chairs, and are copied text from the telephone conference adjacent chat room. They are definitely not conclusive descriptions of the situation.
KF - point taken, but vague assertions to dire consequences in any stakeholder forum are of little use to the community and should be discouraged.

What people also should have a look at to know the status of advice is the tracking mechanism for advice to the board. You can find the tracker here for the TMCH issues:


KF - Frustration at a lack of progress should not automatically translate to advice not to adhere to your Registry Agreement. I think some perspective is required.

<https://www.myicann.org/board-advice#advice-to-board_f=tmch&advice-to-board_d=false>

> The advice linked in the email is generic advice regarding LGRs. I'm 
> not clear how a malign TMCH label can cause harm in a registry with 
> label generation rules that enforce homogeneity and prevent cross 
> language/script homographic attacks.

Please see the SSAC report.
KF - I reiterate that it is generic and lacking any actual detail, especially with regards to security or stability issues. There's a suggestion (recommendation 10) to clarify roles, which is certainly a good idea, but hardly catastrophic if not implemented and has little value in preventing homographic attacks. Recommendation 11 applies to registries, not the TMCH, and recommendation 12 will help TMCH clients get the names they actually want, but again no security or stability risks. Are they buried somewhere else in the report?

KF - I think the TMCH should certainly be improved, I have a list of gripes that would keep IBM busy for years, but we should be clear about risks and impact. I see plenty of situations in which TMCH clients will not receive the result they expect. But there don't appear to be any security or stability risks that can be coherently described. Certainly none in the report.

> Is this advice for Registries that
> aren't using effective LGRs? Is this advice for the TMCH being sued 
> because said malicious registrant can't actually use their SMD 
> effectively (because registries prevent the label)? Is this a legal 
> risk or a risk to infrastructure or DNS consumers? Are we going to 
> address legal risks on this mailing list?

The SSAC document points out that the matching rules used in the TMCH are not the same as the combination of matching rules plus variant rules, specifically for non-ASCII scripts.

KF - Irrelevant. Homographic attacks require an actual registration. Either a registry's LGRs prevent it or they don't. For the TMCH it is more a failure of user expectations, which should not be conflated with an attack. It is important, but should be addressed separately.

KF - What of the registries that should be EBERO'd? If true it is of serious concern, if not true we really need to tone down the hyperbole.

   Patrik



