<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_ym19_1_1535743709491_18005"><span id="yui_3_16_0_ym19_1_1535743709491_18004">I would like to suggest that we expand on Dennis' draft a bit. Perhaps with the following text added.</span></div><div id="yui_3_16_0_ym19_1_1535743709491_16652"><div id="yui_3_16_0_ym19_1_1535743709491_16868"> </div><div id="yui_3_16_0_ym19_1_1535743709491_17638">*************************************************************************************************************************</div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_17791">It may be helpful in clarifying matters if the IP could address a few actual examples for us. We are all clear that <br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_17639">o and ỗ 006F and 1ED7<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_17640">are sufficiently different to not even be confuseable. On the other hand <br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_17641">ə and ǝ 0259 and 01DD<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_17642">are pixel for pixel identical. (It should be noted, we have been presented with an argument that even they are not variants.)</div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_17643"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_18592">So, where in between does the threshold for variants lie: <br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_18593">ı and ɩ 0131 and 0269<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_18890"> The difference is on the order of that between different fonts.</div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_19132"> Variants or "merely visually similar"?</div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_19134"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_19280">ă and ǎ 00E1 and 01CE</div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_19691"> The difference is small enough that, at normal (12 point) type size, the eye cannot distinguish. <br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_19942"> Variants or "merely visually similar"?</div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_19135"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_20142">j and į 006A and 012F</div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_20785"> Outside the fraction of a percent of users who have encountered the latter previously, it wouldn't occur to anyone that the latter was anything except a letter J. <br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_20786"> Variants or "merely visually similar"?</div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_20793"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_20792">ü and ű 00FC and 0171 <br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_21293"> Variants or "merely visually similar"? </div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_21294"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_21371">m and rn 006C and 0072 plus 006D <br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_21792"> Variants or "merely visually similar"? <br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_22202"><br></div><div id="yui_3_16_0_ym19_1_1535743709491_22207" dir="ltr">k and ƙ 006B and 0199<br></div><div id="yui_3_16_0_ym19_1_1535743709491_22208"> Variants or "merely visually similar"? <br id="yui_3_16_0_ym19_1_1535743709491_22214"></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_22215"><br id="yui_3_16_0_ym19_1_1535743709491_22216"></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_22205">p and þ 0070 and 00FE<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_21783"> Variants or "merely visually similar"? <br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_23516"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_23718">d and ɗ 0064 and 0257 <br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_23720"> Variants or "merely visually similar"? </div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_22833"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_23097">õ and ō 00F5 and 014D<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_20352"> Variants or "merely visually similar"? <br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_25512"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_25884">i and ı 0069 and 0131 <br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_25996"> FYI, an experiment with a couple dozen native speakers of English found them unable to spot occurrences of the latter. Even when told that there was a variation on the letter I somewhere in the text.<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_23323"> Variants or "merely visually similar"? </div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_23725"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_23729">P.S. As may be obvious, the Latin GP is going to find it difficult to respond to the IP's query about whether various letters with a diacritic below are variants. And until we are clear on what the IP's <i>purpose</i> is in designating some kinds of similarity variants and others not, it will be impossible to respond to the Why? part of the query.<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_24124"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_24123">**********************************************************************************************************************************<br></div><div id="yui_3_16_0_ym19_1_1535743709491_17644"><br></div><div id="yui_3_16_0_ym19_1_1535743709491_24778"><br></div></div><div class="signature" id="yui_3_16_0_ym19_1_1535743709491_16670">Bill Jouris<br>Inside Products<br>bill.jouris@insidethestack.com<br>831-659-8360<br>925-855-9512 (direct)</div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1535743709491_17645"><br><br></div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1535743709491_17649" style="display: block;"> <div style="font-family: Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1535743709491_17648"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1535743709491_17647"> <div dir="ltr" id="yui_3_16_0_ym19_1_1535743709491_17646"> <font size="2" face="Arial"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> "Tan Tanaka, Dennis via Latingp" <latingp@icann.org><br> <b><span style="font-weight: bold;">To:</span></b> "latingp@icann.org" <latingp@icann.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Friday, August 31, 2018 1:43 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Latingp] From IP: Diacritics below a security risk?<br> </font> </div> <div class="y_msg_container"><br><div id="yiv0601733086"><style>#yiv0601733086 #yiv0601733086 --
_filtered #yiv0601733086 {panose-1:2 4 5 3 5 4 6 3 2 4;}
_filtered #yiv0601733086 {font-family:DengXian;panose-1:2 1 6 0 3 1 1 1 1 1;}
_filtered #yiv0601733086 {font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;}
_filtered #yiv0601733086 {panose-1:2 1 6 0 3 1 1 1 1 1;}
#yiv0601733086
#yiv0601733086 p.yiv0601733086MsoNormal, #yiv0601733086 li.yiv0601733086MsoNormal, #yiv0601733086 div.yiv0601733086MsoNormal
{margin:0in;margin-bottom:.0001pt;font-size:11.0pt;font-family:sans-serif;}
#yiv0601733086 a:link, #yiv0601733086 span.yiv0601733086MsoHyperlink
{color:#0563C1;text-decoration:underline;}
#yiv0601733086 a:visited, #yiv0601733086 span.yiv0601733086MsoHyperlinkFollowed
{color:#954F72;text-decoration:underline;}
#yiv0601733086 p.yiv0601733086MsoListParagraph, #yiv0601733086 li.yiv0601733086MsoListParagraph, #yiv0601733086 div.yiv0601733086MsoListParagraph
{margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;font-size:12.0pt;font-family:sans-serif;}
#yiv0601733086 p.yiv0601733086MsoListParagraphCxSpFirst, #yiv0601733086 li.yiv0601733086MsoListParagraphCxSpFirst, #yiv0601733086 div.yiv0601733086MsoListParagraphCxSpFirst
{margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;font-size:12.0pt;font-family:sans-serif;}
#yiv0601733086 p.yiv0601733086MsoListParagraphCxSpMiddle, #yiv0601733086 li.yiv0601733086MsoListParagraphCxSpMiddle, #yiv0601733086 div.yiv0601733086MsoListParagraphCxSpMiddle
{margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;font-size:12.0pt;font-family:sans-serif;}
#yiv0601733086 p.yiv0601733086MsoListParagraphCxSpLast, #yiv0601733086 li.yiv0601733086MsoListParagraphCxSpLast, #yiv0601733086 div.yiv0601733086MsoListParagraphCxSpLast
{margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;font-size:12.0pt;font-family:sans-serif;}
#yiv0601733086 p.yiv0601733086msonormal0, #yiv0601733086 li.yiv0601733086msonormal0, #yiv0601733086 div.yiv0601733086msonormal0
{margin-right:0in;margin-left:0in;font-size:11.0pt;font-family:sans-serif;}
#yiv0601733086 span.yiv0601733086EmailStyle19
{font-family:sans-serif;color:windowtext;}
#yiv0601733086 .yiv0601733086MsoChpDefault
{font-size:10.0pt;}
_filtered #yiv0601733086 {margin:1.0in 1.0in 1.0in 1.0in;}
#yiv0601733086 div.yiv0601733086WordSection1
{}
#yiv0601733086 </style><div>
<div class="yiv0601733086WordSection1">
<div class="yiv0601733086MsoNormal">Mirjana, et al</div>
<div class="yiv0601733086MsoNormal"> </div>
<div class="yiv0601733086MsoNormal">Below is a proposed response to IP </div>
<div style="border:none;border-bottom:dotted windowtext 3.0pt;padding:0in 0in 1.0pt 0in;">
<div class="yiv0601733086MsoNormal" style="border:none;padding:0in;"> </div>
</div>
<div class="yiv0601733086MsoNormal"> </div>
<div class="yiv0601733086MsoNormal">From: Latin GP<span style="font-size:12.0pt;"></span></div>
<div style="border:none;border-bottom:solid windowtext 1.0pt;padding:0in 0in 1.0pt 0in;">
<div class="yiv0601733086MsoNormal" style="border:none;padding:0in;">To: IP</div>
</div>
<div class="yiv0601733086MsoNormal"> </div>
<div class="yiv0601733086MsoNormal">The Latin GP appreciates the additional input received on August 29, 2018 titled “Diacritics below a security risk?”.</div>
<div class="yiv0601733086MsoNormal"> </div>
<div class="yiv0601733086MsoNormal">In its feedback, IP makes a case for potential security risks when certain diacritics below (e.g. dot and line below) are used in a domain name. The risk is not always apparent, but it reveals itself when the diacritic below is obscured
by an underline, which is the typical formatting feature of hyperlinks. The IP asserts “Of all diacritics, diacritics below can be difficult to distinguish or be prone to clipping”.</div>
<div class="yiv0601733086MsoNormal"> </div>
<div class="yiv0601733086MsoNormal">Security risks deserve a place in our analysis, so Latin GP is committed to explicitly discuss this matter, resolve whether they constitute a security risk to the Root Zone and decide a solution vis-à-vis the LGR.</div>
<div class="yiv0601733086MsoNormal"> </div>
<div class="yiv0601733086MsoNormal">On a related note, the Latin GP would like to get additional clarification regarding some of IP’s statements from the August 29 email:
</div>
<div class="yiv0601733086MsoNormal" style="margin-left:.5in;"> </div>
<div class="yiv0601733086MsoNormal" style="margin-left:.5in;"><i>“It can be argued users have no working understanding of typography and would not reliably interpret small gaps or bulges in the underline as being related to an unfamiliar code point”</i>.
</div>
<div class="yiv0601733086MsoNormal" style="margin-left:.5in;"><i> </i></div>
<div class="yiv0601733086MsoNormal" style="margin-left:.5in;"><i>“The IP would like to encourage the Latin GP […] to explicitly examine [the diacritics below] example and other cases like it, where code points can become indistinguishable in common usage scenarios for IDNs”</i>.
</div>
<div class="yiv0601733086MsoNormal"> </div>
<div class="yiv0601733086MsoNormal">Some GP members would imply that IP is welcoming visual similarity or confusability as a criterion for variant definition (e.g. letters with diacritics acute and grave could be deemed indistinguishable, therefore variants). Other members
don’t agree with that reasoning. In this context, the Latin GP wants to confirm that prior guidance from IP (below), which we find consistent with the LGR Procedure, is not at odds with the August 29 email.</div>
<div class="yiv0601733086MsoNormal"> </div>
<div class="yiv0601733086MsoNormal"> <u>LGR Procedure:</u></div>
<div class="yiv0601733086MsoNormal" style="margin-left:.5in;">“Finally, in investigating the possible variant relations, Generation Panels should ignore cases where the relation is based exclusively on aspects of visual similarity.”</div>
<div class="yiv0601733086MsoNormal"> </div>
<div class="yiv0601733086MsoListParagraphCxSpFirst"><u><span style="font-size:11.0pt;">October 18, 2017: Principles for repertoire and variants – Feedback from IP</span></u></div>
<div class="yiv0601733086MsoListParagraphCxSpLast"><i><span style="font-size:11.0pt;">“In the context of the Root Zone, the Procedure is quite clear in that it considers simple similarity of appearance to be outside the scope of the Root Zone LGR.”</span></i><span style="font-size:11.0pt;">...
<i>“Having the Root Zone exhibit fundamentally different design decisions with respect to variants than those found on the second level would have to be justified by strong arguments based on factors special to the Root Zone.”</i></span></div>
<div class="yiv0601733086MsoNormal"> </div>
<div class="yiv0601733086MsoListParagraphCxSpFirst"><u><span style="font-size:11.0pt;">March 22, 2017: Latin GP Proposal: IP Feedback</span></u></div>
<div class="yiv0601733086MsoListParagraphCxSpLast"><i><span style="font-size:11.0pt;">“The kinds of variants to be defined in the Root Zone LGR are limited to homoglyphs, which are characters essentially identical appearance by design, instead of merely similar appearance.”</span></i><span style="font-size:11.0pt;"></span></div>
<div class="yiv0601733086MsoNormal"> </div>
<div class="yiv0601733086MsoNormal"> </div>
<div class="yiv0601733086MsoNormal">Sincerely,</div>
<div style="border:none;border-bottom:dotted windowtext 3.0pt;padding:0in 0in 1.0pt 0in;">
<div class="yiv0601733086MsoNormal" style="border:none;padding:0in;">Latin GP</div>
</div>
<div class="yiv0601733086MsoNormal"> </div>
<div class="yiv0601733086MsoNormal"> </div>
<div class="yiv0601733086yqt4391927825" id="yiv0601733086yqt42616"><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in;">
<div class="yiv0601733086MsoNormal" style="margin-left:.5in;"><b><span style="font-size:12.0pt;color:black;">From:
</span></b><span style="font-size:12.0pt;color:black;">Latingp <latingp-bounces@icann.org> on behalf of Sarmad Hussain <sarmad.hussain@icann.org><br clear="none">
<b>Date: </b>Wednesday, August 29, 2018 at 2:58 AM<br clear="none">
<b>To: </b>Latin GP <latingp@icann.org><br clear="none">
<b>Subject: </b>[EXTERNAL] [Latingp] From IP: Diacritics below a security risk?</span></div>
</div>
<div>
<div class="yiv0601733086MsoNormal" style="margin-left:.5in;"> </div>
</div>
<div class="yiv0601733086MsoNormal" style="margin-left:.5in;">Dear Latin GP members </div>
<div>
<div class="yiv0601733086MsoNormal" style="margin-left:.5in;"> </div>
</div>
<div>
<div class="yiv0601733086MsoNormal" style="margin-left:.5in;">Kindly find below some feedback from IP for your consideration.</div>
</div>
<div>
<div class="yiv0601733086MsoNormal" style="margin-left:.5in;"> </div>
</div>
<div>
<div class="yiv0601733086MsoNormal" style="margin-left:.5in;">Regards </div>
</div>
<div>
<div class="yiv0601733086MsoNormal" style="margin-left:.5in;">Sarmad </div>
<div>
<div class="yiv0601733086MsoNormal" style="margin-left:.5in;"><br clear="none">
<br clear="none">
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt;">
<div>
<div class="yiv0601733086MsoNormal" style="margin-bottom:12.0pt;margin-left:.5in;">
<br clear="none">
TO: LatinGP<br clear="none">
FROM: IP<br clear="none">
<br clear="none">
There are recent and widely published examples of phishing attacks using Latin IDNs in which the key features involved were diacritics below the letter. Here is an example:</div>
<div style="margin-left:.5in;"><span style=""><img id="yiv0601733086_x0000_i1028" style="width:4.5625in;min-height:2.9791in;" src="cid:JU3zsqJa04qWFotd0PTc" yahoo_partid="1.2" alt="cid:part1.E6E9F88C.32B00687@ix.netcom.com" data-id="e4bbf1da-850c-1696-0845-7b10219dc32d" width="438" height="286"></span></div>
<div style="margin-left:.5in;"><span style="">Of all diacritics, diacritics below can be difficult to distinguish or be prone to clipping -- there is less space below the baseline than between the typical lowercase glyph and the top
of the line.</span></div>
<div style="margin-left:.5in;"><span style="">The example given above shows a further interaction with URL underlining - and not all display engines actually do as nice a job interrupting the underline as in the screen shot above.
For example, here is how one system will render this (using a designated UI font - Segoe UI):</span></div>
<div style="margin-left:.5in;"><span style=""><img id="yiv0601733086_x0000_i1027" style="width:1.927in;min-height:.3333in;" src="cid:015eA4alP9ojTUxlKuRt" alt="cid:part2.59964F92.16B1BC0B@ix.netcom.com" data-id="b234b150-f7a1-340c-5fa4-f1ca210ba44e" width="185" height="32"></span></div>
<div style="margin-left:.5in;"><span style="">Note, this code point (U+1E33) is in the MSR as is (U+1E35 LATIN SMALL K WITH LINE BELOW).</span></div>
<div style="margin-left:.5in;"><span style=""><img id="yiv0601733086_x0000_i1026" style="width:2.052in;min-height:.4895in;" src="cid:wCxJAQm6k8YqtJbeWn3Z" alt="cid:part3.99B9649E.C3C335FC@ix.netcom.com" data-id="b79a3539-9ef6-1c31-8590-476acde81529" width="197" height="47"></span></div>
<div style="margin-left:.5in;"><span style="">The second example contains U+1E35 -- while the effect does not show equally at all type sizes, from 12pt and below the LINE BELOW is reliably hidden. Here are the two examples at 10pt</span></div>
<div style="margin-left:.5in;"><span style=""><img id="yiv0601733086_x0000_i1025" style="width:1.052in;min-height:.5833in;" src="cid:IQGuIsPKsoBejjTQOBUR" alt="cid:part4.B43CE3FD.8C84EACF@ix.netcom.com" data-id="7df7435d-24bd-5674-2e48-08277d0e513f" width="101" height="56"></span></div>
<div style="margin-left:.5in;"><span style="">The issue is not limited to "K". We see "B", "D", "L" and "N" with both DOT and LINE BELOW and "M" and "H" with DOT BELOW, all on the same page in the MSR.</span></div>
<div style="margin-left:.5in;"><span style="">It can be argued users have no working understanding of typography and would not reliably interpret small gaps or bulges in the underline as being related to an unfamiliar code point.
This appears to make all diacritics below security-sensitive, however, the initial determination belongs to the relevant GPs.</span></div>
<div style="margin-left:.5in;"><span style="">Note by the way that the Devanagari LGR treats sequences containing NUKTA (a dot below) as variants in at least some cases and recent community comments for that script are calling for
more variant sequences. However, while the feature is graphically analog (dot below), each script works differently and there is no single a-priori solution.</span></div>
<div style="margin-left:.5in;"><span style="">The IP would like to encourage the LatinGP (and any other GP facing cases like this) to explicitly examine this example and other cases like it, where code points can become indistinguishable
in common usage scenarios for IDNs, and formally conclude whether and how to take these into account when designing their LGR.</span></div>
<div style="margin-left:.5in;"><span style="">At this point, the IP would expect the GP to:</span></div>
<div style="margin-left:.5in;"><span style="">* explicitly discuss this and other scenarios like it</span></div>
<div style="margin-left:.5in;"><span style="">* evaluate whether they constitute a security risk to the Root Zone</span></div>
<div style="margin-left:.5in;"><span style="">* come up with a reasoned decision as to whether and how to address them in the design of the Latin GP; and finally</span></div>
<div style="margin-left:.5in;"><span style="">* document both the decision and its rationale.</span></div>
<div style="margin-left:.5in;"><span style="">In coming to a decision, the GP may resolve:</span></div>
<div style="margin-left:.5in;"><span style="">1) to make them variants</span></div>
<div style="margin-left:.5in;"><span style="">2) to list them for attention as confusable</span></div>
<div style="margin-left:.5in;"><span style="">3) to take no action, because the GP feels that they do not represent a special security risk.</span></div>
<div style="margin-left:.5in;"><span style="">As part of the review of the Latin LGR, the IP will look at the background and rationale offered by the Latin GP in coming to its conclusion; note that if the IP feels that the facts considered
and rationale documented do not support the conclusion reached by the GP it may raise objections at that time.</span></div>
</div>
</blockquote>
</div>
</div></div>
</div>
</div></div><div class="yqt4391927825" id="yqt20329">_______________________________________________<br clear="none">Latingp mailing list<br clear="none"><a shape="rect" ymailto="mailto:Latingp@icann.org" href="mailto:Latingp@icann.org">Latingp@icann.org</a><br clear="none"><a shape="rect" href="https://mm.icann.org/mailman/listinfo/latingp" target="_blank">https://mm.icann.org/mailman/listinfo/latingp</a><br clear="none"></div><br><br></div> </div> </div> </div></div></body></html>