<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Hi Asmus, <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>As a chair of Cyrillic GP, I must assure you that I know all those things you have just explained. </span><span style='font-size:11.0pt;font-family:Wingdings;color:#1F497D'>J</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Thanks for very good explanation, and yes, we done wonderful job with cross-script homoglyphs, but it seems to me that I need to explain something else> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>in my mind there is no question of Latin brand written on Arabic script. I use to work for brand </span><span lang=SR-CYRL-RS style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Политика</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> / Cyrillic brand, so I am thinking about Cyrillic brands on Arabic, Armenian, Greek, Latin…</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> <span lang=SR-CYRL-RS><o:p></o:p></span></span></p><p class=MsoNormal><span lang=SR-LATN-RS style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>All in all - I was saying that because of possible confusion between all scripts – not only related to „ASCII brands“.<o:p></o:p></span></p><p class=MsoNormal><span lang=SR-LATN-RS style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>And again, maybe I am wrong, just discussing </span><span lang=SR-LATN-RS style='font-size:11.0pt;font-family:Wingdings;color:#1F497D'>J</span><span lang=SR-LATN-RS style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span lang=SR-LATN-RS style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=SR-LATN-RS style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>For certificates – in other email.<o:p></o:p></span></p><p class=MsoNormal><span lang=SR-LATN-RS style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=SR-LATN-RS style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Cheers,<o:p></o:p></span></p><p class=MsoNormal><span lang=SR-LATN-RS style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Dusan<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'> Asmus Freytag (c) [mailto:asmusf@ix.netcom.com] <br><b>Sent:</b> Friday, April 21, 2017 9:01 PM<br><b>To:</b> Dusan Stojicevic <dusan@dukes.in.rs>; nalini.elkins@insidethestack.com; 'Vittorio Bertola' <vittorio.bertola@open-xchange.com>; ua-discuss@icann.org; 'Edmon Chung' <edmon@registry.asia><br><b>Subject:</b> Re: [UA-discuss] IDN Implementation Guidelines [RE: Re : And now about phishing...]<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On 4/21/2017 10:11 AM, Dusan Stojicevic wrote:<o:p></o:p></p></div><p class=MsoNormal><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre><o:p> </o:p></pre><pre>And these are just brand names with Cyrillic... more of them can be made with other scripts (Armenian, Georgian, Greek, Arabic...).<o:p></o:p></pre></blockquote><p class=MsoNormal><br>Just hold on a minute. <br><br>We've just done a pretty thorough first pass over cross-script homoglyphs (the identical-looking code points, not the "looks the same if you squint at them at arms-length" variety).<br><br>The conclusion is that Armenian has a small number of letters (q, h, n, u, o, and possibly g) that might qualify. In some fonts, they are rendered practically identically, in others not so much:<br><img width=190 height=55 id="_x0000_i1025" src="cid:image001.png@01D2BAF8.DCD97420"><br><br>They are also less "useful" for whole script confusables, as they lack certain high frequency letters like "e", "a", "i", and "s"<o:p></o:p></p><pre><i>Armenian<o:p></o:p></i></pre><pre> x x x x x x<o:p></o:p></pre><pre><b>etaoinshrdlcumwfgypbvkjxqz<o:p></o:p></b></pre><pre>x xxx xx x xx x <o:p></o:p></pre><pre><i>Cyrillic<o:p></o:p></i></pre><p>Now for Georgian, the same review concluded there is no high fidelity overlap (near identical pair of code points).<o:p></o:p></p><p>In Greek you have a real issue only to the extent that you show the address in uppercase. Most of the lowercase letters are pretty distinct (except for omicron, and nu (ν) looks more than a little bit like "v"). We had a strong debate on whether to take uppercase into account when deciding which code points constitute cross-script variants.<o:p></o:p></p><p>The conclusion we had was that the protocol is limited to lowercase for a reason.<o:p></o:p></p><p>If you consider uppercase, you get different pairs based on the two cases.<o:p></o:p></p><p>Capital N looks like "N", lowercase nu looks like "v". If you require variants to be transitive (very necessary for optimized evaluation), then you get "n" as a variant of "v" in Latin!<o:p></o:p></p><p>It works like this: Lowercase n is a case variant of cap N, N is a (homoglyph-)variant of Cap Nu, Cap Nu is a (case-)variant of lowercase nu, lowercase nu is a (homoglyph-)variant of v. When you traverse this chain, which is what defines transitivity, you can get from "n" to "v" inside the same script.<o:p></o:p></p><p>We figured that we had reached the limit of what you can address with variants in the registries at this point.<o:p></o:p></p><p>Finally, as for Arabic, I would like to see an example of a Latin label spoofed using only Arabic letters.<o:p></o:p></p><p>(It's possible to write "English" using Chinese characters that vaguely look like letters of the alphabet, but while you can read such texts, they look rather odd).<o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre><o:p> </o:p></pre><pre>Also agree entirely with Vittorio, and just want to add another layer of the problem - epic.com example use https, and while GeoTrust and at least one other CA have stopped issuing automated certificated for IDNs sometime ago for other reasons, this trend will be expected for others to follow.<o:p></o:p></pre></blockquote><p class=MsoNormal><br>Displaying some details about the domain/certificate owner (see my previous message) would seem to be more useful than showing an IDN as impenetrable xn-- label. The former works for phishing attacks against any scripts, the latter is only useful for people who can be expected to work entirely without IDNs.<br><br>A./<o:p></o:p></p></div><div id="DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2"><br />
<table style="border-top: 1px solid #D3D4DE;">
<tr>
<td style="width: 55px; padding-top: 13px;"><a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=icon" target="_blank"><img src="https://ipmcdn.avast.com/images/icons/icon-envelope-tick-round-orange-animated-no-repeat-v1.gif" width="46" height="29" style="width: 46px; height: 29px;" /></a></td>
<td style="width: 470px; padding-top: 12px; color: #41424e; font-size: 13px; font-family: Arial, Helvetica, sans-serif; line-height: 18px;">Virus-free. <a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=link" target="_blank" style="color: #4453ea;">www.avast.com</a>
</td>
</tr>
</table><a href="#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2" width="1" height="1"> </a></div></body></html>