[arabic-vip] ZWNJ Possible Risks/Issues

Mon Sep 26 14:15:03 UTC 2011

Raed and all,

For sure there are many examples like these ones that point to the security risk of having ZWNJ. However there are also many other examples that show the necessity of using this character such as those sent earlier by others, and most are risk-free. So I think what we achieved during our last f2f meeting was the best solution to ZWNJ problem: For each gTLD application in Arabic script that intends to contain ZWNJ, let the ICANN technical team make a thorough examination of possible risks for that particular application (case-by-case) and decide whether to accept it or not. 

-
Alireza

On Sep 26, 2011, at 12:22 PM, Raed Al-Fayez wrote:

> Dear All,
>  
> The goal of this emails is just to share with you some of the possible risks/issues when using ZWNJ in domain names (as what many members have requested):
>  
> 1-      In Unicode the ZWNJ is considered to be an invisible join control character and listed in the "Unicode Security Considerations" document which means that there are a some kind of risk when using it.
> 2-      Arab users (and any user who do not know ZWNJ) will not be able to type the domain name (because they will think it is a space not ZWNJ) which will lead reachability problems.
> 3-      Urdu/Farsi users (and other users that know ZWNJ) may not be able to type the domain name when they use Arabic keyboards (e.g. airport/internet cafes outside their countries) which will lead reachability problems.
> 4-      I think the current IDNA RFCs does not totally solve the issue of ZWNJ and the TAH family (0637, 0638 or 069F) you can still generate two different A-labels sharing the same U-Label (look alike)! see these links:
> http://unicode.org/cldr/utility/idna.jsp?a=%D8%B7%D8%A8%D9%84%0D%0A%D8%B7%E2%80%8C%D8%A8%D9%84
> http://demo.icu-project.org/icu-bin/idnbrowser?t=%D8%B7%E2%80%8C%D8%A8%D9%84
>  
> <image001.jpg>
> 5-      Still there are other issues not only with the TAH family (0637, 0638 or 069F) but with other code points (for example 06BE & 06FF and there might be more that share the same problem).
> <image003.jpg>
> <image007.jpg>
>  
> 6-      When Unicode changes there might be a risk that newly added code point might have the same issues as the TAH group.
> 7-      ..etc
>  
> At the end I am not saying that ZWNJ is not important because we don't use it. I am fully aware that there are many languages use ZWNJ but the use in domain names might raise some risks/issues similar to what I have shown in this email.
>  
> With best regards,
> 
> Raed I. Al-Fayez
> ------------------------------------------
> Senior IT Projects Specialist, M.Sc, PMP
> Saudi Network Information Center (SaudiNIC) 
> Communication and Information Technology Commission (CITC)
> Tel: + 966-1-2639235   - Fax: + 966-1-2639393
> http://www.nic.net.sa
> 
> -----------------------------------------------------------------------------------
> Disclaimer:
> This message and its attachment, if any, are confidential and may contain legally
> privileged information. If you are not the intended recipient, please contact the
> sender immediately and delete this message and its attachment, if any, from your
> system. You should not copy this message or disclose its contents to any other
> person or use it for any purpose. Statements and opinions expressed in this e-mail
> are those of the sender, and do not necessarily reflect those of the Communications
> and Information Technology Commission (CITC). CITC accepts no liability for damage
> caused by this email.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1654 bytes
Desc: not available
Url : http://mm.icann.org/pipermail/arabic-vip/attachments/20110926/c0732de8/smime.p7s 