After much discussion, email@example.com and firstname.lastname@example.org have agreed a short-term strategy for dealing with the recently-publicised issues relating to IDN and domain spoofing.
First off, we want to make it clear: we support Opera’s position that this is a registrar/registry problem. These issues were known when IDN was proposed, guidelines were developed for avoiding the problem by restricting registrations, and the DNS registration organisations need to step up and implement them. (Certificate Authorities should also, as a simple matter of acting responsibly, not issue certs for domains which are part of a homographic block registered to two or more entities.)
However, we also have a duty to protect our users. So, in the meantime, the enableIDN preference will be set to “false” in Firefox 1.0.1 and Mozilla 1.8 beta, including all official localisations. An XPI will be made available to turn it on again; this XPI will make the risks of doing so clear. This means that by default, links to IDN domains which use the Unicode rather than the punycode form for the href will fail, and the browser will display any IDN domain visited in its raw form.
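To illustrate why the raw form helps, here is an added example (not Mozilla's code) that models the default described above using Python's built-in IDNA codec. The function names and the `bank.example` hostnames are constructed for illustration; the script check is a rough approximation based on Unicode character names.

```python
import unicodedata

GENUINE = "bank.example"
SPOOF = "b\u0430nk.example"  # constructed sample: U+0430 CYRILLIC SMALL LETTER A


def to_raw(host):
    """Return the ASCII (punycode, xn--) form of a hostname."""
    return host.encode("idna").decode("ascii")


def to_unicode(host):
    """Return the Unicode form of a hostname given in either form."""
    return to_raw(host).encode("ascii").decode("idna")


def scripts(label):
    """Scripts used in a label, approximated from Unicode character names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def handle_href(host, enable_idn=False):
    """Hypothetical model of the preference: returns (resolves, text_shown).

    With enable_idn False, a Unicode-form href fails and a punycode-form
    href is shown exactly as written, so a homograph cannot pass for the
    genuine name in the UI.
    """
    if enable_idn:
        return True, to_unicode(host)
    if any(ord(ch) > 127 for ch in host):
        return False, host
    return True, host


if __name__ == "__main__":
    for host in (GENUINE, SPOOF, to_raw(SPOOF)):
        ok, shown = handle_href(host)
        label = host.split(".")[0]
        print(f"{host!a:32} resolves={ok!s:5} shown={shown!a} "
              f"scripts={sorted(scripts(to_unicode(label)))}")
```

With the preference off, the two names that render alike in Unicode are shown as visibly different ASCII strings, and the mixed Latin/Cyrillic label is easy to flag.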
In the future (Firefox 1.1 and beyond) we hope to be able to turn IDN back on again. We may be able to find a way to turn it on selectively for those TLDs which have a demonstrable record of good practice – but we can’t promise to do that. It partly depends on how much resource maintaining a white or black list would take. (To help with that decision, please tell me of any instances where the registration of two homographic domains to different entities has happened in TLDs other than .com.)
So if people want to see full, unrestricted IDN back in Mozilla and Firefox, the best way is to put pressure on the world’s registrars and registries to fulfil their obligations to their customers – both domain owners and Internet users – and commit to implementing the ICANN guidelines.