I’m currently sitting in the ICANN IDN workshop in Vancouver, Canada. It’s past 7pm now, and we’ve been here since half past twelve. It’s been very interesting, if long. The main focus of the session is IDN at the top level – IDN TLDs – but we also had an hour on IDN at the second level, where Michel Suignard of Microsoft and I gave presentations on IDN in IE and Mozilla respectively.
One feature IE’s IDN implementation has which we are not proposing to adopt is that it has a notion of “scripts that you know about”, and if you visit a website using an IDN in a script you don’t know, it displays the IDN as punycode and gives you a yellow security warning bar.
I think this idea is very worrying, because it balkanises the Internet. Instead of a global namespace, you have lots of smaller ones with mutual distrust between them. This seems to me to be counter to the very idea of IDNs – that everyone in the world is placed on the same level, rather than the current situation where Latin-based languages and English are the first-class citizens. It would also have a deterrent effect on IDN uptake. Who is going to use an IDN name if an unknown percentage of web surfers are going to get given a security warning when they visit it? This is particularly bad for users of minority scripts, who almost no-one is going to trust be default.
From an implementation perspective, it also has practical problems. How is an Iranian going to react when he visits an Internet cafe in the US and is told that all his websites are suspicious? What about computers used by multiple people, each of which knows a different set of scripts? (E.g. a house where the father happens to have learnt Chinese at night school, but the rest of the family don’t know it.) It also means that your browser needs additional configuration because of IDN, which I believe should be an active anti-goal of our IDN work.
But I also can’t see the point. What risk does it mitigate? As long as it doesn’t look like the domain name of my bank (and there are other mechanisms for dealing with that), where is the risk for me in visiting a domain whose name happens to be in Russian, or Chinese? I can’t see one.
I hope that Microsoft change their mind and remove this feature.