RE: phishing in IRIs

From: Shawn Steele <Shawn.Steele@microsoft.com>
Date: Wed, 25 Nov 2009 20:12:29 +0000
To: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
CC: Larry Masinter <masinter@adobe.com>, "PUBLIC-IRI@W3.ORG" <PUBLIC-IRI@w3.org>, Pete Resnick <presnick@qualcomm.com>, Ted Hardie <ted.ietf@gmail.com>
Message-ID: <E14011F8737B524BB564B05FF748464A04456FC3@TK5EX14MBXC139.redmond.corp.microsoft.com>
> What I am saying is that spoofing of IRIs with the domain name part is a much greater problem than spoofing with IRIs in the rest of the IRI.

I don't disagree with that :)  But you extended it (I thought) to "the IDNs in the IRIs", which I don't see any evidence of.  Phishers certainly abuse domain names, but they still use all-ASCII.

> The IETF has a tradition of putting security considerations in the main document, not as a separate document.

I'm concerned that fully addressing the security considerations for IRIs would take quite a bit of space.  I'm also concerned that some aspects might lead to a lot of discussion, as there probably isn't one "right" way to handle IRI security.  An effective security document for IRIs, IMO, would be comparable to trying to address how to handle spam in email.  So maybe the WG could consider mentioning some security concerns in the main document and providing a further document that describes security in more detail?  For example, I think the discussion of safe-yourbank.com IRIs is interesting, but I'm not sure the main document is the right place for all of that discussion.

-Shawn
Received on Wednesday, 25 November 2009 20:13:21 GMT