[benatkin]

So should those with accented characters, but those can easily be used for phishing. It would be arguably unfair to allow Chinese and Japanese characters but not allow accent marks. Perhaps only partially supporting international characters would be better than only supporting ASCII, but that's the status quo.

That said, Chrome supports them both. here's cañon.com (which is just a parked site): http://xn--caon-hqa.com/ There is also http://xn--ms-mia.com/ (más.com) which redirects.

I know Chrome has done some stuff to prevent problems and understand when people just make the easy choice and show the punycode though.

[saurik]

The letter "c" can also be used to "phish" people who want a domain name that should include the letter "o" and yet we don't say the letter "c" is disallowed :/. The premise of domain names being your source of security is what is broken: we should be helping end users by scoring domains based on some combination of page rank and a web of trust implicitly built out of their existing address books, so when they are sent to bankcfamerica.com it shows up as "likely a wrong URL" without them having to squint at the domain name to notice the "c" (at which point we can probably also replace domain names with a post-scarcity collision-tolerant naming system, which would be absolutely glorious).