Ability to disallow confusing unicode characters to prevent homoglyph phishing attacks

[alanhamlett]

When emails contain unicode characters that look similar to ascii characters, an attack vector is possible anytime we display the unicode email as an identifier of a user without punycode encoding the displayed email.

It would be nice to have an option to make confusing unicode characters fail email validation, but might be outside the scope of this library since it depends on the external confusables.txt data file from unicode.org?

The Unicode Consortium's Visual Spoofing Recommendations agree with this solution as a better alternative than blocking all unicode characters in domains and emails.

[JoshData]

I'm reluctant to address security issues like this without fully understanding a specific use case that we're trying to solve because then I have a feature that I don't know if it solves a problem. For example I'm not sure whether the confusable characters lost actually solves the problem or if it just removes some cases but leaves open exploitable possibilities.