
I understand that IDNs are basically a GUI display change for domains that have a prefix of "xn--".

What should I advise companies to do in regard to these domains?

For example, should companies actively seek out and register domains in alternative (similar looking) character sets? What tools, or logic should be followed?

Are there any known certificate validation issues?

AviD
makerofthings7

2 Answers


The riskiest are the so-called IDN-spoofing attacks, which are possible due to visually similar symbols. That is a side effect of introducing Unicode.

Regarding this topic I can recommend the official Unicode Consortium technical report http://www.unicode.org/reports/tr36/, titled Unicode Security Considerations, the Wikipedia article http://en.wikipedia.org/wiki/IDN_homograph_attack, and some more interesting reading: http://www.lookout.net/test-cases/idn-and-iri-spoofing-tests/.

Also, as an addendum, a Firefox extension to protect yourself: https://addons.mozilla.org/en-US/firefox/addon/621/.


I wrote a small series explaining more about this a few years ago at www.lookout.net/tag/confusables/.

To answer your question, I would not suggest you advise companies to register all the confusable versions of their domains - it's not practical or possible. The ones who bear the responsibility here are the user-agents (Web browsers and email clients) and the registrars and registries, who could work together to mitigate this problem more - but still not fully. I've put together a proposal for this and had my company build a library to assist user-agents or other software vendors in identifying confusables and IDN visual spoofing.

You can find a description of this 'confusable string detection' API at our site http://www.casaba.com/products/UCAPI/ and you may enjoy the related white paper which goes into some visual detail about the issue.

And as Ams points out, the Unicode Technical Report 36 describes the issue as well.

Weber
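To make the two answers above concrete (the "xn--" display mapping and the visually-similar-symbol spoofing from the first answer, and the confusable-string detection the second answer describes), here is an added Python example. It is not code from either answer, nor from the Casaba UCAPI library; it uses only the standard library. The confusable table is a hand-picked subset of Cyrillic-to-Latin lookalikes constructed for this example (the real Unicode data is the much larger confusables.txt from Unicode TR39), the sample domains are constructed, and Python's built-in `idna` codec implements the older IDNA 2003 rules, which is enough to show the mechanics.

```python
import unicodedata

# Constructed subset of confusable pairs: Cyrillic letters that render
# like Latin ones in most fonts. Not the full Unicode TR39 data set.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
}

# Characters that belong to no particular script and are legal in labels.
COMMON = {"DIGIT", "HYPHEN-MINUS"}


def to_unicode(domain):
    """Decode the A-label form (xn--...) into the U-label form a browser shows."""
    return domain.encode("ascii").decode("idna")


def to_ascii(domain):
    """Encode a Unicode domain into the A-label form that actually goes in DNS."""
    return domain.encode("idna").decode("ascii")


def scripts_of(label):
    """Rough per-label script set, taken from the first word of each
    character's Unicode name (LATIN, CYRILLIC, GREEK, ...). Digits and
    hyphens are ignored as script-neutral."""
    scripts = set()
    for ch in label:
        name = unicodedata.name(ch, "UNKNOWN")
        first = name.split()[0]
        if first not in COMMON:
            scripts.add(first)
    return scripts


def skeleton(text):
    """Map a string to its visual 'skeleton': NFKC-normalise, lowercase,
    then replace every confusable with its Latin lookalike. Two strings
    with the same skeleton look alike to a user."""
    text = unicodedata.normalize("NFKC", text).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def analyze(domain, protected=()):
    """Flag a domain that mixes scripts inside a label or whose skeleton
    collides with one of the `protected` (ASCII) brand domains."""
    udomain = to_unicode(domain)
    labels = udomain.split(".")
    mixed = [label for label in labels if len(scripts_of(label)) > 1]
    skel = skeleton(udomain)
    spoofs = [p for p in protected if skel == p and udomain != p]
    return {
        "unicode": udomain,
        "ascii": to_ascii(udomain),
        "mixed_script_labels": mixed,
        "spoofs": spoofs,
        "risky": bool(mixed or spoofs),
    }


if __name__ == "__main__":
    # Constructed samples: a lookalike with one Cyrillic letter, the real
    # brand, and a legitimate non-spoofing IDN (bücher.ch).
    for d in ("xn--pypal-4ve.com", "paypal.com", "xn--bcher-kva.ch"):
        print(d, "->", analyze(d, protected=["paypal.com"]))
```

The whole-script case (every letter of a label swapped to Cyrillic) is not caught by the mixed-script check, which is why the skeleton comparison against a list of the company's own domains is the half that matters to the company; the mixed-script check is the half a user-agent can apply without knowing any brands, and is roughly what Firefox and Chrome do before deciding whether to render the U-label or fall back to the raw "xn--" form.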