Re: [apps-discuss] "finding registered domains"

Andrew Sullivan <> Thu, 14 March 2013 20:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1298E21F8E21 for <>; Thu, 14 Mar 2013 13:14:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.84
X-Spam-Status: No, score=-0.84 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_INFO=1.448, HOST_MISMATCH_NET=0.311]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YpjMwjVJ20Iu for <>; Thu, 14 Mar 2013 13:14:24 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 8DD4521F8B2B for <>; Thu, 14 Mar 2013 13:14:24 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id E31DA8A031 for <>; Thu, 14 Mar 2013 20:14:23 +0000 (UTC)
Date: Thu, 14 Mar 2013 16:14:22 -0400
From: Andrew Sullivan <>
Message-ID: <>
References: <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [apps-discuss] "finding registered domains"
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 14 Mar 2013 20:14:25 -0000

On Wed, Mar 13, 2013 at 06:56:47PM +0000, Hill, Brad wrote:
> admin of a given label has control of descendant labels.  The
> hierarchy of control is more than just implied.

This hierarchy is a straight artifact of the hierarchical name space.  So
yes, but once you've performed delegation you can't control what
happens on the other side of the zone cut (except by removing the
delegation).  Or, of course, maybe you can: maybe you're the same
organization.  This is sort of the point of what we're trying to do:
there's no way to read that distinction from the DNS today.
> algorithm and basic model otherwise remains totally intact.  In
> contrast, changes differentiate domain lowering properties among
> siblings at the same depth are a much more substantial change to how
> the Web security model works and increases the complexity of the
> algorithms and implementations, the mental model for users, and the
> complexity and size of the data needed to support that model.

Well, yes, but people are doing this anyway, with really lousy
security now.  So it feels to me like we need to support it, even if
we put in a deployment note making observations about what the
experience might be particularly during early deployment.  And after
all, it is entirely possible to support the present model of operation
in the approach I've outlined.


Andrew Sullivan