Re: [apps-discuss] "finding registered domains"

Phillip Hallam-Baker <hallam@gmail.com> Wed, 13 March 2013 14:07 UTC

In-Reply-To: <CE39F90A45FF0C49A1EA229FC9899B05600CB2@USCLES544.agna.amgreetings.com>
References: <CAL0qLwaGY0TYOndAUgbVYG5qDKKfP2U5Wuc5+oBXgyJ_kz9wSg@mail.gmail.com> <CAL0qLwYq1bgUykCfPQz7tvMBsxyfXSyBDTQQp=VQPu=74v_G0w@mail.gmail.com> <20130311210857.GG38441@mx1.yitter.info> <CAL0qLwY9YyLpHF9XYbm5zCC1+3PzCtdcmgyC6eiQ-P7QBKiDyA@mail.gmail.com> <20130312184051.GE39324@mx1.yitter.info> <CAL0qLwaD_6k36ZzAFO_KKkP=ud_Cd=-4P+vH_UQ58p6BcuY25A@mail.gmail.com> <20130312202442.GE41728@mx1.yitter.info> <CAL0qLwbg6CxtGO=b+iEtDXw3-FG1Rjr1QG_hcgxiGo5P7fPqgA@mail.gmail.com> <20130312205006.GI41728@mx1.yitter.info> <CAL0qLwb_X=WeNE8Hp9HWnd64OvZCu0bgdmDaw5Gct_VEsY45MA@mail.gmail.com> <20130313032655.GD41909@mx1.yitter.info> <CE39F90A45FF0C49A1EA229FC9899B05600CB2@USCLES544.agna.amgreetings.com>
Date: Wed, 13 Mar 2013 10:07:45 -0400
Message-ID: <CAMm+LwgydcQaSY-e3UeyB0AF=CpRe506_Zt5W+rRqBXYUTLFew@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "MH Michael Hammer (5304)" <MHammer@ag.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] "finding registered domains"

On Wed, Mar 13, 2013 at 12:41 AM, MH Michael Hammer (5304)
<MHammer@ag.com> wrote:

> I'm not asking these things to be snarky - I'm really not clear on the thinking here. In the email authentication space we've always gone to some lengths to avoid imposing new standards (SPF, DKIM, DMARC) on folks that don't really care to participate. I'm also concerned because my experience is that so many admins/domain owners get even the simplest DNS records wrong in implementation.

That is why I am concentrating on getting the new TLDs issued by ICANN
to publish records that say 'this is a public delegation point' that
would be used as input to prefix lists. That has a plausible
deployment model.

The way I would word this problem is that any protocol that depends on
more than 5% of parties to deploy before it provides value is doomed,
and to be successful it probably needs to provide value at a much
lower deployment.


>> There's something slightly awkward about this for the CA case, however,
>> when you have deep trees and you want a wildcard cert that descends the
>> tree from example.com.  I'm still not sure what to do about that, because it's
>> going to be impossible to enumerate all the names under a wildcard (and
>> anyway, you can't do multi-label wildcards).  I remain a little unhappy about
>> this, but it strikes me that anyone doing wildcard certs for deep trees may be
>> in a world of hurt anyway, and it would be better to add an additional SOPA
>> record for (for instance) *.oneIactuallyWant.example.com.

Wildcards are only one reason that CAs use the public prefix list.
Obviously a wildcard certificate for *.co.uk would be undesirable.

Mere presence of a DNS record is not going to cause a CA to
automatically change their policy on *.co.uk wildcards. But
publication of a record might well cause an exception to be signaled
for human administrator review.


-- 
Website: http://hallambaker.com/
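The CA-side screening the message describes, as an added example that is not part of the original post or any CA's code: a wildcard request whose base is itself a public suffix (*.co.uk) is refused outright, while a base that publishes a "this is a public delegation point" record is only flagged for human review rather than changing policy automatically. The PSL excerpt is a constructed stand-in in publicsuffix.org rule syntax, the delegation-point set stands in for a DNS lookup of a record whose name the thread has not settled on, and the function names are this example's own.

```python
"""Wildcard-certificate screening against a public suffix list (PSL).

Added example for this thread; not code from the message or from any CA.
PSL_SAMPLE is a constructed excerpt in publicsuffix.org rule syntax, and
DELEGATION_POINTS stands in for DNS lookups of the "public delegation
point" record discussed above (the record type itself is hypothetical).
"""

PSL_SAMPLE = """\
// constructed excerpt, not the real list
com
uk
co.uk
org.uk
*.ck
!www.ck
"""

# Constructed stand-in for the DNS record: names that publish it. A real
# implementation would query DNS for the (hypothetical) record type.
DELEGATION_POINTS = {"users.example.com"}


def parse_psl(text):
    """Return the list of rules as lower-cased strings ('!'/'*' kept)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("//"):
            rules.append(line.lower())
    return rules


def _rule_matches(rule_labels, labels):
    """A rule matches when its labels equal the domain's trailing labels;
    a '*' label in a rule matches any single label."""
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == d
               for r, d in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(name, rules):
    """Public suffix of `name` per the publicsuffix.org algorithm: a matching
    exception rule wins (minus its leftmost label), else the longest matching
    rule, else the implicit '*' rule, i.e. the last label."""
    labels = name.lower().strip(".").split(".")
    longest, exception = None, None
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if not _rule_matches(rule_labels, labels):
            continue
        if is_exception:
            exception = rule_labels
        elif longest is None or len(rule_labels) > len(longest):
            longest = rule_labels
    if exception is not None:
        prevailing = exception[1:]      # drop the leftmost label
    elif longest is not None:
        prevailing = longest
    else:
        prevailing = ["*"]
    return ".".join(labels[-len(prevailing):])


def check_wildcard(san, rules, delegation_points=DELEGATION_POINTS):
    """Screen a wildcard SAN. Returns (decision, reason): 'reject' when the
    base is a public suffix or the wildcard is malformed, 'review' when the
    base publishes a delegation-point record (queue for a human; policy is
    not changed automatically), otherwise 'ok'."""
    if not san.startswith("*."):
        return "reject", "not a wildcard name"
    base = san[2:].lower().strip(".")
    if "*" in base or not base:
        return "reject", "only a single leftmost wildcard label is allowed"
    if public_suffix(base, rules) == base:
        return "reject", f"{base} is a public suffix"
    if base in delegation_points:
        return "review", f"{base} publishes a public-delegation-point record"
    return "ok", f"{base} is at or below a registered domain"


if __name__ == "__main__":
    rules = parse_psl(PSL_SAMPLE)
    for san in ("*.co.uk", "*.example.co.uk", "*.users.example.com",
                "*.foo.ck", "*.www.ck", "*.*.example.com"):
        print(san, "->", *check_wildcard(san, rules))
```

Note that an unknown TLD falls under the implicit "*" rule, so *.newtld is rejected until the list (or, in the model proposed above, the TLD's own published record) says otherwise; and a base that is on the list is rejected before the delegation-point record is consulted, which is the "record does not override policy" behaviour the message describes.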