Re: [apps-discuss] "finding registered domains"

[Andrew Sullivan <ajs@anvilwalrusden.com>]

On Sun, Mar 10, 2013 at 03:12:30PM -0400, Phillip Hallam-Baker wrote:
> I think that there are two separate sets of security requirements here
> and there is therefore a need to be able to state either
> 
> * This domain is a public delegation point
> * This domain is NOT a public delegation point.
> 
> Andrew's proposal seems to be limited to the security issues of
> cookies.

I don't see why.  In fact, quite the opposite.  

I think the "public delegation point/not public point" dichotomy is
too narrow.  In general, we can say that for administrative purposes,
there are possible close administrative relationships between names.
One such relationship is "none".  If such a name also has any
names beneath it, then for the purposes of cookies (or CAs, or
anything else) it is a public "delegation" point.  (Note the scare
quotes.  Delegation is strictly speaking a matter of adding apex
records at that point in the DNS graph.  But that's not relevant here:
think of "web hotel" kind of cases, which needn't delegate and yet are
clearly cases where the different names are not in the same
administrative realm.) 

If you don't treat the "is this a public delegation point?" as an
empirical matter (are there names beneath me?), then you are subject
to assertions by people that they do not do public delegation, when in
fact they do.  I'm sure there's some genius in some new TLD applicant
company who would like to turn that into a "feature".

> the security concerns are rather different as a result. In particular
> CAs are only ever going to consider information retrieved from the DNS
> as 'evidence'. It is never going to be considered to be 'proof' and
> never relied on to the exclusion of any other information.

Of course.  It's the DNS, not the Lord's Promise Protocol :)

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com