Re: [apps-discuss] "finding registered domains"

["Hill, Brad" <bhill@paypal-inc.com>]

...
> >  3) I think if this is going to live in the DNS, it should respect
> > the structure of, and say things about, the DNS, rather than
> > describing a distinct and arbitrary overlay topology of
> >  administrative trust relationships.
> 
> Just to be careful here, no matter _what_ we do, we are describing an arbitrary
> overlay topology of administrative trust relationships.
> That is necessarily true, because the relationships that currently exist in the
> DNS are DNS-topological only.  People are _used_ to the idea that names are
> related to one another in particular ways, and as a cultural fact that is mostly
> true; but in the not very distant past, it wasn't, and there's reason to suppose it
> might not obtain in the near future.

[Hill, Brad] Well, I meant to respect the basic structure as a tree that (mostly) directly encodes only ancestor / descendant relationships, rather than arbitrary cross-linkages across different branches.  (CNAME notwithstanding) As a matter of how the DNS works, and how it will continue to work for things like DNSSEC, the DNS admin of a given label has control of descendant labels.  The hierarchy of control is more than just implied.

...

> > 4) I am also concerned with mixing the state of siblings as to whether
> > they share an administrative relationship with the parent or not.
> > Whether the depth in the DNS hierarchy is a "real" thing or not, it
> > has been treated as such and been a part of the web security model for
> > almost 20 years.  The "walk towards the root until you find a
> > boundary, and all siblings are equal" procedures apply not just for
> > setting cookies, but to core JavaScript and therefore the Same Origin
> > Policy through a feature known as "domain lowering".
> 
> I take very seriously the argument that there is an existing and widely-deployed
> model.  I note, however, that the widely-deployed model is about to be thrown
> out anyway, regardless of how we feel about it.  For a significant number of the
> new TLDs are so-called ".brand" TLDs, and I'm pretty sure that the operators of
> .megacorp are going to want to be able to set shared cookies in
> www.megacorp and product1.megacorp and so on.
> 
> It seems to me, however, that we might need a way to make this sort of
> behaviour the default.  The wildcard trick was intended to make that easy, but
> I'm not perfectly sure it will.
> 

Allowing cookies or document.domain to be lowered to a gTLD controlled by a single entity is not quite "throwing out" the current model, it is just changing the depth of the hard stop - the algorithm and basic model otherwise remains totally intact.  In contrast, changes differentiate domain lowering properties among siblings at the same depth are a much more substantial change to how the Web security model works and increases the complexity of the algorithms and implementations, the mental model for users, and the complexity and size of the data needed to support that model. 

-Brad