IETF Logo Mail Archive

Re: [apps-discuss] "finding registered domains"

Phillip Hallam-Baker <hallam@gmail.com> Wed, 13 March 2013 17:20 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8674A21F8C82 for <apps-discuss@ietfa.amsl.com>; Wed, 13 Mar 2013 10:20:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.149
X-Spam-Level:
X-Spam-Status: No, score=-3.149 tagged_above=-999 required=5 tests=[AWL=0.450, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X88nVTbnKOKU for <apps-discuss@ietfa.amsl.com>; Wed, 13 Mar 2013 10:20:44 -0700 (PDT)
Received: from mail-wg0-f46.google.com (mail-wg0-f46.google.com [74.125.82.46]) by ietfa.amsl.com (Postfix) with ESMTP id 3AE3B21F8507 for <apps-discuss@ietf.org>; Wed, 13 Mar 2013 10:20:44 -0700 (PDT)
Received: by mail-wg0-f46.google.com with SMTP id fg15so1172560wgb.1 for <apps-discuss@ietf.org>; Wed, 13 Mar 2013 10:20:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=dZuhjHJS8+lQC00mCe+IUZiQixjKmnZbpKl3al7TJLM=; b=w6sJ1UmNjBfC0fnNn8aiiP3AjLXj6HxUc3b/mrqGy2HpJbeZAMLHxPgbhoor5QbLHF OtKYe7jTYWL8bhisjK+S3jBrfpruacLX5QxhLUq+huqA/6aPbEQ3rDX+jaH0yc5QnrPo 4w4S4qYZ8ZPHxVPAc9a8J9prg8EibqMj47gx8sF0v4YLqEn626PtQeFsQbVsHdb0I2j9 oIZhNAmPpK0e/iM7ykHLdfTzWa+2SKnPhLkdU5SwVVQbG2TgmD/60J33FXXCgps/4kcg 5I7P8LZPhd8kQCKQm1v8Fxdg2l9pjWgAQr6/7cwcGbNh/4aN3kd+DOEOmWFXdgFXQ4ey 4wyg==
MIME-Version: 1.0
X-Received: by 10.180.74.131 with SMTP id t3mr28337143wiv.26.1363195243177; Wed, 13 Mar 2013 10:20:43 -0700 (PDT)
Received: by 10.194.11.71 with HTTP; Wed, 13 Mar 2013 10:20:42 -0700 (PDT)
In-Reply-To: <20130313144321.37307.qmail@joyce.lan>
References: <83AFF07DE0F646C0860A0631F973E9D1@LENOVO47E041CF> <20130313144321.37307.qmail@joyce.lan>
Date: Wed, 13 Mar 2013 13:20:42 -0400
Message-ID: <CAMm+LwizGFr7RgtUFGjtJufRywtf0AJsVYO19TiwoN-SzJgyfA@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: John Levine <johnl@taugh.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: apps-discuss@ietf.org
Subject: Re: [apps-discuss] "finding registered domains"
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2013 17:20:46 -0000

On Wed, Mar 13, 2013 at 10:43 AM, John Levine <johnl@taugh.com> wrote:
>>I am still not very clear about what the problem is and what the possilbe solution is.
>>
>> Could you kindly summarize it in one or two sentences ?
>
> I agree that use cases would help a lot.  The ones I'm aware of are:

+1

The presentation of the information in DNS terms is trivial. The whole
problem is knowing what information to present and why.



> * Web cookies: limit how high up the DNS tree a site can promote its cookies.

Also prevent cookie sharing across subtrees, especially to reduce
cross site contamination issues when some parts of a tree are
outsourced.

HTTP is not the only protocol with cookies. There are application
level cookies as well. Rule 81 applies here and probably provides
grounds for a corollary.

So if I outsource management of my shopping cart to a payment
processor and my Web site to a cheap hosting service I probably don't
want cookies set on one to be visible on the other.

My view is that anything more complex than defining a domain subtree
as a distinct administrative region from all others is going to be too
complex to implement securely.


> * DMARC and other mail authentication: find policy documents for a
> domain given one of its subdomains
>
> * SSL/TLS certificates: prevent certificate issue for names at or above public
> delegation points

Actually VeriSign would be perfectly entitled to obtain an SSL
certificate off a public root for .com

What would be *BAD* would be *.com

The use made of the public suffix list is rather more however. If
someone is applying for a.b.c.d.e.f.g.h.i.example.com it probably does
not have an email server on it. It might even be an appliance that
does not have SMTP capability. Sending an email to check ownership of
the domain is not going to work. The email would have to go to
admin@example.com.

Regardless of what the DNS mythology claims, the DNS administrator of
example.com has complete control over the subtree beneath it. That is
how the DNS is designed. If the owner of a.b.c.d.e.f.g.h.i.example.com
wants independence from example.com they have only one route and that
is to buy a domain of their own.

So while there are other applications where you might want to treat
different parts of the subtree as independent administrative domains
(ai.mit.edu might not want to share cookies with lcs.mit.edu) that is
not the case for CAs.

> * Variants: state that two parallel names are under the same management (has
> issues different from the previous three)

That would be an interesting and useful problem but I really don't
want to commit to going down that rathole. That looks to me like
something that might suggest that we need to think about an extensible
approach.

> R's,
> John
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss



-- 
Website: http://hallambaker.com/

v2.23.0 | Report a Bug | By Email