Re: [apps-discuss] "finding registered domains"
Andrew Sullivan <ajs@anvilwalrusden.com> Wed, 13 March 2013 03:27 UTC
On Tue, Mar 12, 2013 at 06:58:28PM -0400, Murray S. Kucherawy wrote:

> In my use case, it's defined that an example.com policy is used (if it
> exists) in the absence of a foo.bar.example.com policy. The problem is I
> don't know how far up the tree to make that second query.

In order for that to be defined, you put a SOPA record at foo.bar.example.com that says "example.com". If you have no SOPA record, the policy for foo.bar.example.com is "nobody else shares this". This is a "default closed" policy, which I think has to be the right one.

There's something slightly awkward about this for the CA case, however, when you have deep trees and you want a wildcard cert that descends the tree from example.com. I'm still not sure what to do about that, because it's going to be impossible to enumerate all the names under a wildcard (and anyway, you can't do multi-label wildcards). I remain a little unhappy about this, but it strikes me that anyone doing wildcard certs for deep trees may be in a world of hurt anyway, and it would be better to add an additional SOPA record for (for instance) *.oneIactuallyWant.example.com.

> So in my case I explicitly will believe the parent/grandparent/whatever
> statement, but I don't know how far up to go, and I don't want to ask
> everyone; I only want to ask at most two questions.

As long as you have the pointer up the tree, that should work.

A

--
Andrew Sullivan
ajs@anvilwalrusden.com
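The lookup discussed in this message, as an added sketch that is not part of the original post or of any SOPA specification: a name's own policy is tried first, then a SOPA pointer at that same name, and a missing pointer means "default closed". Assumptions: SOPA is modelled as a bare target name, `POLICY` is a stand-in record type, the zone data is constructed, and the check that the pointer names an ancestor is a restriction of this sketch for the parent-policy use case.

```python
# Constructed zone data: (owner name, record type) -> value.
# "SOPA" as a bare target name and "POLICY" as a record type are
# assumptions of this sketch, not a published record format.
ZONE = {
    ("foo.bar.example.com", "SOPA"): "example.com",
    ("example.com", "POLICY"): "policy-of-example.com",
    ("lonely.bar.example.com", "POLICY"): "policy-of-lonely",
    ("rogue.example.net", "SOPA"): "example.com",  # points outside its own tree
}


def is_ancestor(ancestor, name):
    """True if `ancestor` is a proper ancestor of `name` on a label boundary."""
    a = ancestor.lower().rstrip(".")
    n = name.lower().rstrip(".")
    return n.endswith("." + a)


def find_policy(name, zone=ZONE):
    """Return (policy or None, questions asked) without walking the tree."""
    asked = []

    def ask(owner, rtype):
        asked.append((owner, rtype))
        return zone.get((owner, rtype))

    # 1. A policy published at the name itself always wins.
    policy = ask(name, "POLICY")
    if policy is not None:
        return policy, asked

    # 2. No own policy: look for a pointer at the same name.
    target = ask(name, "SOPA")
    if target is None or not is_ancestor(target, name):
        # Default closed: no pointer (or a pointer that is not up the
        # tree) means nobody else's policy applies to this name.
        return None, asked

    # 3. Follow the pointer exactly once; the target's answer is final.
    return ask(target, "POLICY"), asked
```

The number of questions is bounded by the pointer rather than by the depth of the name, so the client never has to guess how far up the tree to query.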