Re: [DNSOP] Public Suffix List

Andrew Sullivan <> Mon, 09 June 2008 14:29 UTC

Date: Mon, 09 Jun 2008 10:29:27 -0400
From: Andrew Sullivan <>
To: Gervase Markham <>
Subject: Re: [DNSOP] Public Suffix List

On Mon, Jun 09, 2008 at 11:00:39AM +0100, Gervase Markham wrote:

> The following email message will shortly be sent to the technical
> contact for all TLDs. Yngve Pettersen at Opera suggested that I also let
> you both know about it.
> The technology in question, including a version of the list, is about to
> ship in Firefox 3, but we'd like to verify and improve the quality of
> the underlying data.

Is there any way to turn this off in Firefox 3?  Because it seems to
me (as I argued before in response to Yngve's I-D) that this is a
spectacularly bad idea.

RFC 3696 explains, I think, most of the reasoning that I would offer
for why I think this is a bad idea.  I urge you and others who are
planning to ship this kind of feature to go (re)read that RFC.

I know that you have a security problem, which is that cookies are
widely used for some purposes in such a way that they can be
subverted.  That's a problem with the cookies specification, which was
always broken.

If you're not going to fix the cookies specification (which is what I
think you ought to do, but I understand why people are reluctant to
take that on), then there should at least be some way to publish data
about the relationship you want to permit.  One way to do this would
be to figure out a way to publish lists of domains for which a given
domain publishes cookies, and from which a given domain accepts
cookies.  In a DNSSEC context, this could be a secure way of
communicating such data without resorting to hard-coded lists.  Loath
as I am to suggest yet another way of loading up the DNS, I expect it
could be done with a DNS RR.

I still run into problems with email addresses in .info domains not
being accepted, because the top level domain label is "too long".
This is years after .info went into the root, and yet we have these
old hard-coded rules hanging about the Internet.  It was a bad idea
when they did it then, and it's a bad idea to do it now.

Best regards,

Andrew Sullivan
+1 503 667 4564 x104
DNSOP mailing list
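As an added illustration (not part of Andrew's mail or of Mozilla's code), the two mechanisms the thread contrasts, in Python: a minimal matcher for the Public Suffix List's published rule format (plain rules, `*.` wildcards and `!` exceptions; the rule set below is a constructed subset) deciding which cookie Domain values a host may set, beside the hard-coded "TLD is 2 or 3 letters" check that still rejects .info addresses, as the mail describes, and a structural check in the spirit of RFC 3696 that makes no such assumption.

```python
# Constructed subset of Public Suffix List rules (not the real list).
PSL_RULES = ["com", "uk", "co.uk", "info", "*.ck", "!www.ck"]


def public_suffix(host, rules=PSL_RULES):
    """Public suffix of host per the PSL algorithm: an exception rule wins
    outright and drops its leftmost label; otherwise the rule with the
    most labels wins; an unlisted TLD counts as a one-label suffix."""
    labels = host.lower().rstrip(".").split(".")
    best = None  # number of labels in the prevailing rule
    for rule in rules:
        exception = rule.startswith("!")
        parts = rule.lstrip("!").split(".")
        if len(parts) > len(labels):
            continue
        tail = labels[-len(parts):]
        if all(r == "*" or r == lab for r, lab in zip(parts, tail)):
            if exception:
                best = len(parts) - 1
                break
            if best is None or len(parts) > best:
                best = len(parts)
    n = best if best else 1
    return ".".join(labels[-n:])


def cookie_domain_allowed(host, cookie_domain):
    """host may set a cookie for cookie_domain only if cookie_domain is a
    suffix of host and is strictly more specific than the public suffix."""
    host, cd = host.lower().rstrip("."), cookie_domain.lower().lstrip(".")
    if host != cd and not host.endswith("." + cd):
        return False
    return cd.count(".") > public_suffix(host).count(".")


def legacy_email_ok(addr):
    """Hard-coded rule still found in the wild: TLD must be 2 or 3 letters.
    Rejects every valid .info address, the failure the mail complains of."""
    tld = addr.rsplit(".", 1)[-1]
    return "@" in addr and tld.isalpha() and 2 <= len(tld) <= 3


def rfc3696_email_ok(addr):
    """Structural check in the spirit of RFC 3696: labels 1-63 octets, no
    leading/trailing hyphen, domain <= 255 octets, TLD not all-numeric,
    and no assumption at all about how long a TLD may be."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or len(local) > 64 or len(domain) > 255:
        return False
    labels = domain.split(".")
    return len(labels) >= 2 and not labels[-1].isdigit() and all(
        1 <= len(lab) <= 63 and not lab.startswith("-") and not lab.endswith("-")
        for lab in labels)
```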