Re: [DNSOP] Public Suffix List

Gervase Markham <gerv@mozilla.org> Wed, 11 June 2008 12:13 UTC

Return-Path: <dnsop-bounces@ietf.org>
X-Original-To: dnsop-archive@optimus.ietf.org
Delivered-To: ietfarch-dnsop-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 87F7B3A67ED; Wed, 11 Jun 2008 05:13:08 -0700 (PDT)
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 69DCA3A67ED for <dnsop@core3.amsl.com>; Wed, 11 Jun 2008 05:13:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.574
X-Spam-Level:
X-Spam-Status: No, score=-3.574 tagged_above=-999 required=5 tests=[AWL=-0.975, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DQy8EmCSNA27 for <dnsop@core3.amsl.com>; Wed, 11 Jun 2008 05:13:06 -0700 (PDT)
Received: from haggis.mythic-beasts.com (haggis.mythic-beasts.com [91.135.15.56]) by core3.amsl.com (Postfix) with ESMTP id 03FBC3A67E6 for <dnsop@ietf.org>; Wed, 11 Jun 2008 05:13:05 -0700 (PDT)
Received: from grmarkham.plus.com ([80.229.30.161] helo=[192.168.1.6]) by haggis.mythic-beasts.com with esmtpsa (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <gerv@mozilla.org>) id 1K6PAq-0003PI-PG; Wed, 11 Jun 2008 13:11:37 +0100
Message-ID: <484FC15E.8090804@mozilla.org>
Date: Wed, 11 Jun 2008 13:13:18 +0100
From: Gervase Markham <gerv@mozilla.org>
User-Agent: Thunderbird 3.0a1 (X11/2008050714)
MIME-Version: 1.0
To: Jamie Lokier <jamie@shareable.org>
References: <484D52EC.1090608@mozilla.org> <C5894EBB-D4AA-40AD-8A38-2F4CD8A07D66@virtualized.org> <484D5B88.3090902@mozilla.org> <9C47AC3F-A0EA-48BB-9B28-DFD2C4855EB3@virtualized.org> <484E52F4.5030402@mozilla.org> <20080610111454.GE25910@shareable.org> <87prqpum6n.fsf@mid.deneb.enyo.de> <484F8DB4.5030500@mozilla.org> <484F8F93.8020808@NLnetLabs.nl> <484F965A.1000709@mozilla.org> <20080611103103.GA25556@shareable.org>
In-Reply-To: <20080611103103.GA25556@shareable.org>
Received-SPF: none (haggis.mythic-beasts.com: domain of gerv@mozilla.org does not designate permitted sender hosts) client-ip=80.229.30.161 envelope-from=gerv@mozilla.org helo=[192.168.1.6]
X-BlackCat-Spam-Score: -11
Cc: dnsop@ietf.org, David Conrad <drc@virtualized.org>, ietf-http-wg@w3.org, Jelte Jansen <jelte@NLnetLabs.nl>
Subject: Re: [DNSOP] Public Suffix List
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsop-bounces@ietf.org
Errors-To: dnsop-bounces@ietf.org

Jamie Lokier wrote:
> Oh?  How is this reconciled with earlier comments that
> login.mybank.co.uk and accounts.mybank.co.uk are grouped together - or
> is the Public Suffix List only for history grouping in browsers, not
> for cookie sharing?

I'm not sure that either dnsop or ietf-http-wg are interested in a
discussion about the inner workings of cookies and Firefox's use of the
list. But briefly:

login.mybank.co.uk and accounts.mybank.co.uk can be grouped together
because we group by "public suffix + 1" - in this case, mybank.co.uk,
with the public suffix being .co.uk and so +1 being mybank.co.uk.
(Without the list, all .co.uk sites would be grouped together.)

Cookies are set for a particular domain or domain suffix, and are sent
to all sites with that domain suffix. So (under the current code)
www.mybank.co.uk can set cookies for either www.mybank.co.uk (shared
with foo.www.mybank.co.uk but not login.mybank.co.uk), mybank.co.From dnsop-bounces@ietf.org  Wed Jun 11 05:13:08 2008
Return-Path: <dnsop-bounces@ietf.org>
X-Original-To: dnsop-archive@lists.ietf.org
Delivered-To: ietfarch-dnsop-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 87F7B3A67ED;
	Wed, 11 Jun 2008 05:13:08 -0700 (PDT)
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 69DCA3A67ED
	for <dnsop@core3.amsl.com>om>; Wed, 11 Jun 2008 05:13:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.574
X-Spam-Level: 
X-Spam-Status: No, score=-3.574 tagged_above=-999 required=5
	tests=[AWL=-0.975, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id DQy8EmCSNA27 for <dnsop@core3.amsl.com>om>;
	Wed, 11 Jun 2008 05:13:06 -0700 (PDT)
Received: from haggis.mythic-beasts.com (haggis.mythic-beasts.com
	[91.135.15.56]) by core3.amsl.com (Postfix) with ESMTP id 03FBC3A67E6
	for <dnsop@ietf.org>rg>; Wed, 11 Jun 2008 05:13:05 -0700 (PDT)
Received: from grmarkham.plus.com ([80.229.30.161] helo=[192.168.1.6])
	by haggis.mythic-beasts.com with esmtpsa
	(TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63)
	(envelope-from <gerv@mozilla.org>)
	id 1K6PAq-0003PI-PG; Wed, 11 Jun 2008 13:11:37 +0100
Message-ID: <484FC15E.8090804@mozilla.org>
Date: Wed, 11 Jun 2008 13:13:18 +0100
From: Gervase Markham <gerv@mozilla.org>
User-Agent: Thunderbird 3.0a1 (X11/2008050714)
MIME-Version: 1.0
To: Jamie Lokier <jamie@shareable.org>
References: <484D52EC.1090608@mozilla.org>
	<C5894EBB-D4AA-40AD-8A38-2F4CD8A07D66@virtualized.org>
	<484D5B88.3090902@mozilla.org>
	<9C47AC3F-A0EA-48BB-9B28-DFD2C4855EB3@virtualized.org>
	<484E52F4.5030402@mozilla.org>
	<20080610111454.GE25910@shareable.org>
	<87prqpum6n.fsf@mid.deneb.enyo.de>
	<484F8DB4.5030500@mozilla.org> <484F8F93.8020808@NLnetLabs.nl>
	<484F965A.1000709@mozilla.org>
	<20080611103103.GA25556@shareable.org>
In-Reply-To: <20080611103103.GA25556@shareable.org>
Received-SPF: none (haggis.mythic-beasts.com: domain of gerv@mozilla.org does
	not designate permitted sender hosts) client-ip=80.229.30.161
	envelope-from=gerv@mozilla.org helo=[192.168.1.6]
X-BlackCat-Spam-Score: -11
Cc: dnsop@ietf.org, David Conrad <drc@virtualized.org>rg>, ietf-http-wg@w3.org,
	Jelte Jansen <jelte@NLnetLabs.nl>
Subject: Re: [DNSOP] Public Suffix List
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>,
	<mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>,
	<mailto:dnsop-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsop-bounces@ietf.org
Errors-To: dnsop-bounces@ietf.org

Jamie Lokier wrote:
> Oh?  How is this reconciled with earlier comments that
> login.mybank.co.uk and accounts.mybank.co.uk are grouped together - or
> is the Public Suffix List only for history grouping in browsers, not
> for cookie sharing?

I'm not sure that either dnsop or ietf-http-wg are interested in a
discussion about the inner workings of cookies and Firefox's use of the
list. But briefly:

login.mybank.co.uk and accounts.mybank.co.uk can be grouped together
because we group by "public suffix + 1" - in this case, mybank.co.uk,
with the public suffix being .co.uk and so +1 being mybank.co.uk.
(Without the list, all .co.uk sites would be grouped together.)

Cookies are set for a particular domain or domain suffix, and are sent
to all sites with that domain suffix. So (under the current code)
www.mybank.co.uk can set cookies for either www.mybank.co.uk (shared
with foo.www.mybank.co.uk but not login.mybank.co.uk), mybank.co.ukuk
(shared with login.mybank.co.uk but not adserver.co.uk) or co.uk (shared
with adserver.co.uk but not with myorg.org.uk).

It is this latter use we want to prevent. We can do so by stopping
cookies being set for any domain which is a public suffix.

(Again, I comment that cookies are not the only way we are using this
information.)

Gerv
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop



(shared with login.mybank.co.uk but not adserver.co.uk) or co.uk (shared
with adserver.co.uk but not with myorg.org.uk).

It is this latter use we want to prevent. We can do so by stopping
cookies being set for any domain which is a public suffix.

(Again, I comment that cookies are not the only way we are using this
information.)

Gerv
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop